Hey,

It doesn't get checked, because it will try the rule 100112 first (which would have a high severity) and matches the event.

Internally, it organizes the sub rules in order of severity, so it always tries the high severity ones first, followed by the others (level 0 is also the first to be checked). Makes sense?

Thanks,

--
Daniel B. Cid
http://dcid.me

On Fri, Apr 27, 2012 at 10:49 AM, ignasr <ign...@vault13.lt> wrote:
> Hello,
>
> I have a simple rule tree:
>
> <rule id="100101" level="2">
>   <if_sid>1</if_sid>
>   <match>[rsyslog-pri 0]|[rsyslog-pri 1]|[rsyslog-pri 2]|[rsyslog-pri 3]</match>
>   <group>high_lvl_syslog,</group>
>   <description>Unspecified err, crit, alert or emerg syslog event.</description>
> </rule>
>
> <rule id="100111" level="12">
>   <if_sid>100101</if_sid>
>   <match>Aasdfkljasdklfjasdss</match>
>   <description>Ignoring asdfasdfa.</description>
>   <group>high_lvl_syslog_ignore</group>
> </rule>
>
> <rule id="100112" level="12">
>   <if_sid>100101</if_sid>
>   <match>Assuming drive cache</match>
>   <description>Ignoring known high level alerts.</description>
>   <group>high_lvl_syslog_ignore</group>
> </rule>
>
> and it works, ex:
>
> 2012-04-19T13:53:02+03:00 158.129.128.243 kernel: [7329650.152821] sd 26:0:0:0: [sdc] Assuming drive cache: write through [rsyslog-pri 3]
>
> Trying rule: 5903 - Group (or user) deleted from the system
> Trying rule: 100101 - Unspecified err, crit, alert or emerg syslog event.
> *Rule 100101 matched.
> *Trying child rules.
> Trying rule: 100111 - Ignoring asdfasdfa.
> Trying rule: 100112 - Ignoring known high level alerts.
> *Rule 100112 matched.
> **Phase 3: Completed filtering (rules).
> Rule id: '100112'
> Level: '12'
> Description: 'Ignoring known high level alerts.'
>
> The problem: if I change <rule id="100111"> level to 1 through 11, that rule doesn't get checked at all:
>
> <rule id="100111" level="5">
>   <if_sid>100101</if_sid>
>   <match>Aasdfkljasdklfjasdss</match>
>   <description>Ignoring asdfasdfa.</description>
>   <group>high_lvl_syslog_ignore</group>
> </rule>
>
> Trying rule: 5903 - Group (or user) deleted from the system
> Trying rule: 100101 - Unspecified err, crit, alert or emerg syslog event.
> *Rule 100101 matched.
> *Trying child rules.
> Trying rule: 100112 - Ignoring known high level alerts.
> *Rule 100112 matched.
> **Phase 3: Completed filtering (rules).
> Rule id: '100112'
> Level: '12'
> Description: 'Ignoring known high level alerts.'
>
> What am I missing here?
>
> Thank you.
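To make the ordering Daniel describes concrete, here is a small Python model of child-rule evaluation, written for this thread rather than taken from OSSEC's source. It assumes the order he states (level 0 first, then higher levels before lower ones, stop at the first child that matches) plus one assumption taken from the trace above: children with equal level keep their file order, which is why 100111 was tried before 100112 when both were level 12. `<match>` is modelled as a plain substring test with `|` as OR; the rule tree, rule helper names and log lines are constructed for the example.

```python
"""Toy model of OSSEC child-rule ordering (added example, not OSSEC code).

Assumptions, per the thread: when a parent rule matches, its children are
tried level 0 first, then from highest level down, and evaluation stops at
the first child that matches. Children with the same level are assumed to
keep the order in which they appear in the rules file.
"""
from dataclasses import dataclass, field


@dataclass
class Rule:
    id: int
    level: int
    match: str            # OSSEC <match>: substrings separated by '|' (OR)
    description: str
    children: list = field(default_factory=list)

    def matches(self, log: str) -> bool:
        # Simplified <match>: true if any '|'-separated alternative is a substring
        return any(alt in log for alt in self.match.split("|"))


def child_order(rules):
    """Order children the way the thread describes: level 0 first,
    then descending level; stable sort keeps file order on ties."""
    return sorted(rules, key=lambda r: (r.level != 0, -r.level))


def evaluate(rule, log, trace):
    """Try `rule`, then its children in child_order(); return the deepest
    matching rule or None. `trace` records every rule id that was tried,
    mirroring the 'Trying rule:' lines of ossec-logtest."""
    trace.append(rule.id)
    if not rule.matches(log):
        return None
    for child in child_order(rule.children):
        hit = evaluate(child, log, trace)
        if hit is not None:
            return hit      # first matching child wins; later siblings never run
    return rule


def build_tree(level_100111):
    """The rule tree from the question, with 100111's level as a parameter."""
    parent = Rule(
        100101, 2,
        "[rsyslog-pri 0]|[rsyslog-pri 1]|[rsyslog-pri 2]|[rsyslog-pri 3]",
        "Unspecified err, crit, alert or emerg syslog event.",
    )
    parent.children = [
        Rule(100111, level_100111, "Aasdfkljasdklfjasdss", "Ignoring asdfasdfa."),
        Rule(100112, 12, "Assuming drive cache", "Ignoring known high level alerts."),
    ]
    return parent


def run(level_100111, log):
    """Return (ids tried in order, id of the rule that finally matched)."""
    trace = []
    hit = evaluate(build_tree(level_100111), log, trace)
    return trace, (hit.id if hit else None)


# Constructed log lines modelled on the thread's event format
DRIVE_CACHE = ("kernel: [7329650.152821] sd 26:0:0:0: [sdc] "
               "Assuming drive cache: write through [rsyslog-pri 3]")
OTHER_EVENT = "kernel: Aasdfkljasdklfjasdss [rsyslog-pri 2]"

if __name__ == "__main__":
    for lvl in (12, 5):
        print(f"100111 at level {lvl}, drive-cache event:", run(lvl, DRIVE_CACHE))
    print("100111 at level 5, other event:         ", run(5, OTHER_EVENT))
```

With both children at level 12 the model reproduces the first trace (100111 tried, then 100112 matches). With 100111 at level 5 it is sorted behind 100112, which matches and ends evaluation, so 100111 never shows up as "Trying rule" for that event. The third call shows the rule is not dead: for an event that only 100111 matches, it is still reached, just after 100112 has been tried and rejected.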