[colug-432] syslog-ng: redirecting away from /var/log/messages

Brian bnmille at gmail.com
Sat Sep 10 11:05:02 EDT 2016


Syslog-ng has an option to stop processing a message, if it matches a given
rule.  You can send the log message to a file, and then stop processing it
(so it will not be written to any more files).  I don't recall the correct
syntax, but it's in the man pages.  Then just put the rule for
/var/log/messages at the end of your config file.

I use the stop rule processing to send junk I never want to see to /dev/null.
Works well.

On Sep 9, 2016 8:24 PM, "Rick Hornsby" <richardjhornsby at gmail.com> wrote:

>
>
> On Sep 9, 2016, at 17:43, Brian <bnmille at gmail.com> wrote:
>
> Well, this might not get you everything you want, but I would think about
> having a short syslog-ng.conf file, which would have an "include" line to
> look into /etc/syslog-ng.d/ for individual log file configurations.  So you
> would completely remove any reference to /var/log/messages.  There wouldn't
> be any need for a "not" directive.
>
> That would work if there was some way to allow /var/log/messages to be the
> fallback for anything that didn't match a previous rule sending the message
> to another file. It might be possible, but I haven't figured out how?
>
> There's a crapton of otherwise uncategorized, unhandled stuff that comes
> in from various services including things we haven't explicitly planned for
> because we don't know about them yet. That stuff still needs to land in
> /var/log/messages.
>
>
>
>
> On Sep 9, 2016 12:06 PM, "Rick Hornsby" <richardjhornsby at gmail.com> wrote:
>
>> Having some trouble figuring out how to configure syslog-ng. We want
>> to use .d files, but we also want to make sure the logs we say in
>> those .d files "go to /var/log/some-app.log", aren't also going to
>> /var/log/messages.
>>
>> One approach is to use .d files to write the source, destination, and
>> log{} blocks for 'some-app' into conf.d/some-app.conf, and put "not"
>> filters in the main syslog-ng.conf for the same. That approach isn't
>> scalable, and is difficult to work with in Puppet, because it means
>> trying to figure out how to write a conf.d file (easy, clean) and
>> re-write syslog-ng.conf (hard, messy) for every application that needs
>> it.
>>
>> I was looking at tags, which might work. Each .d file could use a
>> rewrite rule to tag its own logs with 'dont-write-me-to-messages'. In
>> syslog-ng.conf, we would just have to use a single filter for "not
>> tag('dont-write-me-to-messages')". The idea is to keep syslog-ng.conf
>> as consistent across the fleet and as clean as possible, and delegate
>> to .d files.
>>
>> syslog-ng's docs are not helping. I can't seem to figure out a way to
>> add a tag conditionally.
>>
>> "Tags can be also added and deleted using rewrite rules. For details,
>> see section 11.2.7[1]"
>>
>> Section 11.2.6 talks about conditional rewrites, but the next page
>> 11.2.7 regarding tagging is basically useless. It's as if the whole
>> idea of a rewrite, with rules and conditions, doesn't exist for tags?
>> If you try to do, for example
>>
>>         set-tag('ignore', condition(program('puppet-agent')));
>>
>> The syntax parser complains that condition is an unexpected keyword.
>>
>> Am I doing something wrong with the tags? Is there another approach I'm
>> missing?
>>
>> thanks!
>>
>>
>>
>> [1] https://www.balabit.com/documents/syslog-ng-ose-3.8-guides/en/syslog-ng-ose-guide-admin/html/rewrite-tags.html.
>> _______________________________________________
>> colug-432 mailing list
>> colug-432 at colug.net
>> http://lists.colug.net/mailman/listinfo/colug-432
>>
>
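
Added example, not part of the original thread: a syslog-ng configuration sketch of the "stop processing" approach described in the reply at the top, using the log-statement flags `final` and `fallback`. The source name `s_local`, the `/etc/syslog-ng.d/*.conf` layout, the output file names and the program name `some-noisy-daemon` are assumptions.

```conf
# ---- /etc/syslog-ng/syslog-ng.conf (kept identical across the fleet) ----
@version: 3.8

# Assumed source name; the .d files below refer to it.
source s_local { system(); internal(); };

destination d_messages { file("/var/log/messages"); };

# Per-application files carry their own filter, destination and log{}.
# The main file never has to be rewritten when an application is added.
@include "/etc/syslog-ng.d/*.conf"

# Catch-all. flags(fallback) makes this statement receive only messages
# that no non-fallback log{} statement matched, so unknown or unplanned
# services still land in /var/log/messages and no "not" filters are needed.
log { source(s_local); destination(d_messages); flags(fallback); };

# ---- /etc/syslog-ng.d/puppet-agent.conf ----
filter f_puppet { program("puppet-agent"); };
destination d_puppet { file("/var/log/puppet-agent.log"); };

# flags(final): once a message matches this statement's filter, log{}
# statements that come later in the configuration do not see it.
# Messages that do not match the filter are unaffected and continue on.
log {
    source(s_local);
    filter(f_puppet);
    destination(d_puppet);
    flags(final);
};

# ---- /etc/syslog-ng.d/drop-noise.conf ----
# Discard unwanted messages: a log{} with a filter, no destination and
# flags(final). Writing to file("/dev/null") has the same effect.
filter f_noise { program("some-noisy-daemon"); };
log { source(s_local); filter(f_noise); flags(final); };
```

Run `syslog-ng --syntax-only` after changing any of these files. Keep drop filters narrow and reviewed, because a `flags(final)` statement hides every matching message from all log statements that follow it, including ones that forward to a central collector.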