[rsyslog-notify] Forum Thread: rsyslog is duplicating messages and ignoring my filter rules - (Mode 'post')
noreply at adiscon.com
Wed Feb 11 17:32:03 CET 2015
User: digrouz
Forumlink: http://kb.monitorware.com/viewtopic.php?p=25240#p25240
Message:
----------
Hello,
I'm trying to set up an rsyslog config that logs messages from the Oracle Audit to
/var/log/oracle/audit/oracle_audit.log and keeps those logs from going to
/var/log/messages.
It seems to work, except that the messages go to both places. Where am I wrong?
Here is my rsyslog config, split into several files:
[code:23tvsi3j]
rsyslog files on this system:
/etc/rsyslog.conf
/etc/rsyslog.d:
00_param_timestamps
10_module_kernel_logging
11_module_logger
20_oracle
30_log_console
31_log_messages
32_log_secure
33_log_maillog
34_log_cron
35_log_emergency
36_log_spooler
37_log_boot
Content of file:/etc/rsyslog.conf
$IncludeConfig /etc/rsyslog.d/
Content of file:/etc/rsyslog.d/00_param_timestamps
# Use traditional timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
Content of file:/etc/rsyslog.d/33_log_maillog
# Log all the mail messages in one place.
mail.* /var/log/maillog
Content of file:/etc/rsyslog.d/35_log_emergency
# Everybody gets emergency messages
*.emerg *
Content of file:/etc/rsyslog.d/32_log_secure
# The authpriv file has restricted access.
authpriv.* /var/log/secure
Content of file:/etc/rsyslog.d/30_log_console
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
Content of file:/etc/rsyslog.d/37_log_boot
# Save boot messages also to boot.log
local7.* /var/log/boot.log
Content of file:/etc/rsyslog.d/10_module_kernel_logging
# Provides kernel logging support (previously done by rklogd)
$ModLoad imklog
Content of file:/etc/rsyslog.d/34_log_cron
# Log cron stuff
cron.* /var/log/cron
Content of file:/etc/rsyslog.d/31_log_messages
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none; /var/log/messages
Content of file:/etc/rsyslog.d/20_oracle
if $syslogfacility-text == 'local0' and $programname contains 'Oracle' then /var/log/oracle/audit/oracle_audit.log
if $syslogfacility-text == 'local0' and $programname contains 'Oracle' then ~
& ~
Content of file:/etc/rsyslog.d/36_log_spooler
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
Content of file:/etc/rsyslog.d/11_module_logger
# Provides support for local system logging (e.g. via logger command)
$ModLoad imuxsock
[/code:23tvsi3j]