Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Installation
- :
- Is there any way to avoid syslog-ng duplicate data...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is there any way to avoid syslog-ng duplicate data?
I have syslog-ng configuration that started duplicating the events after the Linux box reboot
is there any way to avoid it ?
the are 2 heavy forwarders defined for the same load balancer and only 1 is duplicating the events in the syslog files created
[root@ilissplfwd07 syslog-ng]# cat syslog-ng.conf
@version:3.5
@include "scl.conf"
# syslog-ng configuration file.
#
# This should behave pretty much like the original syslog on RedHat. But
# it could be configured a lot smarter.
#
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
#
# Note: it also sources additional configuration files (*.conf)
# located in /etc/syslog-ng/conf.d/
options {
flush_lines (0);
time_reopen (10);
log_fifo_size (1000);
chain_hostnames (off);
use_dns (no);
use_fqdn (no);
owner("splunk");
group("splunk");
dir-owner("splunk");
dir-group("splunk");
create_dirs (yes);
keep_hostname (yes);
};
## add Default 514 udp/tcp & Filtered based don't modify below line #############################################
# Syslog 514
#source s_syslog { udp(port(514)); tcp(port(514) keep-alive(yes)); };
source s_syslog518 { udp(port(518)); };
source s_syslog1513 { tcp(port(1513) keep-alive(yes)); };
source s_syslog1514 { tcp(port(1514) keep-alive(yes)); };
source s_syslog1515 { tcp(port(1515) keep-alive(yes)); };
source s_syslog1516 { tcp(port(1516) keep-alive(yes)); };
destination d_1513 { file("/splunksyslog/port1513/$HOST/syslog_$FACILITY_$YEAR-$MONTH-$DAY-$HOUR-$(/ $MIN 1).log");};
log { source(s_syslog1513); destination(d_1513); };
destination d_1514 { file("/splunksyslog/port1514/$HOST/syslog_$FACILITY_$YEAR-$MONTH-$DAY-$HOUR-$(/ $MIN 1).log");};
log { source(s_syslog1514); destination(d_1514); };
destination d_1515 { file("/splunksyslog/port1515/$HOST/syslog_$FACILITY_$YEAR-$MONTH-$DAY-$HOUR-$(/ $MIN 1).log");};
log { source(s_syslog1515); destination(d_1515); };
destination d_1516 { file("/splunksyslog/port1516/$HOST/syslog_$FACILITY_$YEAR-$MONTH-$DAY-$HOUR-$(/ $MIN 1).log");};
log { source(s_syslog1516); destination(d_1516); };
# destination d_catch { file("/splunksyslog/catch/$HOST/$YEAR-$MONTH-$DAY-$HOUR-catch.log");};
# log { source(s_syslog); destination(d_catch); };
destination d_518 { file("/splunksyslog/port518/$HOST/syslog_$FACILITY_$YEAR-$MONTH-$DAY-$HOUR-$(/ $MIN 1).log");};
log { source(s_syslog518); destination(d_518); };
@include "/etc/syslog-ng/conf.d/*.conf"
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
