Installation

Is there any way to avoid syslog-ng duplicate data?

rayar
Contributor

I have a syslog-ng configuration that started duplicating events after the Linux box was rebooted.

Is there any way to avoid it?

There are 2 heavy forwarders defined for the same load balancer, and only 1 of them is duplicating the events in the syslog files it creates.

 

[root@ilissplfwd07 syslog-ng]# cat syslog-ng.conf
@version:3.5
@include "scl.conf"


# syslog-ng configuration file.
#
# This should behave pretty much like the original syslog on RedHat. But
# it could be configured a lot smarter.
#
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
#
# Note: it also sources additional configuration files (*.conf)
# located in /etc/syslog-ng/conf.d/


# Global options: apply to every source and destination defined in this file.
options {
# Number of lines flushed to a destination at a time; 0 presumably means
# "write as messages arrive" — confirm against the 3.5 documentation.
flush_lines (0);
# Seconds to wait before re-opening a destination or connection that failed.
time_reopen (10);
# Size of each destination's output queue, in messages.
log_fifo_size (1000);
# Do not record the chain of relay hostnames in the host field.
chain_hostnames (off);
# No DNS lookups for sender addresses, and no FQDN expansion.
use_dns (no);
use_fqdn (no);
# Files and directories created by file() destinations belong to splunk:splunk.
# NOTE(review): perm()/dir-perm() are not set here, so syslog-ng's defaults
# apply — confirm they keep the collected logs unreadable to other local users.
owner("splunk");
group("splunk");
dir-owner("splunk");
dir-group("splunk");
# Create missing directories in a destination path on demand.
create_dirs (yes);
# Keep the hostname found inside the message instead of replacing it with the
# sender's address. NOTE(review): together with create_dirs(yes) and the $HOST
# macro used in the file() paths of this config, the directory name is chosen
# by whoever sends the message; limit which senders can reach the listeners.
keep_hostname (yes);
};

 

 


## add Default 514 udp/tcp & Filtered based don't modify below line #############################################
# Syslog 514
# The combined 514 listener below is disabled; only the per-port sources are active.
#source s_syslog { udp(port(514)); tcp(port(514) keep-alive(yes)); };
# One source per listening port. No ip() is given, so each driver binds to its
# default address (presumably all interfaces — confirm), and no TLS options are
# set, so messages arrive unencrypted and unauthenticated.
# NOTE(review): access to these ports should be limited by a host firewall or
# the load balancer, since every accepted message is written to disk.
source s_syslog518 { udp(port(518)); };
# keep-alive(yes) keeps established TCP connections open across a reload.
source s_syslog1513 { tcp(port(1513) keep-alive(yes)); };
source s_syslog1514 { tcp(port(1514) keep-alive(yes)); };
source s_syslog1515 { tcp(port(1515) keep-alive(yes)); };
source s_syslog1516 { tcp(port(1516) keep-alive(yes)); };

# Messages received on TCP 1513: one file per host, facility and minute.
# $HOST is taken from the message (keep_hostname(yes) in options), so the
# directory component is sender-supplied.
# NOTE(review): $(/ $MIN 1) is integer division by 1, i.e. the minute value
# itself, so a new file is started every minute — confirm this is intended.
destination d_1513 { file("/splunksyslog/port1513/$HOST/syslog_$FACILITY_$YEAR-$MONTH-$DAY-$HOUR-$(/ $MIN 1).log");};

# No flags(final) is set, so any other log path that also reads s_syslog1513
# (for example one loaded from conf.d/*.conf) receives the same message and
# would write it a second time.
log { source(s_syslog1513); destination(d_1513); };

 

# Messages received on TCP 1514: one file per host, facility and minute.
# The $HOST directory component comes from the message content.
destination d_1514 { file("/splunksyslog/port1514/$HOST/syslog_$FACILITY_$YEAR-$MONTH-$DAY-$HOUR-$(/ $MIN 1).log");};

# Routes s_syslog1514 to d_1514; not marked final, so other matching log
# paths would also receive these messages.
log { source(s_syslog1514); destination(d_1514); };

 

# Messages received on TCP 1515: one file per host, facility and minute.
# The $HOST directory component comes from the message content.
destination d_1515 { file("/splunksyslog/port1515/$HOST/syslog_$FACILITY_$YEAR-$MONTH-$DAY-$HOUR-$(/ $MIN 1).log");};

# Routes s_syslog1515 to d_1515; not marked final, so other matching log
# paths would also receive these messages.
log { source(s_syslog1515); destination(d_1515); };

 

# Messages received on TCP 1516: one file per host, facility and minute.
# The $HOST directory component comes from the message content.
destination d_1516 { file("/splunksyslog/port1516/$HOST/syslog_$FACILITY_$YEAR-$MONTH-$DAY-$HOUR-$(/ $MIN 1).log");};

# Routes s_syslog1516 to d_1516; not marked final, so other matching log
# paths would also receive these messages.
log { source(s_syslog1516); destination(d_1516); };

 

# destination d_catch { file("/splunksyslog/catch/$HOST/$YEAR-$MONTH-$DAY-$HOUR-catch.log");};

# log { source(s_syslog); destination(d_catch); };

 

# Messages received on UDP 518: one file per host, facility and minute.
# The $HOST directory component comes from the message content.
destination d_518 { file("/splunksyslog/port518/$HOST/syslog_$FACILITY_$YEAR-$MONTH-$DAY-$HOUR-$(/ $MIN 1).log");};

# Routes s_syslog518 to d_518; not marked final.
log { source(s_syslog518); destination(d_518); };
# Loads every *.conf under conf.d in addition to the statements above.
# NOTE(review): if a file there defines a log path over the same sources and
# the same file() template (e.g. a leftover copy of this config), each event
# is written twice. Compare conf.d on both forwarders when only one of them
# shows duplicates.
@include "/etc/syslog-ng/conf.d/*.conf"

 
