FYI,

I have verified and tested that, on Solaris, imsolaris captures both kernel logging
and local system logging, e.g. via the logger command. It looks like the imklog module
is not needed. With the imklog module loaded, it will generate duplicated messages.

Thanks

Victor

-----Original Message-----
From: Lu, Victor [CCC-OT_IT] 
Sent: Monday, September 26, 2011 1:25 PM
To: rsyslog-users
Subject: RE: [rsyslog] Duplicated messages on Solaris

Hi Rainer,

Thanks for the quick response. For product version, I am using the latest stable
version 5.8.5. Could you let me know which version fixed the timestamp issue and
what the message looks like after the fix?

The following is what you posted on the web site. Is this because of a special
kernel input device that produced the duplicated message? Any suggestions to get
the same behavior as what we have on Linux?

Website

http://www.rsyslog.com/doc/imsolaris.html

Solaris Input Module

Module Name:    imsolaris

Author: Rainer Gerhards <[email protected]>

Description:

Reads local Solaris log messages including the kernel log.

This module is specifically tailored for Solaris. Under Solaris, there is no 
special kernel input device. Instead, both kernel messages as well as messages 
emitted via syslog() are received from a single source.

This module obeys the Solaris door() mechanism to detect a running syslogd 
instance. As such, only one can be active at one time. If it detects another 
active instance at startup, the module disables itself, but rsyslog will 
continue to run.

Configuration Directives:

    $IMSolarisLogSocketName <name>
    This is the name of the log socket (stream) to read. If not given, /dev/log
    is read.



-----Original Message-----
From: [email protected] 
[mailto:[email protected]] On Behalf Of Rainer Gerhards
Sent: Monday, September 26, 2011 12:55 PM
To: rsyslog-users
Subject: Re: [rsyslog] Duplicated messages on Solaris

Mhhh... I have no idea why Solaris' logger writes to both locations. But I
also don't see how I should tell which one to drop...

As for the timestamps: are you sure you use the newest version of the branch
in question? I remember that I recently fixed something in that regard.

Rainer

> -----Original Message-----
> From: [email protected] [mailto:rsyslog-
> [email protected]] On Behalf Of Lu, Victor
> Sent: Monday, September 26, 2011 6:19 PM
> To: [email protected]
> Subject: [rsyslog] Duplicated messages on Solaris
> 
> On Solaris,
> 
> 
> 1)      If I use both $Modload  ImkLog and $Modload imsolaris,
> 
>        A logger command will always generate message twice.
>        2011-09-26T11:08:46-04:00 i8-420-02 test: [ID 702911
> user.notice] This is a test
>         2011-09-26T11:08:46.962612-04:00 i8-420-02 kernel: Sep 26
> 11:08:46 test: [ID 702911 user.notice] This is a test
> 
>         su command will return only one message.
>         2011-09-26T12:08:21.643321-04:00 i8-420-02 kernel: Sep 26
> 12:08:21 su: [ID 366847 auth.info] 'su root' succeeded for vl10243 on
> /dev/pts/4
> 
> 
> 2)      If I use $Modload imklog only, the logger command will return
> only one message.
> 
>        2011-09-26T12:02:20.667780-04:00 i8-420-02 kernel: Sep 26
> 12:02:20 test: [ID 702911 user.notice] this is a test
> 
>         su command will return only one message.
> 
>          2011-09-26T12:02:47.700657-04:00 i8-420-02 kernel: Sep 26
> 12:02:47 su: [ID 366847 auth.info] 'su root' succeeded for vl10243 on
> /dev/pts/4
> 
> 
> 3)      If I use $Modload imsolaris only
> 
>         The logger command will return the following message.
> 
>        2011-09-26T12:06:01-04:00 i8-420-02 test: [ID 702911
> user.notice] this is a test
> 
>       su command will not return any message.
> 
> I only need one message to be generated in the system log (same on
> Linux), not duplicated.
> 
> It looks like I can use imklog module alone to capture both kernel and
> logger command message. But I am not sure if I still could miss other
> type of system events without using imsolaris module.
> 
> For the kernel message generated, I don't like the duplicated timestamp.
> 
> For example, the following event,
> 2011-09-26T12:02:20.667780-04:00 i8-420-02 kernel: Sep 26 12:02:20
> test: [ID 702911 user.notice] this is a test
> 
> The timestamp after kernel: Sep 26 12:02:20 because I already have
> the event time 2011-09-26T12:02:20.667780-04:00.
> 
> Any suggestions? Anybody have a sample rsyslog.conf on Solaris to
> share?
> 
> Thanks
> 
> Victor Lu
> 
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com
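
A way to check an existing log file for the duplication described in this thread, as an added example that is not part of the original messages or of rsyslog: it pairs each plain line with a `kernel:`-tagged copy that embeds the same tag and text. The sample lines are constructed from the thread's case 1 (unwrapped), and matching on the embedded legacy timestamp is an assumption based on that sample.

```python
import re
from collections import defaultdict

# Constructed sample: the thread's case-1 lines, unwrapped to one event per line.
SAMPLE = """\
2011-09-26T11:08:46-04:00 i8-420-02 test: [ID 702911 user.notice] This is a test
2011-09-26T11:08:46.962612-04:00 i8-420-02 kernel: Sep 26 11:08:46 test: [ID 702911 user.notice] This is a test
2011-09-26T12:08:21.643321-04:00 i8-420-02 kernel: Sep 26 12:08:21 su: [ID 366847 auth.info] 'su root' succeeded for vl10243 on /dev/pts/4
"""

# RFC 3339 timestamp, host, tag, message, as in the lines quoted in the thread.
OUTER = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})T(?P<hms>\d{2}:\d{2}:\d{2})\S* "
    r"(?P<host>\S+) (?P<tag>[^:\s]+): (?P<msg>.*)$")
# The kernel-tagged copy embeds the original "Mmm dd hh:mm:ss tag: msg".
INNER = re.compile(
    r"^[A-Z][a-z]{2} [ \d]\d (?P<hms>\d{2}:\d{2}:\d{2}) "
    r"(?P<tag>[^:\s]+): (?P<msg>.*)$")


def event_key(line):
    """Return (key, wrapped) for a log line, or None if it does not parse."""
    outer = OUTER.match(line)
    if outer is None:
        return None
    src, wrapped = outer, False
    if outer["tag"] == "kernel":
        inner = INNER.match(outer["msg"])
        if inner is not None:  # kernel-tagged line carrying a wrapped event
            src, wrapped = inner, True
    # Assumption: the plain copy's time equals the embedded legacy stamp.
    key = (outer["date"], src["hms"], outer["host"], src["tag"], src["msg"])
    return key, wrapped


def find_duplicates(text):
    """Return sorted (plain_line, wrapped_line) pairs that describe one event."""
    # key -> (plain line numbers, wrapped line numbers); False/True index 0/1
    seen = defaultdict(lambda: ([], []))
    for number, line in enumerate(text.splitlines(), 1):
        parsed = event_key(line)
        if parsed is not None:
            key, wrapped = parsed
            seen[key][wrapped].append(number)
    return sorted(p for plain, wrapped in seen.values() for p in zip(plain, wrapped))


if __name__ == "__main__":
    for plain, wrapped in find_duplicates(SAMPLE):
        print(f"line {wrapped} repeats line {plain} with a kernel: prefix")
```

Any pair it reports means the same event was stored twice, which inflates event counts in whatever consumes the log; an event that appears only in the `kernel:`-tagged form, like the `su` line, is not reported.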