How to stop duplicate syslog messages

rudyonline

Cadet
Joined
Jan 26, 2022
Messages
5
I have a couple of TrueNAS servers that are acting a little differently with syslog messages. Server 1 sends duplicate syslog messages to Graylog; Server 2 sends 1 message to Graylog.
Server 1 was upgraded from 11.x to 12.0U-7. It has syslog messages going to "messages" and "console.log".
Server 2 was installed directly with 12.0U-8. It has syslog messages only going to "messages".
I've looked at the 2 servers side-by-side and don't see anything obviously different.

My question is how can I stop messages from going to the console log, for Server 1? Especially for SMB audit logging.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
Your description doesn't sound like duplicate. That sounds like it's configured to send the log messages to two places. That is not duplicate, that's multiple destination.

Are you seeing the same message repeated within a single file (i.e. actual duplicate)?

FreeNAS and TrueNAS both use syslog-ng and you can compare the config files at /usr/local/etc/syslog-ng.conf on each host.

The directive

destination consolelog { file("/var/log/console.log"); };

tells syslog-ng about the console.log file, and the only thing that uses this target is

log { source(src); filter(f_console); filter(f_info); destination(consolelog); };

If your system is logging stuff to the system /dev/console, I would expect it to end up in /var/log/console.log. Plug in a VGA monitor and check. If so, nothing's technically wrong with the logging system, and you then need to figure out why stuff is ending up on /dev/console. This is the big "fork in the (debugging) road" that you need to determine to know where to look next.
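The config comparison suggested in the post above can be scripted. The following is an added example, not part of the original thread: it parses two syslog-ng.conf texts and reports which filter chains feed a file destination on one host but not on the other. The sample configs are constructed; only the consolelog destination and its log statement come from the thread, and the `messages` route and the `f_notice` filter name are assumptions.

```python
import re

# Constructed sample config: only the consolelog destination and the log
# statement that uses it are quoted from the thread; the rest is assumed.
HOST_A = '''
source src { system(); };
destination messages { file("/var/log/messages"); };
destination consolelog { file("/var/log/console.log"); };
log { source(src); filter(f_notice); destination(messages); };  # assumed route
log { source(src); filter(f_console); filter(f_info); destination(consolelog); };
'''
# Constructed second host: the same file without the console.log route.
HOST_B = "\n".join(line for line in HOST_A.splitlines()
                   if "destination(consolelog)" not in line)

DEST_RE = re.compile(r'destination\s+(\w+)\s*\{\s*file\("([^"]+)"')
LOG_RE = re.compile(r'\blog\s*\{(.*?)\}\s*;', re.S)  # flat log statements only
REF_RE = re.compile(r'\b(source|filter|destination)\((\w+)\)')


def routes(conf_text):
    """Map each file destination path to the filter chains that feed it."""
    text = re.sub(r'#.*', '', conf_text)  # drop comments
    dests = {name: path for name, path in DEST_RE.findall(text)}
    out = {}
    for body in LOG_RE.findall(text):
        refs = REF_RE.findall(body)
        filters = tuple(name for kind, name in refs if kind == "filter")
        for kind, name in refs:
            if kind == "destination" and name in dests:
                out.setdefault(dests[name], []).append(filters)
    return out


def extra_routes(conf_a, conf_b):
    """Return (path, filters) routes present in conf_a but missing in conf_b."""
    ra, rb = routes(conf_a), routes(conf_b)
    return sorted((path, chain) for path, chains in ra.items()
                  for chain in chains if chain not in rb.get(path, []))


if __name__ == "__main__":
    for path, filters in extra_routes(HOST_A, HOST_B):
        print(f"only on host A: {' + '.join(filters)} -> {path}")
```

To use it on real hosts, read each server's copy of /usr/local/etc/syslog-ng.conf into a string and pass the two strings to `extra_routes` in both orders.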
 

rudyonline

Yes, you are correct, it is writing 1 message to both the messages file, and 1 to console.log. So it is a repeat issue. When that gets sent to our graylog logging server, they show as duplicated on our remote graylog servers.

The logs in question are for samba, using full_audit:
full_audit:facility = local5
full_audit:priority = info
full_audit:failure = connect
full_audit:success = open mkdir unlink rmdir rename read pread write pwrite sendfile lock
vfs objects = streams_xattr shadow_copy_zfs ixnas full_audit

I've tried changing some of these, but it doesn't seem to change logging. It's getting sent to console from something else.

I rechecked server 2, and it is doing the same thing as server 1, so it's not an issue with upgrading.
I'm at a loss. I don't know how to tell FreeBSD or TrueNAS how to stop logging messages at both locations.
 

jgreco

So, again, is it actually showing up on the physical VGA console on the one server? This is really the critical bit, because if some process is logging it onto the console, then syslog-ng is doing the correct thing by recording that, whereas if it is not, then it shouldn't be getting logged. This is an important determining factor in where to look next. Randomly changing things and hoping for a different result is less likely to arrive at a solution.
 

rudyonline

I think I got it working now.
full_audit:facility = local5 # was the issue
Changed it to
full_audit:facility = local7

Still don't know what the difference is, but it stopped it from writing
 

rudyonline

I should be able to plug a monitor into those servers next week, to see if it is actually writing to the console. Thanks for your help.
 