Ordering log rules #11
Description
Hello,
we are using Saltstack with pillarstack, and we declare syslog-ng rules in multiple pillarstack files. One contains the basic configuration and others contains src/filter/dest/rule only when a specific 'service' is needed on the server.
So in our case, pillars are loaded in the following order (simplified): base pillars, service pillars. Some examples:
# base pillar with default configuration (simplified)
syslog_ng:
source:
- s_src:
- system: null
- internal: null
filter:
- f_syslog3:
- =not facility(auth, authpriv, mail) and not filter(f_debug)
destination:
- d_syslog:
- file:
- /var/log/syslog
log:
-
- source: =s_src
- filter: =f_syslog3
- destination: =d_syslog
# service pillar
syslog_ng:
destination:
- d_carbon:
- file:
- /var/log/carbon.log
filter:
- f_carbon:
- =program("carbon")
log:
-
- source: =s_src
- filter: =f_carbon
- destination: =d_carbon
- flags: =final
The objective is to send all carbon logs (filter f_carbon) to destination d_carbon and not in default destination /var/log/syslog, that's why we added the final flag.
Because the final pillar (concatenation of all pillar files) contains the base one first and the service one then, the syslog-ng configuration file /etc/syslog-ng/syslog-ng.conf contains first the rule to send all to /var/log/syslog and then the rule to send to /var/log/carbon.log. It does not work as wanted, but it's is expected because items in "log" pillar are ordered.
It could be interesting to have a way to order log rules, so that this setup can work with complex setups including multiple pillar files.