> -----Original Message-----
> From: [email protected] [mailto:rsyslog-[email protected]] On Behalf Of Max Gao
> Sent: Wednesday, November 21, 2012 11:30 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] How to write to same file under different filter conditions
>
> Hi, Rainer
>
> I upgraded to 5.10.1, but it doesn't help, just the same.
> I will try a 6/7 version later, but I don't know whether that needs a config file update.
That would be excellent. I suggest v7.2.3, which will be released within the next two hours. The old config format is still fully supported.

>
> And can I use the OR EXPRESSION in the config file like:
>
> :rawmsg, contains, "INFO|CHAT|DLL_MD5" or "INFO|CHAT|LOGIN" -?DynFile;MyFileFormat

That's not possible with property-based filters. But you can do (NOT syntax checked!):

    if $rawmsg contains 'INFO|CHAT|DLL_MD5' or $rawmsg contains 'INFO|CHAT|LOGIN' then -?DynFile;MyFileFormat

This works in v5 as well, but is considerably slower than in v7 or the expression-based filter. In v7, it can be written even more compact and with a bit of performance improvement:

    if $rawmsg contains ['INFO|CHAT|DLL_MD5','INFO|CHAT|LOGIN'] then -?DynFile;MyFileFormat

Within the braces you have an array of strings to test. If one fits, the expression evaluates to true, so it is an implicit "or". Note that in v7, all operations are Boolean shortcuts, so the first fit terminates the expression evaluation (v5 always does a full evaluation).

Note that in v5 everything must be on one line. In v7, this is irrelevant.

HTH
Rainer

>
> Thanks.
>
> > Hi, all
> >
> > I am using rsyslog 5.8.13 under CentOS 5.8, with the config like below:
> >
> > $OMFileAsyncWriting on
> > $OMFileFlushOnTXEnd off
> > $OMFileFlushInterval 30
> > $OMFileZipLevel 9
> > $OMFileIOBufferSize 256k
> >
> > $template MyFileFormat,"%timegenerated:::date-rfc3339% %fromhost-ip% %rawmsg%\n"
> > $template DynFile,"/home/rsyslog/logs/chat.%$now%.%$hour%.log.gz"
> >
> > :rawmsg, contains, "INFO|CHAT|DLL_MD5" -?DynFile;MyFileFormat
> > & ~
> > :rawmsg, contains, "INFO|CHAT|LOGIN" -?DynFile;MyFileFormat
> > & ~
> >
> > I use OMFileZipLevel and OMFileIOBufferSize because the log is very large.
> >
> > But I am encountering a problem: some messages in the DynFile get mixed together in one line, like:
> >
> > 2012-11-20T23:00:18.079471+08:00 114.113.197.94 <134>Nov 20 23:00:18 xx74-158 xx_202[914]: [103991]INFO|CHAT|DLL_MD5,,xxxxx,,712970202,,ntdll.dll|c30a91ade8c9cb91e4281ec83c4500c6;kernel32.dll|e570cb2012-11-20T23:00:00.058220+08:00 11.11.19.93 <134>Nov 20 23:00:00 xx186-155 xx_211[4146]:[103991]INFO|CHAT|LOGIN,,xxxxx,,985440211,,8.24.28.15,,51,,3172303-123928576,,ST500DM002-1BD142-W2A1EZDK,,2bba83a20faded52cf782c4917991024,,fcb7cd8a0b1ab25e2656261f7785172e,,bff0b3e2bb5d19adc87d4041b38299ec,0,,0,0,0,,0
> >
> > I checked the output file and found that rsyslog seems to be using two threads to write to the same DynFile.
> > Thread one handles the ':rawmsg, contains, "INFO|CHAT|DLL_MD5" ' condition and has a 256k buffer.
> > Thread two handles the ':rawmsg, contains, "INFO|CHAT|LOGIN" ' condition and has another 256k buffer.
> >
> > This problem happens when thread one flushes its buffer to the file
> > and thread two flushes its buffer later;
> > then this mix will show up between the two flushes.
> >
> > I think the buffer is counted exactly in bytes,
> > not considering messages,
> > so this is the right behavior it should be.
> >
> > But how can I fix this problem?
> That is probably a bug in that (old) version. I suggest to upgrade to a supported version (or at least 5.10.1) and see if the problem persists. I think I remember this problem, but not sure.
> Rainer
> > Is it possible to configure rsyslog to use one thread for the same file?
> > Or how can I use the OR EXPRESSION in the config file like:
> >
> > :rawmsg, contains, "INFO|CHAT|DLL_MD5" or "INFO|CHAT|LOGIN" -?DynFile;MyFileFormat
> >
> > Thanks for your help.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
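Added example (not part of the original thread and not rsyslog project code): a Python check for the symptom reported above, run over an output file to confirm whether records are still being merged after an upgrade or filter change. It assumes the MyFileFormat layout from the thread (RFC 3339 timestamp, IPv4 sender address, raw message); the function names and sample lines are constructed for illustration.

```python
import gzip
import re

# Record header written by the thread's MyFileFormat template:
# "%timegenerated:::date-rfc3339% %fromhost-ip% " (IPv4 sender assumed).
HEADER = re.compile(
    r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2}) "
    r"(?:\d{1,3}\.){3}\d{1,3} "
)


def find_merged_records(lines):
    """Return [(line_no, header_offsets)] for lines that are not exactly one record.

    A healthy line has a single header at offset 0. More than one header means
    two records were written into one line; no header at offset 0 means the
    line is the orphaned tail of a record that was cut by another write.
    """
    findings = []
    for line_no, line in enumerate(lines, start=1):
        text = line.rstrip("\n")
        if not text:
            continue
        offsets = [m.start() for m in HEADER.finditer(text)]
        if offsets != [0]:
            findings.append((line_no, offsets))
    return findings


def scan_gzip_log(path):
    """Scan one compressed output file (hypothetical helper name)."""
    with gzip.open(path, "rt", encoding="utf-8", errors="replace") as fh:
        return find_merged_records(fh)


# Constructed sample lines, shortened from the pattern shown in the thread.
SAMPLE = [
    "2012-11-20T23:00:17.000001+08:00 192.0.2.10 <134>Nov 20 23:00:17 hostA app[914]: [1]INFO|CHAT|LOGIN,,user1",
    "2012-11-20T23:00:18.079471+08:00 192.0.2.10 <134>Nov 20 23:00:18 hostA app[914]: [1]INFO|CHAT|DLL_MD5,,ntdll.dll|c30a"
    "2012-11-20T23:00:00.058220+08:00 192.0.2.11 <134>Nov 20 23:00:00 hostB app[4146]:[1]INFO|CHAT|LOGIN,,user2",
    "91ade8;kernel32.dll|e570cb",
]

if __name__ == "__main__":
    for line_no, offsets in find_merged_records(SAMPLE):
        print(f"line {line_no}: record headers at offsets {offsets}")
```

A raw message that itself embeds an RFC 3339 timestamp followed by an IPv4 address would be reported as a merge, so review findings against the source before treating the file as damaged.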

