0

I am working on a project to update syslog.conf files in our unix environment.

I discovered that many have duplicate entries. I don't know which will work or will they all work. Here are the existing entries.

auth.debug @10.X.XXXX.XX auth.debug @arl-syslog.XXXXXX.net

I am to add the following

auth., authpriv.    @arl-syslog.XXXXXX.net

What will happen with the existing entries if I add the last one? Will the first one still work? Will the second become redundant because of the one I add?

Thank you.

CharlieB
  • 19
  • 1
  • 6

1 Answers1

0

All entries are always evaluated, so both of your entries will be be effective.

The trouble is that your second entry is not really useful, since the priority field is not specified. I did not find any explicit mention of this case in the docs.

I have tested this with rsyslogd vers. 8.6 and when you do not specify the priority field it does not affect the logging for that facility.

E.g.:

authpriv.info   /var/log/auth.log;SyslFormat
authpriv.       /var/log/auth.log;SyslFormat

Messages for authpriv at level info and above will be logged to /var/log/auth.log.

authpriv.info   /var/log/auth.log;SyslFormat
authpriv.*      /var/log/auth.log;SyslFormat

Messages for authpriv at all levels will be logged to /var/log/auth.log.

authpriv.info   /var/log/auth.log;SyslFormat
authpriv.none   /var/log/auth.log;SyslFormat

No authpriv messages will be logged to /var/log/auth.log.

Also note this:

authpriv.info   /var/log/auth.log;SyslFormat
authpriv.*      /var/log/auth-copy.log;SyslFormat

Messages for authpriv at level info and above will be logged to /var/log/auth.log, and messages for authpriv at all levels will be logged to /var/log/auth-copy.log. So you get duplicated info and above messages.

authpriv.info   /var/log/auth.log;SyslFormat
authpriv.       /var/log/auth-copy.log;SyslFormat

Nothing is logged to /var/log/auth-copy.log.

user9645
  • 6,286
  • 6
  • 29
  • 43