<p dir="ltr">Syslog-ng has an option to stop processing a message, if it matches a given rule. You can send the log message to a file, and then stop processing it (so it will not be written to any more files). I don't recall the correct syntax, but it's in the man pages. Then just put the rule for /var/log/messages at the end of your config file. </p>
<p dir="ltr">I use the stop rule processing to send junk I never want to see to /dev/null. Works well.</p>
<div class="gmail_extra"><br><div class="gmail_quote">On Sep 9, 2016 8:24 PM, "Rick Hornsby" <<a href="mailto:richardjhornsby@gmail.com">richardjhornsby@gmail.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto"><div><br></div><div><br>On Sep 9, 2016, at 17:43, Brian <<a href="mailto:bnmille@gmail.com" target="_blank">bnmille@gmail.com</a>> wrote:<br><br></div><blockquote type="cite"><div><p dir="ltr">Well, this might not get you everything you want, but I would think about having a short syslog-ng.conf file, which would have an "include" line to look into /etc/syslog-ng.d/ for individual log file configurations. So you would completely remove any reference to /var/log/messages. There wouldn't be any need for a "not" directive.</p></div></blockquote><div>That would work if there was some way to allow /var/log/messages to be the fallback for anything that didn't match a previous rule sending the message to another file. It might be possible, but I haven't figured out how?</div><div><br></div><div>There's a crapton of otherwise uncategorized, unhandled stuff that comes in from various services including things we haven't explicitly planned for because we don't know about them yet. That stuff still needs to land in /var/log/messages.</div><div><br></div><div><br></div><br><blockquote type="cite"><div>
<div class="gmail_extra"><br><div class="gmail_quote">On Sep 9, 2016 12:06 PM, "Rick Hornsby" <<a href="mailto:richardjhornsby@gmail.com" target="_blank">richardjhornsby@gmail.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Having some trouble figuring out how to configure syslog-ng. We want<br>
to use .d files, but we also want to make sure the logs we say in<br>
those .d files "go to /var/log/some-app.log", aren't also going to<br>
/var/log/messages.<br>
<br>
One approach is to use .d files to write the source, destination, and<br>
log{} blocks for 'some-app' into conf.d/some-app.conf, and put "not"<br>
filters in the main syslog-ng.conf for the same. That approach isn't<br>
scalable, and is difficult to work with in Puppet, because it means<br>
trying to figure out how to write a conf.d file (easy, clean) and<br>
re-write syslog-ng.conf (hard, messy) for every application that needs<br>
it.<br>
<br>
I was looking at tags, which might work. Each .d file could use a<br>
rewrite rule to tag its own logs with 'dont-write-me-to-messages'. In<br>
syslog-ng.conf, we would just have to use a single filter for "not<br>
tag('dont-write-me-to-messages')". The idea is to keep syslog-ng.conf<br>
as consistent across the fleet and as clean as possible, and delegate<br>
to .d files.<br>
<br>
syslog-ng's docs are not helping. I can't seem to figure out a way to<br>
add a tag conditionally.<br>
<br>
"Tags can be also added and deleted using rewrite rules. For details,<br>
see section 11.2.7[1]"<br>
<br>
Section 11.2.6 talks about conditional rewrites, but the next page<br>
11.2.7 regarding tagging is basically useless. It's as if the whole<br>
idea of a rewrite, with rules and conditions, doesn't exist for tags?<br>
If you try to do, for example<br>
<br>
set-tag('ignore', condition(program('puppet-agent')));<br>
<br>
The syntax parser complains that condition is an unexpected keyword.<br>
<br>
Am I doing something wrong with the tags? Is there another approach I'm missing?<br>
<br>
thanks!<br>
<br>
<br>
<br>
[1] <a href="https://www.balabit.com/documents/syslog-ng-ose-3.8-guides/en/syslog-ng-ose-guide-admin/html/rewrite-tags.html" rel="noreferrer" target="_blank">https://www.balabit.com/docume<wbr>nts/syslog-ng-ose-3.8-guides/<wbr>en/syslog-ng-ose-guide-admin/<wbr>html/rewrite-tags.html</a>.<br>
______________________________<wbr>_________________<br>
colug-432 mailing list<br>
<a href="mailto:colug-432@colug.net" target="_blank">colug-432@colug.net</a><br>
<a href="http://lists.colug.net/mailman/listinfo/colug-432" rel="noreferrer" target="_blank">http://lists.colug.net/mailman<wbr>/listinfo/colug-432</a><br>
</blockquote></div></div>
</div></blockquote></div><br>
<br></blockquote></div></div>
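<p dir="ltr">Added example, not part of the original thread: a sketch of the layout discussed above, using syslog-ng's <code>flags(final)</code> for the "stop processing" behaviour and <code>flags(fallback)</code> so that /var/log/messages only receives what no other rule matched. The source name <code>s_local</code>, the program name <code>noisy-daemon</code> and the drop-in file names are assumptions; the version line follows the 3.8 guide linked in the thread.</p>

```conf
# --- /etc/syslog-ng/syslog-ng.conf (main file, same on every host) ---
@version: 3.8

# Assumed source name; system() and internal() are the stock local sources.
source s_local { system(); internal(); };

destination d_messages { file("/var/log/messages"); };

# Pull in one drop-in file per application (directory from the thread).
@include "/etc/syslog-ng.d/*.conf"

# Catch-all: flags(fallback) means this path only receives messages that
# were not matched by any non-fallback log statement, so the main file
# needs no per-application "not" filter and never changes.
log { source(s_local); destination(d_messages); flags(fallback); };


# --- /etc/syslog-ng.d/some-app.conf (written by Puppet per application) ---
filter f_some_app { program("some-app"); };
destination d_some_app { file("/var/log/some-app.log"); };

# flags(final) stops further processing once this path has matched,
# so later log statements never see the message.
log {
    source(s_local);
    filter(f_some_app);
    destination(d_some_app);
    flags(final);
};


# --- /etc/syslog-ng.d/junk.conf (hypothetical: discard unwanted noise) ---
filter f_junk { program("noisy-daemon"); };   # assumed program name
destination d_null { file("/dev/null"); };

log { source(s_local); filter(f_junk); destination(d_null); flags(final); };
```

<p dir="ltr">Running <code>syslog-ng --syntax-only</code> against the assembled configuration before reloading catches parse errors such as the one quoted in the thread.</p>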