Hello,

I have a simple rule tree:

    <rule id="100101" level="2">
        <if_sid>1</if_sid>
        <match>[rsyslog-pri 0]|[rsyslog-pri 1]|[rsyslog-pri 2]|[rsyslog-pri 3]</match>
        <group>high_lvl_syslog,</group>
        <description>Unspecified err, crit, alert or emerg syslog event.</description>
    </rule>

    <rule id="100111" level="12">
        <if_sid>100101</if_sid>
        <match>Aasdfkljasdklfjasdss</match>
        <description>Ignoring asdfasdfa.</description>
        <group>high_lvl_syslog_ignore</group>
    </rule>

    <rule id="100112" level="12">
        <if_sid>100101</if_sid>
        <match>Assuming drive cache</match>
        <description>Ignoring known high level alerts.</description>
        <group>high_lvl_syslog_ignore</group>
    </rule>

and it works, e.g.:

2012-04-19T13:53:02+03:00 158.129.128.243 kernel: [7329650.152821] sd 26:0:0:0: [sdc] Assuming drive cache: write through [rsyslog-pri 3]

    Trying rule: 5903 - Group (or user) deleted from the system
    Trying rule: 100101 - Unspecified err, crit, alert or emerg syslog event.
       *Rule 100101 matched.
       *Trying child rules.
    Trying rule: 100111 - Ignoring asdfasdfa.
    Trying rule: 100112 - Ignoring known high level alerts.
       *Rule 100112 matched.
**Phase 3: Completed filtering (rules).
       Rule id: '100112'
       Level: '12'
       Description: 'Ignoring known high level alerts.'

*The problem*: if I change the <rule id="100111"> level to anything from 1 through 11, that rule doesn't get checked at all:

    <rule id="100111" level="5">
        <if_sid>100101</if_sid>
        <match>Aasdfkljasdklfjasdss</match>
        <description>Ignoring asdfasdfa.</description>
        <group>high_lvl_syslog_ignore</group>
    </rule>

    Trying rule: 5903 - Group (or user) deleted from the system
    Trying rule: 100101 - Unspecified err, crit, alert or emerg syslog event.
       *Rule 100101 matched.
       *Trying child rules.
    Trying rule: 100112 - Ignoring known high level alerts.
       *Rule 100112 matched.
**Phase 3: Completed filtering (rules).
       Rule id: '100112'
       Level: '12'
       Description: 'Ignoring known high level alerts.'

What am I missing here?

Thank you.
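The two ossec-logtest traces above can be reproduced with a small simulator of the rule walk. This is an added example, not code from the post or from OSSEC itself. It assumes that OSSEC tries the child rules of a matched parent in descending <level> order (rules with equal level keep file order) and stops at the first child that matches; <match> is modelled as a plain substring test with `|` as OR, and a stand-in rule 1 plays the built-in syslog root that 100101 hangs off via <if_sid>. The rules and the log line are copied from the post.

```python
# Added example (not part of the original post, not OSSEC code): simulate how
# a rule tree is walked, to reproduce both ossec-logtest traces in the post.
# ASSUMPTION: children of a matched parent are tried highest <level> first
# (ties keep file order) and the walk stops at the first child that matches.
# <match> is simplified to a substring test with '|' as OR.
import xml.etree.ElementTree as ET

# Constructed copy of the rules from the post. Rule 1 is a stand-in for the
# built-in syslog root rule that 100101 references through <if_sid>.
RULES_XML = """<group name="local,">
  <rule id="1" level="0"><description>Syslog root (stand-in).</description></rule>
  <rule id="100101" level="2">
    <if_sid>1</if_sid>
    <match>[rsyslog-pri 0]|[rsyslog-pri 1]|[rsyslog-pri 2]|[rsyslog-pri 3]</match>
    <description>Unspecified err, crit, alert or emerg syslog event.</description>
  </rule>
  <rule id="100111" level="{lvl}">
    <if_sid>100101</if_sid>
    <match>Aasdfkljasdklfjasdss</match>
    <description>Ignoring asdfasdfa.</description>
  </rule>
  <rule id="100112" level="12">
    <if_sid>100101</if_sid>
    <match>Assuming drive cache</match>
    <description>Ignoring known high level alerts.</description>
  </rule>
</group>"""

# Constructed sample event, copied from the post.
LOG = ("2012-04-19T13:53:02+03:00 158.129.128.243 kernel: [7329650.152821] sd "
       "26:0:0:0: [sdc] Assuming drive cache: write through [rsyslog-pri 3]")


def load_rules(xml_text):
    """Parse every <rule> into a dict keyed by id, preserving file order."""
    rules = {}
    for r in ET.fromstring(xml_text).iter("rule"):
        rules[r.get("id")] = {
            "id": r.get("id"),
            "level": int(r.get("level")),
            "if_sid": r.findtext("if_sid"),
            "match": r.findtext("match"),
            "desc": r.findtext("description"),
        }
    return rules


def children_of(rules, parent_id):
    """Children of parent_id, highest level first (assumed OSSEC ordering).
    sorted() is stable, so siblings with equal level keep file order."""
    kids = [r for r in rules.values() if r["if_sid"] == parent_id]
    return sorted(kids, key=lambda r: -r["level"])


def rule_matches(rule, log):
    """Simplified <match>: any '|'-separated alternative found as a substring."""
    if rule["match"] is None:
        return True
    return any(alt in log for alt in rule["match"].split("|"))


def evaluate(rules, log, root_id="1"):
    """Walk the tree from root_id; return (ids tried, final matched rule)."""
    tried = []
    matched = rules[root_id] if rule_matches(rules[root_id], log) else None
    while matched is not None:
        next_match = None
        for child in children_of(rules, matched["id"]):
            tried.append(child["id"])          # this is what "Trying rule:" prints
            if rule_matches(child, log):
                next_match = child
                break                          # later siblings are never tried
        if next_match is None:
            break
        matched = next_match
    return tried, matched


def run(level_100111):
    """Evaluate LOG with rule 100111 set to the given level."""
    rules = load_rules(RULES_XML.format(lvl=level_100111))
    return evaluate(rules, LOG)


if __name__ == "__main__":
    for lvl in (12, 5):
        tried, hit = run(lvl)
        print(f"100111 at level {lvl}: tried {tried}, "
              f"final rule {hit['id']} (level {hit['level']})")
```

With 100111 at level 12 the simulator tries 100101, 100111, 100112 and ends on 100112; with 100111 at level 5 it tries 100101, 100112 and ends on 100112 without ever reaching 100111, which is exactly the pair of traces in the post. Under the stated assumption, the only way to have 100111 tried before 100112 is to give it a level at least as high as its sibling.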
