[colug-432] syslog-ng: redirecting away from /var/log/messages

Rick Hornsby richardjhornsby at gmail.com
Fri Sep 9 20:22:15 EDT 2016



> On Sep 9, 2016, at 17:43, Brian <bnmille at gmail.com> wrote:
> 
> Well, this might not get you everything you want, but I would think about having a short syslog-ng.conf file, which would have an "include" line to look into /etc/syslog-ng.d/ for individual log file configurations.  So you would completely remove any reference to /var/log/messages.  There wouldn't be any need for a "not" directive.
> 
That would work if there was some way to allow /var/log/messages to be the fallback for anything that didn't match a previous rule sending the message to another file. It might be possible, but I haven't figured out how?

There's a crapton of otherwise uncategorized, unhandled stuff that comes in from various services including things we haven't explicitly planned for because we don't know about them yet. That stuff still needs to land in /var/log/messages.



> 
>> On Sep 9, 2016 12:06 PM, "Rick Hornsby" <richardjhornsby at gmail.com> wrote:
>> Having some trouble figuring out how to configure syslog-ng. We want
>> to use .d files, but we also want to make sure the logs we say in
>> those .d files "go to /var/log/some-app.log", aren't also going to
>> /var/log/messages.
>> 
>> One approach is to use .d files to write the source, destination, and
>> log{} blocks for 'some-app' into conf.d/some-app.conf, and put "not"
>> filters in the main syslog-ng.conf for the same. That approach isn't
>> scalable, and is difficult to work with in Puppet, because it means
>> trying to figure out how to write a conf.d file (easy, clean) and
>> re-write syslog-ng.conf (hard, messy) for every application that needs
>> it.
>> 
>> I was looking at tags, which might work. Each .d file could use a
>> rewrite rule to tag its own logs with 'dont-write-me-to-messages'. In
>> syslog-ng.conf, we would just have to use a single filter for "not
>> tag('dont-write-me-to-messages')". The idea is to keep syslog-ng.conf
>> as consistent across the fleet and as clean as possible, and delegate
>> to .d files.
>> 
>> syslog-ng's docs are not helping. I can't seem to figure out a way to
>> add a tag conditionally.
>> 
>> "Tags can be also added and deleted using rewrite rules. For details,
>> see section 11.2.7[1]"
>> 
>> Section 11.2.6 talks about conditional rewrites, but the next page
>> 11.2.7 regarding tagging is basically useless. It's as if the whole
>> idea of a rewrite, with rules and conditions, doesn't exist for tags?
>> If you try to do, for example
>> 
>>         set-tag('ignore', condition(program('puppet-agent')));
>> 
>> The syntax parser complains that condition is an unexpected keyword.
>> 
>> Am I doing something wrong with the tags? Is there another approach I'm missing?
>> 
>> thanks!
>> 
>> 
>> 
>> [1] https://www.balabit.com/documents/syslog-ng-ose-3.8-guides/en/syslog-ng-ose-guide-admin/html/rewrite-tags.html


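Added example, not part of the original thread: one way to get the "everything unclaimed still lands in /var/log/messages" behaviour asked about above is syslog-ng's `flags(fallback)` log-path flag, which needs neither tags nor "not" filters. The file paths, the `s_local` source name and the `some-app` names are assumptions for illustration.

```conf
# ---- /etc/syslog-ng/syslog-ng.conf (assumed path; same file on every host) ----
@version: 3.8

source s_local { system(); internal(); };

destination d_messages { file("/var/log/messages"); };

# Per-application drop-ins; Puppet only ever adds or removes files here.
@include "/etc/syslog-ng/conf.d/*.conf"

# flags(fallback): this path receives only messages that no other
# (non-fallback) log path has processed, so anything claimed by a
# conf.d file stays out of /var/log/messages, and anything unknown
# or unplanned still ends up there.
log {
    source(s_local);
    destination(d_messages);
    flags(fallback);
};

# ---- /etc/syslog-ng/conf.d/some-app.conf (assumed path; one per application) ----
filter f_some_app { program("some-app"); };

destination d_some_app { file("/var/log/some-app.log"); };

# A message that passes this filter counts as processed, which is
# what keeps it away from the fallback path above.
log {
    source(s_local);
    filter(f_some_app);
    destination(d_some_app);
};
```

Any other unfiltered, non-fallback log path on `s_local` (for example a forward-everything-to-a-collector rule) also counts as processing every message, and the fallback path would then receive nothing.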