Log messages being duplicated

[tmcdonald]

I agree it has to do with the order, specifically which file has the "if $programname == 'tomcat' then ~" line present. That would prevent this from showing up in the normal syslog location which would be picked up and sent a second time. Currently your first one (the nagios.conf) is not discarding the message after sending, and your second (the rsyslog.conf) is. By placing nagios.conf after you are essentially skipping it.

Add: Normally we handle this by using numerals to control the order, such as "/etc/rsyslog.d/90-nagioslogserver_var_log_httpd_access_log.conf".

[bdgoecke]

The order does matter for rsyslog, the forwarder needs to be last. That is the way rsyslog works. I was able to verify this on my test machines, if I moved the nagios log server forward entry to the front/top of the list then I get duplicated messages.

When we configure our forwarder we put it at "99-nagioslogserver.conf" to try to be sure it is the last config processed.

Sorry for the confusion, we will try and document this better in the future.

[globalgiving]

Thanks all! Yeah, better documentation would have been great.

[cmerchant]

We'll go ahead and close this thread. Thanks.