On Tue, 11 Oct 2011, Lu, Victor  wrote:

Hi there,

The following message is on the Solaris 10 platform. When I do a su, the messages 
from the kernel always come. I did not see that message when I used the syslog daemon. 
Is this normal behavior in rsyslog? Is there something to do in compilation, 
because I did not see it on RHEL?


2011-10-11T16:35:21-04:00 h8-420r-01 su: [ID 805675 auth.notice] User : root  
Service : su  TTY : /dev/pts/2  Remote Host : N/A  Remote User : N/A  Status : 
AUTHENTICATED
2011-10-11T16:35:21.179019-04:00 h8-420r-01 kernel: Oct 11 16:35:21 su: [ID 
805675 auth.notice] User : root  Service : su  TTY : /dev/pts/2  Remote Host : 
N/A  Remote User : N/A  Status : AUTHENTICATED
2011-10-11T16:35:21-04:00 h8-420r-01 su: [ID 366847 auth.notice] 'su root' 
succeeded for vl10243 on /dev/pts/2
2011-10-11T16:35:21.182744-04:00 h8-420r-01 kernel: Oct 11 16:35:21 su: [ID 
366847 auth.notice] 'su root' succeeded for vl10243 on /dev/pts/2

2011-10-11T16:36:39.450123-04:00 h8-420r-01 kernel: Oct 11 16:36:39 su: [ID 
805675 auth.notice] User : root  Service : su  TTY : /dev/pts/2  Remote Host : 
N/A  Remote User : N/A  Status : AUTHENTICATED
2011-10-11T16:36:39-04:00 h8-420r-01 su: [ID 805675 auth.notice] User : root  
Service : su  TTY : /dev/pts/2  Remote Host : N/A  Remote User : N/A  Status : 
AUTHENTICATED
2011-10-11T16:36:39-04:00 h8-420r-01 su: [ID 366847 auth.notice] 'su root' 
succeeded for vl10243 on /dev/pts/2
2011-10-11T16:36:39.454056-04:00 h8-420r-01 kernel: Oct 11 16:36:39 su: [ID 
366847 auth.notice] 'su root' succeeded for vl10243 on /dev/pts/2


It looks to me like the log message is probably being delivered to rsyslog twice. There is a property that you can put into a template that indicates how the log message got to rsyslog (I don't remember its name right now). I would suggest creating a custom template that includes this and then seeing how the logs are arriving.

The other possibility is that you may have two rules in your rsyslog.conf file that are both matching this, but if that were the case I would expect the duplicate lines next to each other (but it's possible that the batch processing of log messages would produce the result you are seeing).

David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
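
The custom template suggested in the reply above could look like the following. This is an added example, not part of the original thread. It assumes the property meant is rsyslog's `inputname` (the name of the input module that received the message); the template name `InputTrace` and the output path are placeholders.

```conf
# Added example (not from the original thread), legacy rsyslog.conf syntax.
# "InputTrace" and the output file path are placeholder names.

# Record, for every message, which input module handed it to rsyslog
# (%inputname%) and the facility.severity it carried on arrival, next to
# the usual host, tag and message text.
$template InputTrace,"%timegenerated:::date-rfc3339% input=%inputname% pri=%syslogfacility-text%.%syslogseverity-text% %HOSTNAME% %syslogtag%%msg%\n"

# One catch-all rule that writes with this template. Because this file is
# written by a single rule, an event that shows up twice here was received
# twice; compare the input= fields of the two copies to see where each one
# came from. An event that appears once here but twice in the regular log
# file points instead at two rules matching the same message.
*.* /var/log/rsyslog-input-trace.log;InputTrace
```

Restart rsyslog after adding these lines, run `su` once, and compare the entries written for that event.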