[colug-432] syslog-ng: redirecting away from /var/log/messages
Rick Hornsby
richardjhornsby at gmail.com
Fri Sep 9 12:04:02 EDT 2016
Having some trouble figuring out how to configure syslog-ng. We want
to use .d files, but we also want to make sure the logs we say in
those .d files "go to /var/log/some-app.log" aren't also going to
/var/log/messages.

One approach is to use .d files to write the source, destination, and
log{} blocks for 'some-app' into conf.d/some-app.conf, and put "not"
filters in the main syslog-ng.conf for the same. That approach isn't
scalable, and is difficult to work with in Puppet, because it means
trying to figure out how to write a conf.d file (easy, clean) and
re-write syslog-ng.conf (hard, messy) for every application that needs
it.

I was looking at tags, which might work. Each .d file could use a
rewrite rule to tag its own logs with 'dont-write-me-to-messages'. In
syslog-ng.conf, we would just have to use a single filter for "not
tag('dont-write-me-to-messages')". The idea is to keep syslog-ng.conf
as consistent across the fleet and as clean as possible, and delegate
to .d files.

syslog-ng's docs are not helping. I can't seem to figure out a way to
add a tag conditionally.

"Tags can be also added and deleted using rewrite rules. For details,
see section 11.2.7[1]"

Section 11.2.6 talks about conditional rewrites, but the next page
11.2.7 regarding tagging is basically useless. It's as if the whole
idea of a rewrite, with rules and conditions, doesn't exist for tags?

If you try to do, for example

    set-tag('ignore', condition(program('puppet-agent')));

The syntax parser complains that condition is an unexpected keyword.

Am I doing something wrong with the tags? Is there another approach I'm missing?

thanks!

[1] https://www.balabit.com/documents/syslog-ng-ose-3.8-guides/en/syslog-ng-ose-guide-admin/html/rewrite-tags.html.