32

I set up haproxy logging via rsyslogd using the tips from this article, and everything seems to be working fine. The log files get the log messages.

However, every log message from haproxy also shows up at /var/log/syslog. This means that once the server goes live, the syslog will be quite useless, as it will be run over with haproxy log messages.

I would like to filter out those messages from /var/log/syslog. After going over the rsyslogd documentation, I tried to change the file /etc/rsyslog.d/50-default.conf thus:

    *.*;auth,authpriv.none;haproxy.none     -/var/log/syslog

I simply added the ;haproxy.none part. After restarting rsyslogd it stopped working completely until I reverted my changes.

What am I doing wrong?

itsadok

5 Answers

31

You could also do the following which will make it so they don't go in any other logs:

    local0.*                        -/var/log/haproxy.log
    & ~

The & ~ means not to put what matched in the above line anywhere else for the rest of the rules.

Kyle Brandt
  • Thanks. This does seem to make more sense than having to edit the main configuration. – itsadok Dec 21 '10 at 09:03
  • 14
    Worth noting that if you do this, your local0.* line *must* be processed before the "*.*" line in /etc/rsyslog.d/50-default.conf. I created a file called /etc/rsyslog.d/haproxy.conf to contain my haproxy-specific logging config, but it logged to syslog despite having a "& ~" at the end. This is because (of course) 50-default.conf is loaded before haproxy.conf so the catchall "*.*" was matched before my "local0.*" line. The solution was to rename my haproxy-specific file to /etc/rsyslog.d/49-haproxy.conf – Giles Thomas Nov 16 '12 at 15:57
  • 2
    FYI a small update `rsyslogd-2307: warning: ~ action is deprecated, consider using the 'stop' statement instead [try http://www.rsyslog.com/e/2307 ]` – KCD Apr 15 '15 at 04:04
  • This discusses the use of `& stop` instead of `& ~`: http://www.rsyslog.com/doc/v8-stable/compatibility/v7compatibility.html. – slm Aug 31 '15 at 17:44
14

The use of & ~ was deprecated in v7 of rsyslogd, and you're encouraged to use & stop instead. You can read more about it in this section of the v7compatibility page.

omruleset and discard (~) action are deprecated

Both continue to work, but have been replaced by better alternatives.

The discard action (tilde character) has been replaced by the “stop” RainerScript directive. It is considered more intuitive and offers slightly better performance.

The omruleset module has been replaced by the “call” RainerScript directive. Call permits to execute a ruleset like a subroutine, and does so with much higher performance than omruleset did. Note that omruleset could be run off an async queue. This was more a side than a desired effect and is not supported by the call statement. If that effect was needed, it can simply be simulated by running the called rulesets actions asynchronously (what in any case is the right way to handle this).

Note that the deprecated modules emit warning messages when being used. They tell that the construct is deprecated and which statement is to be used as replacement. This does not affect operations: both modules are still fully operational and will not be removed in the v7 timeframe.

So for HAProxy something like this instead:

    $ more /etc/rsyslog.d/haproxy.conf
    local2.*    /var/log/haproxy.log
    & stop

As to how it works, the & stop tells rsyslogd to discard any additional messages that matched the previously matched rules up to this point. To guarantee that this rule is picked up early on, you can change the name of the file from /etc/rsyslog.d/haproxy.conf to /etc/rsyslog.d/00-haproxy.conf.

slm
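The load-order and deprecation points from the answers and comments above, turned into a check that can be run over an rsyslog.d directory. This is an added example, not code from any of the posters: the function names, verdict strings and sample files are made up for illustration, and it assumes drop-ins are read in byte-wise file-name order.

```shell
#!/bin/sh
# Added example: report whether a facility's "& stop" rule is read before the
# wildcard selector that feeds /var/log/syslog.

# check_stop_order DIR FACILITY -> prints "<verdict> <file>"
#   ok     stop rule is read before any wildcard (*.something) selector
#   leaks  a wildcard selector is read first, so it also logs the messages
#   "+deprecated" is appended when the rule still uses "& ~"
check_stop_order() {
    dir=$1 facility=$2
    # Assumption: drop-ins are read in byte-wise file-name order, and the
    # names contain no whitespace.
    files=$(ls "$dir" | grep '\.conf$' | LC_ALL=C sort | sed "s|^|$dir/|")
    [ -n "$files" ] || { echo "no-config"; return 0; }
    awk -v fac="$facility" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments, blank lines
        /^\*\./ && !wild { wild = 1 }                 # first wildcard selector
        prev && /^&[ \t]*(stop|~)[ \t]*$/ {
            verdict = wild ? "leaks" : "ok"
            if ($0 ~ /~/) verdict = verdict "+deprecated"
            n = split(FILENAME, part, "/")
            print verdict, part[n]; found = 1; exit
        }
        { prev = (index($1, fac ".") == 1) }          # e.g. "local0.*"
        END { if (!found) print "no-stop-rule" }
    ' $files
}

# Constructed sample: the layout described in the comments (file contents
# invented for the demo, written to a temporary directory).
make_sample() {
    mkdir -p "$1"
    printf '%s\n' '*.*;auth,authpriv.none  -/var/log/syslog' > "$1/50-default.conf"
    printf '%s\n' 'local0.*  -/var/log/haproxy.log' "& $3" > "$1/$2"
}

demo=$(mktemp -d)
make_sample "$demo/a" haproxy.conf '~'        # loads after 50-default.conf
make_sample "$demo/b" 49-haproxy.conf stop    # loads before it
check_stop_order "$demo/a" local0             # leaks+deprecated haproxy.conf
check_stop_order "$demo/b" local0             # ok 49-haproxy.conf
rm -rf "$demo"
```

Point it at a copy of /etc/rsyslog.d with the facility your haproxy.cfg logs to; a "leaks" verdict means proxy traffic is still being written to the general syslog file.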
3

Ok, I figured it out. This is what my /etc/rsyslog.d/20-haproxy.conf looks like:

    $ModLoad imudp
    $UDPServerRun 514

    local0.* -/var/log/haproxy_0.log
    local1.* -/var/log/haproxy_1.log

I changed the line in 50-default.conf to:

    *.*;auth,authpriv,local0,local1.none     -/var/log/syslog

And now it seems to be doing what I want.

itsadok
  • 1
    It's generally preferable to NOT modify config files created by other packages as it creates upgrade/ownership problems. If this is a one-off snowflake server, fine whatever, but for automated deployments, modifying 50-default.conf is generally a "bad thing". – Bruce Edge Dec 20 '16 at 17:44
2

There is a better solution for haproxy logging.

  • HAproxy runs in a chroot, so it can't access /dev/log
  • According to the official manual, rsyslog needs to be configured to listen to the network socket:

    # to have these messages end up in /var/log/haproxy.log you will
    # need to:
    #
    # 1) configure syslog to accept network log events.  This is done
    #    by adding the '-r' option to the SYSLOGD_OPTIONS in
    #    /etc/sysconfig/syslog
    #
    # 2) configure local2 events to go to the /var/log/haproxy.log
    #   file. A line like the following can be added to
    #   /etc/sysconfig/syslog
    

But you can use only rsyslog sockets for that:

rsyslog.d/haproxy.conf:

    # HAproxy local socket
    $AddUnixListenSocket /var/lib/haproxy/dev/log
    :programname, contains, "haproxy" /var/log/haproxy.log
    & stop

haproxy.cfg:

    global
          log         /dev/log daemon
          chroot      /var/lib/haproxy
          .......
user320813
1

I prefer not to mess with the ordering of the file, so instead I add a local0.none to the . line entry. Config looks like:

    *.info;mail.none;authpriv.none;cron.none;local2.none     /var/log/messages

    local2.*                                                 /var/log/haproxy.log

(Tested on CentOS 7)

Hope that helps!

mgna20