David,
The message is from the imklog module, and the only difference between these two messages is that the second message adds "kernel" and a timestamp, e.g. "kernel: Oct 11 16:35:21" in the messages below.

2011-10-11T16:35:21-04:00 h8-420r-01 su: [ID 805675 auth.notice] User : root Service : su TTY : /dev/pts/2 Remote Host : N/A Remote User : N/A Status : AUTHENTICATED
2011-10-11T16:35:21.179019-04:00 h8-420r-01 kernel: Oct 11 16:35:21 su: [ID 805675 auth.notice] User : root Service : su TTY : /dev/pts/2 Remote Host : N/A Remote User : N/A Status : AUTHENTICATED

I am wondering if there is any option when we compile that imklog module to disable the second message.

Thanks
Victor

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of [email protected]
Sent: Tuesday, October 11, 2011 5:45 PM
To: rsyslog-users
Subject: Re: [rsyslog] Duplicated kernel messages

On Tue, 11 Oct 2011, Lu, Victor wrote:

> Hi there,
>
> The following message is on the Solaris 10 platform. When I do a su, the
> messages from the kernel always come. I did not see that message when I used
> the syslog daemon. Is this normal behavior in rsyslog? Is there something to do
> in compilation, because I did not see it on RHEL?
>
> 2011-10-11T16:35:21-04:00 h8-420r-01 su: [ID 805675 auth.notice] User : root Service : su TTY : /dev/pts/2 Remote Host : N/A Remote User : N/A Status : AUTHENTICATED
> 2011-10-11T16:35:21.179019-04:00 h8-420r-01 kernel: Oct 11 16:35:21 su: [ID 805675 auth.notice] User : root Service : su TTY : /dev/pts/2 Remote Host : N/A Remote User : N/A Status : AUTHENTICATED
> 2011-10-11T16:35:21-04:00 h8-420r-01 su: [ID 366847 auth.notice] 'su root' succeeded for vl10243 on /dev/pts/2
> 2011-10-11T16:35:21.182744-04:00 h8-420r-01 kernel: Oct 11 16:35:21 su: [ID 366847 auth.notice] 'su root' succeeded for vl10243 on /dev/pts/2
>
> 2011-10-11T16:36:39.450123-04:00 h8-420r-01 kernel: Oct 11 16:36:39 su: [ID 805675 auth.notice] User : root Service : su TTY : /dev/pts/2 Remote Host : N/A Remote User : N/A Status : AUTHENTICATED
> 2011-10-11T16:36:39-04:00 h8-420r-01 su: [ID 805675 auth.notice] User : root Service : su TTY : /dev/pts/2 Remote Host : N/A Remote User : N/A Status : AUTHENTICATED
> 2011-10-11T16:36:39-04:00 h8-420r-01 su: [ID 366847 auth.notice] 'su root' succeeded for vl10243 on /dev/pts/2
> 2011-10-11T16:36:39.454056-04:00 h8-420r-01 kernel: Oct 11 16:36:39 su: [ID 366847 auth.notice] 'su root' succeeded for vl10243 on /dev/pts/2
>

It looks to me like the log message is probably being delivered to rsyslog twice. There is a property that you can put into a template that indicates how the log message got to rsyslog (I don't remember its name right now). I would suggest creating a custom template that includes this and then seeing how the logs are arriving.
The other possibility is that you may have two rules in your rsyslog.conf file that are both matching this, but if that were the case I would expect the duplicate lines next to each other (but it's possible that the batch processing of log messages would produce the result you are seeing).

David Lang

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
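An added configuration example, written by the editor and not taken from either message in the thread, showing how to carry out David's suggestion in the legacy rsyslog syntax in use at the time (v5). The template property he could not recall is `inputname`, which holds the name of the input module that received the message (for example `imuxsock` or `imklog`). The template name, the debug file path, and the destination file paths are the editor's own choices; the discard filter assumes, as the thread's sample lines suggest, that the unwanted copies are the ones whose body begins with a second timestamp and arrive through imklog.

```conf
# Added example (not from the thread). Rules run in order, so the debug
# output comes first and sees every message before anything is discarded.
$ModLoad imuxsock
$ModLoad imklog

# Prefix each record with the rsyslog input it arrived on. "InputDebug" and
# the file path below are assumed names; %inputname% is a standard property.
$template InputDebug,"%timegenerated:::date-rfc3339% %HOSTNAME% input=%inputname% %syslogtag%%msg:::drop-last-lf%\n"
*.*   /var/log/rsyslog-input-debug.log;InputDebug

# Once the debug file confirms that the "kernel: Oct 11 16:35:21 su: ..." copies
# carry input=imklog while the clean "su: ..." copies carry input=imuxsock,
# drop only the imklog copies of the su records. The clean copy from imuxsock
# still reaches the normal destinations, so the audit trail of "su root"
# events is preserved, just no longer counted twice.
# '~' is the legacy discard action (v5); newer releases spell it 'stop'.
if $inputname == 'imklog' and $msg contains ' su: [ID ' then ~

# Normal destinations for whatever is left.
auth.*,authpriv.*                /var/log/auth.log
*.info;mail.none;authpriv.none   /var/log/messages
```

Two practical notes. First, keep the `*.*` debug rule only while diagnosing; it writes every message a second time. Second, a filter like the one above treats the symptom: if the debug file shows that a whole class of non-kernel messages is arriving via imklog on this Solaris build, the cleaner fix is at the input layer (not loading imklog there, or, where the installed release offers it, rsyslog's Solaris-specific `imsolaris` input, which is documented as replacing imuxsock and imklog on that platform; whether it applies to the build in the thread is not established here). Either way, from a monitoring standpoint it matters that the `su` authentication record itself is never the copy being dropped, since duplicated or missing privilege-escalation events distort any alerting built on them.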

