> -----Original Message----- > From: [email protected] [mailto:rsyslog- > [email protected]] On Behalf Of Max Gao > Sent: Wednesday, November 21, 2012 1:28 PM > To: rsyslog-users > Subject: Re: [rsyslog] How to write to same file under different filter > conditions > > hi, Rainer > > i upgrade to v7.2.3, and the problem still exist.... > with the same config , it only happen between two flush , > and only affect the last message of each flush, > i think that's because every flush while the buffer is full , > but at the end of the buffer, that's not one complete message. > and then aother thead flush its data into the same file, > so it looks like the last message is mixed by the first message of > another thread...
Args, sorry, I have not looked closely enough. You described the situation very well in the initial post, but I failed to realize that two different actions are used. Yup, that does not work with buffered mode. Sorry I overlooked that :-( Some time in the v7 time frame, we'll go to a consolidate file stream cache, then the root problem will go away. But there are many implications, e.g. the need for global locks, which we do not want. > > is there some way to fix in property-based filters? No, but why use them when you have upgraded to v7 in any case. The config snippet I posted does not have this problem, because it uses only a single action. There are other solutions, but those are hackish... > > > and find some probleam with 7.2.3: > runtime/.libs/librsyslog.la line 41 , missing dependency_libs '- > lz' > ,will lead to link failure with zlib. > > while i start the rsyslog with > ./sbin/rsyslogd -x -4 -f ./rsyslog.conf -i ./rsyslog.pid > it won't go to background , as like the -d option used. Just to double-check: have you set any debug options in the environment. In any case, I'll have a look at this. Could you file a bug? Rainer > > > 2012/11/21 Rainer Gerhards <[email protected]> > > > > -----Original Message----- > > > From: [email protected] [mailto:rsyslog- > > > [email protected]] On Behalf Of Max Gao > > > Sent: Wednesday, November 21, 2012 11:30 AM > > > To: rsyslog-users > > > Subject: Re: [rsyslog] How to write to same file under different > filter > > > conditions > > > > > > hi, Rainer > > > > > > i upgrade to 5.10.1 , but it doesn't help, just the same. > > > i will try 6/7 version later, but i don't know is that need a > > > config > > > file update. > > > > That would be excellent. I suggest v7.2.3, which will be released > within > > the next two hours. > > > > The old config format is still fully supported. > > > > > > and can i use the OR EXPRESSION in the config file like: > > > > > > :rawmsg, contains, "INFO|CHAT|DLL_MD5" or "INFO|CHAT|LOGIN" > > > -?DynFile;MyFileFormat > > > > That's not possible with property-based filters. But you can do (NOT > > syntax checked!): > > > > if $rawmsg contains 'INFO|CHAT|DLL_MD5' or $rawmsg contains > > 'INFO|CHAT|LOGIN' then -?DynFile;MyFileFormat > > > > This works in v5 as well, but is considerably slower than in v7 or > the > > expression-based filter. > > > > In v7, it can be written even more compact and with a bit of > performance > > improvement: > > > > if $rawmsg contains ['INFO|CHAT|DLL_MD5','INFO|CHAT|LOGIN'] then > > -?DynFile;MyFileFormat > > > > Within the braces you have an array of strings to test. If one fits, > the > > expression evaluates to true, so it is an implicit "or". Note that in > v7, > > all operations are Boolean shortcuts, so the first fit terminates the > > expression evaluation (v5 always does a full evaluation). > > > > Note that in v5 everything must be on one line. In v7, this is > irrelevant. > > > > HTH > > Rainer > > > > > > > > thanks. > > > > > > > hi,all > > > > > > > > i am using rsyslog 5.8.13 under centos 5.8, with the config like > > > > below: > > > > > > > > $OMFileAsyncWriting on > > > > $OMFileFlushOnTXEnd off > > > > $OMFileFlushInterval 30 > > > > $OMFileZipLevel 9 > > > > $OMFileIOBufferSize 256k > > > > > > > > $template MyFileFormat,"%timegenerated:::date-rfc3339% %fromhost- > ip% > > > > %rawmsg%\n" > > > > $template DynFile,"/home/rsyslog/logs/chat.%$now%.%$hour%.log.gz" > > > > > > > > :rawmsg, contains, "INFO|CHAT|DLL_MD5" -?DynFile;MyFileFormat > > > > & ~ > > > > :rawmsg, contains, "INFO|CHAT|LOGIN" -?DynFile;MyFileFormat > > > > & ~ > > > > > > > > i use OMFileZipLevel and OMFileIOBufferSize because the log is > very > > > > large. > > > > > > > > but i am countering a problem that some messages in the > DynFilewill > > > > mixed > > > > together in one line like : > > > > > > > > 2012-11-20T23:00:18.079471+08:00 114.113.197.94 <134>Nov 20 > 23:00:18 > > > > xx74-158 xx_202[914]: > > > > > > > > [103991]INFO|CHAT|DLL_MD5,,xxxxx,,712970202,,ntdll.dll|c30a91ade8c9cb91 > > > > e4281ec83c4500c6;kernel32.dll|e570cb2012-11- > 20T23:00:00.058220+08:00 > > > > 11.11.19.93 <134>Nov 20 23:00:00 xx186-155 > > > > > > > > xx_211[4146]:[103991]INFO|CHAT|LOGIN,,xxxxx,,985440211,,8.24.28.15,,51, > > > > ,3172303-123928576,,ST500DM002-1BD142- > > > > > > > > W2A1EZDK,,2bba83a20faded52cf782c4917991024,,fcb7cd8a0b1ab25e2656261f778 > > > > 5172e,,bff0b3e2bb5d19adc87d4041b38299ec,0,,0,0,0,,0 > > > > > > > > > > > > i check the output file and found that rsyslog seems using two > > > threads > > > > write to the same DynFile. > > > > thread one handles ':rawmsg, contains, "INFO|CHAT|DLL_MD5" ' > > > condition > > > > and > > > > has a 256k buffer. > > > > thread two handles ':rawmsg, contains, "INFO|CHAT|LOGIN" ' > condition > > > > and > > > > has another 256k buffer. > > > > > > > > this problem happens when thread one flush the buffer to file , > > > > and thread two flush its buffer later, > > > > then this mix will show upbetween the two flushes. > > > > > > > > i think the buffer is count exactly by bytes, > > > > but not consideringmessage, > > > > so this is the right behavior it should be. > > > > > > > > but how can i fix this problem? > > > That is probably a bug in that (old) version. I suggest to upgrade > to > > > a > > > supported version (or at least 5.10.1) and see if the problem > persists. > > > I > > > think I remember this problem, but not sure. > > > Rainer > > > > is it possible to config rsyslog using one thread for the same > file? > > > > or how can i use the OR EXPRESSION in the config file like: > > > > > > > > :rawmsg, contains, "INFO|CHAT|DLL_MD5" or "INFO|CHAT|LOGIN" > > > > -?DynFile;MyFileFormat > > > > > > > > thanks for your help. > > > > _______________________________________________ > > > > rsyslog mailing list > > > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > > > http://www.rsyslog.com/professional-services/ > > > > What's up with rsyslog? Follow https://twitter.com/rgerhards > > > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a > > > > myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT > > > POST > > > > if you DON'T LIKE THAT. > > > _______________________________________________ > > > rsyslog mailing list > > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > > http://www.rsyslog.com/professional-services/ > > > What's up with rsyslog? Follow https://twitter.com/rgerhards > > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a > > > myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT > POST > > > if you DON'T LIKE THAT. > > _______________________________________________ > > rsyslog mailing list > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > http://www.rsyslog.com/professional-services/ > > What's up with rsyslog? Follow https://twitter.com/rgerhards > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a > myriad > > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if > you > > DON'T LIKE THAT. > > > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a > myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST > if you DON'T LIKE THAT. _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
