hi, Rainer
i upgrade to v7.2.3, and the problem still exist....
with the same config , it only happen between two flush ,
and only affect the last message of each flush,
i think that's because every flush while the buffer is full ,
but at the end of the buffer, that's not one complete message.
and then aother thead flush its data into the same file,
so it looks like the last message is mixed by the first message of
another thread...
is there some way to fix in property-based filters?
and find some probleam with 7.2.3:
runtime/.libs/librsyslog.la line 41 , missing dependency_libs '-lz'
,will lead to link failure with zlib.
while i start the rsyslog with
./sbin/rsyslogd -x -4 -f ./rsyslog.conf -i ./rsyslog.pid
it won't go to background , as like the -d option used.
2012/11/21 Rainer Gerhards <[email protected]>
> > -----Original Message-----
> > From: [email protected] [mailto:rsyslog-
> > [email protected]] On Behalf Of Max Gao
> > Sent: Wednesday, November 21, 2012 11:30 AM
> > To: rsyslog-users
> > Subject: Re: [rsyslog] How to write to same file under different filter
> > conditions
> >
> > hi, Rainer
> >
> > i upgrade to 5.10.1 , but it doesn't help, just the same.
> > i will try 6/7 version later, but i don't know is that need a
> > config
> > file update.
>
> That would be excellent. I suggest v7.2.3, which will be released within
> the next two hours.
>
> The old config format is still fully supported.
> >
> > and can i use the OR EXPRESSION in the config file like:
> >
> > :rawmsg, contains, "INFO|CHAT|DLL_MD5" or "INFO|CHAT|LOGIN"
> > -?DynFile;MyFileFormat
>
> That's not possible with property-based filters. But you can do (NOT
> syntax checked!):
>
> if $rawmsg contains 'INFO|CHAT|DLL_MD5' or $rawmsg contains
> 'INFO|CHAT|LOGIN' then -?DynFile;MyFileFormat
>
> This works in v5 as well, but is considerably slower than in v7 or the
> expression-based filter.
>
> In v7, it can be written even more compact and with a bit of performance
> improvement:
>
> if $rawmsg contains ['INFO|CHAT|DLL_MD5','INFO|CHAT|LOGIN'] then
> -?DynFile;MyFileFormat
>
> Within the braces you have an array of strings to test. If one fits, the
> expression evaluates to true, so it is an implicit "or". Note that in v7,
> all operations are Boolean shortcuts, so the first fit terminates the
> expression evaluation (v5 always does a full evaluation).
>
> Note that in v5 everything must be on one line. In v7, this is irrelevant.
>
> HTH
> Rainer
>
> >
> > thanks.
> >
> > > hi,all
> > >
> > > i am using rsyslog 5.8.13 under centos 5.8, with the config like
> > > below:
> > >
> > > $OMFileAsyncWriting on
> > > $OMFileFlushOnTXEnd off
> > > $OMFileFlushInterval 30
> > > $OMFileZipLevel 9
> > > $OMFileIOBufferSize 256k
> > >
> > > $template MyFileFormat,"%timegenerated:::date-rfc3339% %fromhost-ip%
> > > %rawmsg%\n"
> > > $template DynFile,"/home/rsyslog/logs/chat.%$now%.%$hour%.log.gz"
> > >
> > > :rawmsg, contains, "INFO|CHAT|DLL_MD5" -?DynFile;MyFileFormat
> > > & ~
> > > :rawmsg, contains, "INFO|CHAT|LOGIN" -?DynFile;MyFileFormat
> > > & ~
> > >
> > > i use OMFileZipLevel and OMFileIOBufferSize because the log is very
> > > large.
> > >
> > > but i am countering a problem that some messages in the DynFilewill
> > > mixed
> > > together in one line like :
> > >
> > > 2012-11-20T23:00:18.079471+08:00 114.113.197.94 <134>Nov 20 23:00:18
> > > xx74-158 xx_202[914]:
> > >
> > [103991]INFO|CHAT|DLL_MD5,,xxxxx,,712970202,,ntdll.dll|c30a91ade8c9cb91
> > > e4281ec83c4500c6;kernel32.dll|e570cb2012-11-20T23:00:00.058220+08:00
> > > 11.11.19.93 <134>Nov 20 23:00:00 xx186-155
> > >
> > xx_211[4146]:[103991]INFO|CHAT|LOGIN,,xxxxx,,985440211,,8.24.28.15,,51,
> > > ,3172303-123928576,,ST500DM002-1BD142-
> > >
> > W2A1EZDK,,2bba83a20faded52cf782c4917991024,,fcb7cd8a0b1ab25e2656261f778
> > > 5172e,,bff0b3e2bb5d19adc87d4041b38299ec,0,,0,0,0,,0
> > >
> > >
> > > i check the output file and found that rsyslog seems using two
> > threads
> > > write to the same DynFile.
> > > thread one handles ':rawmsg, contains, "INFO|CHAT|DLL_MD5" '
> > condition
> > > and
> > > has a 256k buffer.
> > > thread two handles ':rawmsg, contains, "INFO|CHAT|LOGIN" ' condition
> > > and
> > > has another 256k buffer.
> > >
> > > this problem happens when thread one flush the buffer to file ,
> > > and thread two flush its buffer later,
> > > then this mix will show upbetween the two flushes.
> > >
> > > i think the buffer is count exactly by bytes,
> > > but not consideringmessage,
> > > so this is the right behavior it should be.
> > >
> > > but how can i fix this problem?
> > That is probably a bug in that (old) version. I suggest to upgrade to
> > a
> > supported version (or at least 5.10.1) and see if the problem persists.
> > I
> > think I remember this problem, but not sure.
> > Rainer
> > > is it possible to config rsyslog using one thread for the same file?
> > > or how can i use the OR EXPRESSION in the config file like:
> > >
> > > :rawmsg, contains, "INFO|CHAT|DLL_MD5" or "INFO|CHAT|LOGIN"
> > > -?DynFile;MyFileFormat
> > >
> > > thanks for your help.
> > > _______________________________________________
> > > rsyslog mailing list
> > > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > > http://www.rsyslog.com/professional-services/
> > > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> > > myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT
> > POST
> > > if you DON'T LIKE THAT.
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> > myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST
> > if you DON'T LIKE THAT.
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
>
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
