我让远程 nginx 系统日志同时发送到我的 syslog-ng 服务器上的 /var/log/nginx 和 /var/log/splunk。我怎样才能只让其发送到 /var/log/nginx?
#/etc/syslog-ng/syslog-ng.conf
source s_sys {
system();
internal();
udp(ip(0.0.0.0) port(514));
};
destination d_splunk { file("/var/log/splunk/$HOST-$PROGRAM-$YEAR-$MONTH-$DAY.log"); };
destination d_nginx { file("/var/log/nginx/$HOST-$PROGRAM-$YEAR-$MONTH-$DAY.log"); };
filter f_nginx { program(nginx); };
filter f_default { level(info..emerg) and
not (facility(mail)
or facility(authpriv)
or facility(cron)); };
log { source(s_sys); filter(f_nginx); destination(d_nginx); };
log { source(s_sys); destination(d_splunk); };
答案1
在 nginx 日志路径中使用“final”标志:
log { source(s_sys); filter(f_nginx); destination(d_nginx); flags(final); };