On Tue, 11 Oct 2011, Lu, Victor wrote:
Hi there,
The following messages are from a Solaris 10 platform. When I do a su, the messages
from the kernel always come. I did not see that message when I used the syslog daemon.
Is this normal behavior in rsyslog? Is there something to do in compilation,
because I did not see it on RHEL?
2011-10-11T16:35:21-04:00 h8-420r-01 su: [ID 805675 auth.notice] User : root Service : su TTY : /dev/pts/2 Remote Host : N/A Remote User : N/A Status : AUTHENTICATED
2011-10-11T16:35:21.179019-04:00 h8-420r-01 kernel: Oct 11 16:35:21 su: [ID 805675 auth.notice] User : root Service : su TTY : /dev/pts/2 Remote Host : N/A Remote User : N/A Status : AUTHENTICATED
2011-10-11T16:35:21-04:00 h8-420r-01 su: [ID 366847 auth.notice] 'su root' succeeded for vl10243 on /dev/pts/2
2011-10-11T16:35:21.182744-04:00 h8-420r-01 kernel: Oct 11 16:35:21 su: [ID 366847 auth.notice] 'su root' succeeded for vl10243 on /dev/pts/2
2011-10-11T16:36:39.450123-04:00 h8-420r-01 kernel: Oct 11 16:36:39 su: [ID 805675 auth.notice] User : root Service : su TTY : /dev/pts/2 Remote Host : N/A Remote User : N/A Status : AUTHENTICATED
2011-10-11T16:36:39-04:00 h8-420r-01 su: [ID 805675 auth.notice] User : root Service : su TTY : /dev/pts/2 Remote Host : N/A Remote User : N/A Status : AUTHENTICATED
2011-10-11T16:36:39-04:00 h8-420r-01 su: [ID 366847 auth.notice] 'su root' succeeded for vl10243 on /dev/pts/2
2011-10-11T16:36:39.454056-04:00 h8-420r-01 kernel: Oct 11 16:36:39 su: [ID 366847 auth.notice] 'su root' succeeded for vl10243 on /dev/pts/2
It looks to me like the log message is probably being delivered to rsyslog
twice. There is a property that you can put into a template that indicates
how the log message got to rsyslog (I don't remember its name right
now); I would suggest creating a custom template that includes this and
then seeing how the logs are arriving.
The other possibility is that you may have two rules in your rsyslog.conf
file that are both matching this, but if that were the case I would expect
the duplicate lines next to each other (but it's possible that the batch
processing of log messages would produce the result you are seeing).
David Lang
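Editor's note (not part of the thread): the template property David has in mind is rsyslog's `inputname`, which expands to the input module that received the message (for example `%inputname%` in a legacy-format template), so adding it to the output format shows directly whether the two copies came in through different inputs. The script below is an added example, not code from either poster or from the rsyslog project. It confirms the "delivered twice" reading from the log text alone: the relayed copy is tagged `kernel:` and carries a second, BSD-style `Mon DD HH:MM:SS` timestamp in front of the original `su:` line, so stripping that prefix recovers the original tag and message and lets each relayed copy be paired with its direct counterpart within a short time window, in either arrival order (the 16:36:39 pair arrives kernel-first, as in the post). The sample lines are the eight events quoted above, re-joined onto one line each; the two-second pairing window is an assumption.

```python
"""Pair directly-logged syslog events with copies of the same event that
arrived relayed through the kernel input, as in the Solaris 10 lines above.

Added example; the sample log is constructed from the events quoted in the
post (re-joined onto one line each) and the pairing window is an assumption.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: the eight events quoted in the post, one per line.
SAMPLE_LOG = """\
2011-10-11T16:35:21-04:00 h8-420r-01 su: [ID 805675 auth.notice] User : root Service : su TTY : /dev/pts/2 Remote Host : N/A Remote User : N/A Status : AUTHENTICATED
2011-10-11T16:35:21.179019-04:00 h8-420r-01 kernel: Oct 11 16:35:21 su: [ID 805675 auth.notice] User : root Service : su TTY : /dev/pts/2 Remote Host : N/A Remote User : N/A Status : AUTHENTICATED
2011-10-11T16:35:21-04:00 h8-420r-01 su: [ID 366847 auth.notice] 'su root' succeeded for vl10243 on /dev/pts/2
2011-10-11T16:35:21.182744-04:00 h8-420r-01 kernel: Oct 11 16:35:21 su: [ID 366847 auth.notice] 'su root' succeeded for vl10243 on /dev/pts/2
2011-10-11T16:36:39.450123-04:00 h8-420r-01 kernel: Oct 11 16:36:39 su: [ID 805675 auth.notice] User : root Service : su TTY : /dev/pts/2 Remote Host : N/A Remote User : N/A Status : AUTHENTICATED
2011-10-11T16:36:39-04:00 h8-420r-01 su: [ID 805675 auth.notice] User : root Service : su TTY : /dev/pts/2 Remote Host : N/A Remote User : N/A Status : AUTHENTICATED
2011-10-11T16:36:39-04:00 h8-420r-01 su: [ID 366847 auth.notice] 'su root' succeeded for vl10243 on /dev/pts/2
2011-10-11T16:36:39.454056-04:00 h8-420r-01 kernel: Oct 11 16:36:39 su: [ID 366847 auth.notice] 'su root' succeeded for vl10243 on /dev/pts/2
"""

# "<RFC3339 timestamp> <host> <tag>: <msg>" as written by rsyslog above.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<tag>[^:\s]+): (?P<msg>.*)$")
# The kernel-relayed copy prefixes the original line with its own
# "Mon DD HH:MM:SS" timestamp; the original tag and message follow it.
KERNEL_RELAY_RE = re.compile(
    r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} (?P<tag>[^:\s]+): (?P<msg>.*)$")


@dataclass
class Event:
    ts: datetime
    host: str
    tag: str       # original program tag, e.g. "su", after un-wrapping
    msg: str       # original message text, after un-wrapping
    source: str    # "direct" or "kernel"

    def key(self):
        """Identity of the underlying event, independent of delivery path."""
        return (self.host, self.tag, self.msg)


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    tag, msg, source = m["tag"], m["msg"], "direct"
    if tag == "kernel":
        k = KERNEL_RELAY_RE.match(msg)
        if k:  # a relayed syslog line, not a genuine kernel message
            tag, msg, source = k["tag"], k["msg"], "kernel"
    return Event(datetime.fromisoformat(m["ts"]), m["host"], tag, msg, source)


def parse_log(lines):
    return [e for e in map(parse_line, lines) if e is not None]


def count_by_source(events):
    counts = defaultdict(int)
    for e in events:
        counts[e.source] += 1
    return dict(counts)


def find_duplicates(events, window=timedelta(seconds=2)):
    """Return (direct, kernel) pairs: each kernel-relayed copy is matched to
    the nearest still-unmatched direct copy with the same key inside
    `window`, whichever of the two was written first."""
    by_key = defaultdict(lambda: {"direct": [], "kernel": []})
    for e in events:
        by_key[e.key()][e.source].append(e)
    pairs = []
    for groups in by_key.values():
        unmatched = list(groups["direct"])
        for k in groups["kernel"]:
            best = min((d for d in unmatched if abs(d.ts - k.ts) <= window),
                       key=lambda d: abs(d.ts - k.ts), default=None)
            if best is not None:
                unmatched.remove(best)
                pairs.append((best, k))
    return pairs


def dedupe(events, window=timedelta(seconds=2)):
    """Drop the relayed copies that were paired with a direct copy, keeping
    the direct one (original timestamp, no embedded prefix)."""
    drop = {id(k) for _, k in find_duplicates(events, window)}
    return [e for e in events if id(e) not in drop]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG.splitlines())
    print("events by source:", count_by_source(evs))
    for d, k in find_duplicates(evs):
        delta = (k.ts - d.ts).total_seconds()
        print(f"{d.tag}: {d.msg[:40]!r} relayed via kernel {delta:+.6f}s later")
    print("unique events after dedupe:", len(dedupe(evs)))
```

Run as a script it reports four direct/kernel pairs and four unique events. Note the security angle: without this un-wrapping, a SIEM counting `su root` successes from this host would see every privilege escalation twice, and a rule keyed on the raw message text would never match the relayed copy because of the extra timestamp in front of it.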
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com