Hi, On Fri, Mar 22, 2013 at 03:59:11PM +0100, Gergely Nagy wrote:
> * Fixing the configuration and reloading gets things back in order, no
> matter how many times messages were duplicated before.

I have a heavily customized config, which does not throw any errors, but triggers the issue on a wheezy box. The config is for a central log server, which gets syslog via UDP from quite a few hosts and sorts the messages accordingly. Every day at logrotate a SIGHUP is issued and my /var/log gets full. The ratio is about 1 real message to 3000 (yes, three thousand!) duplicates :/ A real restart solves the issue. I hope this is helpful for you to track down the issue.
@version: 3.3

# syslog-ng configuration of a central log server, posted as a reproduction
# case. It reads local sockets and a UDP listener, sorts messages into
# per-facility, per-host and per-customer files, and forwards some of them
# to remote collectors over UDP.

# First, set some global options.
# create_dirs(yes) makes every file() destination create missing directories.
# keep_hostname(yes) keeps the HOST field exactly as the sender wrote it, so
# the host name in stored messages (and in host() filters and $FULLHOST below)
# is sender-supplied for everything arriving on remotesrc.
options { create_dirs(yes); dir_perm(0755); chain_hostnames(off); flush_lines(0); keep_hostname(yes); };

#
# This is the default behavior of sysklogd package
# Logs may come from unix stream, but not from another machine.
#
source localsrc {
    unix-dgram("/dev/log");
    internal();
    # Keep a log socket within the postfix chroot
    unix-stream("/var/spool/postfix/dev/log");
};

#
# If you wish to get logs from remote machine you should uncomment
# this and comment the above source line.
#
# NOTE(review): udp() is used with no options, so no listen address or peer
# restriction is set in this file. UDP syslog is unauthenticated and its
# source address can be forged; confirm that a packet filter limits who can
# reach this listener, or bind it with ip() to the intended interface.
source remotesrc { udp(); };

# After that set destinations.

# First some standard logfile
#
destination authlog { file("/var/log/auth.log" owner("root") group("adm") perm(0640)); };
destination syslogfile { file("/var/log/syslog" owner("root") group("adm") perm(0640)); };
destination cron { file("/var/log/cron.log" owner("root") group("adm") perm(0640)); };
destination daemon { file("/var/log/daemon.log" owner("root") group("adm") perm(0640)); };
destination kern { file("/var/log/kern.log" owner("root") group("adm") perm(0640)); };
destination lpr { file("/var/log/lpr.log" owner("root") group("adm") perm(0640)); };
destination mail { file("/var/log/mail.log" owner("root") group("adm") perm(0640)); };
destination user { file("/var/log/user.log" owner("root") group("adm") perm(0640)); };
destination uucp { file("/var/log/uucp.log" owner("root") group("adm") perm(0640)); };

# These files hold the logs coming from the mail subsystem.
#
destination mailinfo { file("/var/log/mail.info" owner("root") group("adm") perm(0640)); };
destination mailwarn { file("/var/log/mail.warn" owner("root") group("adm") perm(0640)); };
destination mailerr { file("/var/log/mail.err" owner("root") group("adm") perm(0640)); };

# Logging for INN news system
#
destination newscrit { file("/var/log/news/news.crit" owner("root") group("adm") perm(0640)); };
destination newserr { file("/var/log/news/news.err" owner("root") group("adm") perm(0640)); };
destination newsnotice { file("/var/log/news/news.notice" owner("root") group("adm") perm(0640)); };

# Some `catch-all' logfiles.
#
destination debug { file("/var/log/debug" owner("root") group("adm") perm(0640)); };
destination messages { file("/var/log/messages" owner("root") group("adm") perm(0640)); };

# root's console.
#
destination console { usertty("root"); };

# Virtual console.
#
destination console_all { file("/dev/tty8"); };

# The named pipe /dev/xconsole is for the `xconsole' utility. To use it,
# you must invoke `xconsole' with the `-file' option:
#
#    $ xconsole -file /dev/xconsole [...]
#
#
# NOTE(review): the flattened paste does not show whether the next line was
# commented out in the original file; no log path references it either way.
destination xconsole { pipe("/dev/xconsole"); };

destination ppp { file("/var/log/ppp.log" owner("root") group("adm") perm(0640)); };
destination switches { file("/var/log/switches.log" owner("root") group("adm") perm(0640)); };
destination term { file("/var/log/term.log" owner("root") group("adm") perm(0640)); };

# normal single files
destination nt { file("/var/log/nt.log" owner("root") group("adm") perm(0640)); };
destination cust_apache { file("/var/log/cust/apache.log" owner("root") group("adm") perm(0640)); };
destination cust_postgres { file("/var/log/cust/postgres.log" owner("root") group("adm") perm(0640)); };

# by-host log file
# NOTE(review): $FULLHOST is expanded into the path. With keep_hostname(yes)
# and create_dirs(yes) above, each distinct host name a UDP sender puts in a
# message yields a new directory and file under /var/log/hosts. That lets any
# sender that can reach the listener grow the directory tree; consider a
# macro based on the peer address (e.g. $HOST_FROM) or a filter in front of
# this destination.
destination d_by_host { file("/var/log/hosts/$FULLHOST/syslog-$YEAR$MONTH$DAY" owner("root") group("adm") perm(0640)); };

##
## Remote Destinations
# NOTE(review): d_logger01 and d_logger02 are not referenced by any log path
# in this file, while the log paths further down reference d_sam01 and
# d_sam02, which are not defined here. Possibly the names were changed
# inconsistently when the config was anonymized -- confirm against the real
# file.
destination d_logger01 { udp("192.0.2.111" port(514)); };
destination d_logger02 { udp("192.0.2.112" port(514)); };

# Here come the filter options. With these rules, we can set which
# message goes where.
# host() and program() take regular expressions; a pattern without anchors
# matches anywhere in the field.
filter f_switches { facility(local5); };
filter f_term { host("^term[0-9]"); };
# "[0-9]*" also matches zero digits, so this accepts every host name that
# starts with "esx".
filter f_esx { host("^esx[0-9]*"); };
filter f_nt { host("^(windows|fenster)"); };
filter f_authpriv { facility(auth, authpriv); };
filter f_syslog {
    not facility(auth, authpriv, news, mail)
    and not level(debug)
    and not host("^(windows|esx[0-9]*|term[0-9])")
    and not (host("^(api|web)[ab][0-9][0-9][0-9]") and program("apache2"))
    and not (host("^dbsrv") and program("postgres"));
};
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
filter f_lpr { facility(lpr); };
# Mail facility, minus the connect/disconnect chatter from localhost.
filter f_mail {
    facility(mail)
    and not (
        message("connect from localhost")
        or message("lost connection after CONNECT from localhost")
        or message("disconnect from localhost")
    );
};
filter f_user { facility(user); };
filter f_uucp { facility(uucp); };
filter f_news { facility(news); };
filter f_debug { not facility(auth, authpriv, news, mail, local6, local7); };
filter f_messages { level(info .. warn) and not facility(auth, authpriv, cron, daemon, mail, news, local6, local7); };
filter f_emergency { level(emerg); };
filter f_info { level(info); };
filter f_notice { level(notice); };
filter f_warn { level(warn); };
filter f_crit { level(crit); };
filter f_err { level(err); };
filter f_cnews { level(notice, err, crit) and facility(news); };
filter f_cother { level(debug, info, notice, warn) or facility(daemon, mail); };
# local1..local3 carry the customer environments (see the cust filters below).
filter f_not_cust { not facility(local1) and not facility(local2) and not facility(local3); };
filter f_cust_apache { host("^(api|web)[ab][0-9][0-9][0-9]") and program("apache2"); };
filter f_cust_postgres { host("^dbsrv") and program("postgres"); };
filter f_all { level(debug .. err); };

# Log paths. Almost all of them read both localsrc and remotesrc, so messages
# received over UDP land in the same files as local ones.
# NOTE(review): because the facility and host name are sender-supplied, a
# host that can reach the UDP listener can add entries to auth.log and the
# other standard files that look like local ones. Separate files for remote
# input, or a check on the peer address, would keep the local audit trail
# distinguishable.
log { source(localsrc); source(remotesrc); filter(f_authpriv); destination(authlog); };
log { source(localsrc); source(remotesrc); filter(f_syslog); destination(syslogfile); };
#log { source(localsrc); source(remotesrc); filter(f_cron); destination(cron); };
log { source(localsrc); source(remotesrc); filter(f_daemon); destination(daemon); };
log { source(localsrc); source(remotesrc); filter(f_kern); destination(kern); };
log { source(localsrc); source(remotesrc); filter(f_lpr); destination(lpr); };
log { source(localsrc); source(remotesrc); filter(f_mail); destination(mail); };
log { source(localsrc); source(remotesrc); filter(f_user); destination(user); };
log { source(localsrc); source(remotesrc); filter(f_uucp); destination(uucp); };
log { source(localsrc); source(remotesrc); filter(f_mail); filter(f_info); destination(mailinfo); };
log { source(localsrc); source(remotesrc); filter(f_mail); filter(f_warn); destination(mailwarn); };
log { source(localsrc); source(remotesrc); filter(f_mail); filter(f_err); destination(mailerr); };
log { source(localsrc); source(remotesrc); filter(f_news); filter(f_crit); destination(newscrit); };
log { source(localsrc); source(remotesrc); filter(f_news); filter(f_err); destination(newserr); };
log { source(localsrc); source(remotesrc); filter(f_news); filter(f_notice); destination(newsnotice); };
log { source(localsrc); source(remotesrc); filter(f_debug); filter(f_not_cust); destination(debug); };
log { source(localsrc); source(remotesrc); filter(f_messages); filter(f_not_cust); destination(messages); };
# Emergency-level messages, including those from remotesrc, go to root's
# terminal through usertty("root").
log { source(localsrc); source(remotesrc); filter(f_emergency); filter(f_not_cust); destination(console); };
log { source(localsrc); source(remotesrc); filter(f_switches); destination(switches); };
log { source(localsrc); source(remotesrc); filter(f_term); destination(term); };
# Messages matching f_esx reach d_by_host through this path and again through
# the unfiltered by-host path below, so they are written to that file twice.
log { source(localsrc); source(remotesrc); filter(f_esx); destination(d_by_host); };
log { source(localsrc); source(remotesrc); filter(f_nt); destination(nt); };

# by-host log file
# No filter: every message from both sources is written to d_by_host.
log { source(localsrc); source(remotesrc); destination(d_by_host); };
log { source(localsrc); source(remotesrc); filter(f_cust_apache); destination(cust_apache); };
log { source(localsrc); source(remotesrc); filter(f_cust_postgres); destination(cust_postgres); };

# Forward local messages (debug .. err) to two remote destinations.
# NOTE(review): d_sam02 and d_sam01 are not defined anywhere in this file.
log { source(localsrc); filter(f_all); destination(d_sam02); } ;
log { source(localsrc); filter(f_all); destination(d_sam01); } ;

# Graylog2
# spoof_source(yes) sends the forwarded packets with the original sender's
# address as the UDP source address, so the receiver sees the origin host
# rather than this server.
destination d_graylog2 { udp("192.0.2.91" port(514) spoof_source(yes)); };

# cust Logging destinations
destination d_cust_dev { file("/var/log/cust/dev.log" owner("root") group("users") perm(0640)); };
destination d_cust_test { file("/var/log/cust/test.log" owner("root") group("users") perm(0640)); };
destination d_cust_hotfix { file("/var/log/cust/hotfixtest.log" owner("root") group("users") perm(0640)); };
# NOTE(review): this file is readable by group "azprodlog", while the
# production database log below uses group "custprodlog" -- confirm that two
# different groups are intended.
destination d_cust_prod { file("/var/log/cust/prod.log" owner("root") group("azprodlog") perm(0640)); };

# cust Postgresql destinations (different access groups)
# NOTE(review): $PROGRAM comes from the received message and these
# destinations are fed from remotesrc only. The program("postgres") filters
# are unanchored, so any program name containing "postgres" passes and picks
# its own file name in this directory. An anchored pattern, or a fixed file
# name, would limit that.
destination d_cust_db_azprodlog { file("/var/log/cust/postgresql/$PROGRAM.log" owner("root") group("custprodlog") perm(0640)); };
destination d_cust_db_other { file("/var/log/cust/postgresql/$PROGRAM-other.log" owner("root") group("users") perm(0640)); };
destination d_cust_mail { file("/var/log/cust/mail.log" owner("root") group("users") perm(0640)); };
destination d_cust_all { file("/var/log/cust-adm/all.log" owner("root") group("adm") perm(0640)); };

# cust filter
# Facility selects the environment (local1 prod, local2 test, local3 dev,
# local4 hotfix); program("postgres") splits database logs from the rest.
# The host patterns in f_cust_mail are unanchored, so they also match longer
# host names that contain "mail01" or "mail02".
filter f_cust_mail { host(mail01) or host(mail02); };
filter f_cust_hotfix { facility(local4) and not program("postgres"); };
filter f_cust_dev { facility(local3) and not program("postgres"); };
filter f_cust_test { facility(local2) and not program("postgres"); };
filter f_cust_prod { facility(local1) and not program("postgres"); };
# f_cust_dbdev is defined but no log path in this file uses it.
filter f_cust_dbdev { facility(local3) and program("postgres"); };
filter f_cust_dbtest { facility(local2) and program("postgres"); };
filter f_cust_dbprod { facility(local1) and program("postgres"); };

# filter uninteresting and lengthy postgres log messages
filter f_cust_interesting { level(notice .. emerg) or not program("postgres"); };

# cust logs
# These paths read remotesrc only.
log { source(remotesrc); filter(f_cust_dev); destination(d_cust_dev); };
log { source(remotesrc); filter(f_cust_test); destination(d_cust_test); };
log { source(remotesrc); filter(f_cust_hotfix); destination(d_cust_hotfix); };
log { source(remotesrc); filter(f_cust_prod); destination(d_cust_prod); destination(d_graylog2); };
log { source(remotesrc); filter(f_cust_dbtest); destination(d_cust_db_other); };
log { source(remotesrc); filter(f_cust_dbprod); destination(d_cust_db_azprodlog); };
log { source(remotesrc); filter(f_mail); filter(f_cust_mail); destination(d_cust_mail); destination(d_graylog2); };
# f_cust_interesting does not test the facility, so this path receives every
# remote message that is not a low-severity postgres message.
log { source(remotesrc); filter(f_cust_interesting); destination(d_cust_all); };