Mhhh... I have no idea why Solaris' logger writes to both locations. But I also don't see how I should tell which one to drop...
As of the timestamps: are you sure you use the newest version of the branch in question? I remember that I recently fixed something in that regard. Rainer > -----Original Message----- > From: [email protected] [mailto:rsyslog- > [email protected]] On Behalf Of Lu, Victor > Sent: Monday, September 26, 2011 6:19 PM > To: [email protected] > Subject: [rsyslog] Duplicated messages on Solaris > > On Solaris, > > > 1) If I use both $Modload ImkLog and $Modload imsolaris, > > A logger command will always generate message twice. > 2011-09-26T11:08:46-04:00 i8-420-02 test: [ID 702911 > user.notice] This is a test > 2011-09-26T11:08:46.962612-04:00 i8-420-02 kernel: Sep 26 > 11:08:46 test: [ID 702911 user.notice] This is a test > > su command will return only one message. > 2011-09-26T12:08:21.643321-04:00 i8-420-02 kernel: Sep 26 > 12:08:21 su: [ID 366847 auth.info] 'su root' succeeded for vl10243 on > /dev/pts/4 > > > 2) If I use $Modload imklog only, the logger command will return > only one message. > > 2011-09-26T12:02:20.667780-04:00 i8-420-02 kernel: Sep 26 > 12:02:20 test: [ID 702911 user.notice] this is a test > > su command will return only one message. > > 2011-09-26T12:02:47.700657-04:00 i8-420-02 kernel: Sep 26 > 12:02:47 su: [ID 366847 auth.info] 'su root' succeeded for vl10243 on > /dev/pts/4 > > > 3) If I use $Modload imsolaris only > > The logger command will return the following message. > > 2011-09-26T12:06:01-04:00 i8-420-02 test: [ID 702911 > user.notice] this is a test > > su command will not return any message. > > I only need one message to be generated in the system log (same on > Linux), not duplicated. > > It looks like I can use imklog module alone to capture both kernel and > logger command message. But I am not sure if I still could miss other > type of system events without using imsolaris module. > > For the kernel message generated, I don't like duplicated time stamp > > For example, the following event, > 2011-09-26T12:02:20.667780-04:00 i8-420-02 kernel: Sep 26 12:02:20 > test: [ID 702911 user.notice] this is a test > > The timestamp after kernel: Sep 26 12:02:20 because I already have > the event time 2011-09-26T12:02:20.667780-04:00. > > Any suggestions? Anybody have a sample rsyslog.conf on Solaris to > share? > > Thanks > > Victor Lu > > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com
