you need to enclose your THEN clause in braces and add it there. Not sure why
you are backslash escaping all your stuff, either. You could probably do it
with a negated regex match a lot more concisely, as well, but basically yes…
you'd have something like:
~~~
if blah and blah and blah then {
    blah
    stop
}
~~~
You don't put the braces around your IF stuff, just the THEN clause (you use
the braces to group actions, not conditions).
~~~
if $msg contains 'foo' then
# action1
stop
*.* action2
~~~
That example drops EVERY message whether it matches or not. If it matches, it
does action 1, but regardless it drops EVERYTHING and action 2 will never get
completed.
~~~
if $msg contains 'foo' then {
    # action1
    stop
}
*.* action2
~~~
That will perform action 1 on messages and then discard them and everything
else goes to action 2. Does that make it more clear?
-- Gary F.
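
Josh's rule from the quoted message below, rewritten with the brace grouping, `stop`, and negated regex match described in this reply; this is an added example, not part of the original thread. The `DYNmessages` template body and both file paths are assumptions (the real template is in the attachment, which is not shown), and `re_match()` is assumed to be available in the installed rsyslog version.

```conf
# Assumed stand-in for the DYNmessages template; the real definition is in
# the attachment, which the thread does not show.
$template DYNmessages,"/var/log/remote/%HOSTNAME%/messages"

# Remote messages that pass the filter go to the per-host file. The braces
# make "stop" part of the THEN clause, so only matching messages are
# discarded from further processing. 'hostname' is the placeholder used in
# the thread for the local host name.
if $source != 'hostname'
   and $syslogseverity <= '6'
   and not re_match($syslogfacility-text, '^(mail|authpriv|cron)$')
   and not re_match($programname, '^(mysqld|httpd|rkhunter|bashhist)$')
then {
    ?DYNmessages
    stop
}

# Everything that did not match above falls through to the default rule,
# so a message is written to one file or the other, never both.
*.* /var/log/messages
```

Running `rsyslogd -N1` checks the configuration for syntax errors before the daemon is restarted.
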
On Apr 9, 2013, at 2:29 PM, Josh Bitto <[email protected]> wrote:
> Do I just add the word "stop" to my rules with the enclosed brackets you
> mentioned?
>
> Example:
>
> if \ {
> $source != 'hostname' \
> and \
> $syslogseverity <= '6' \
> and ( \
> $syslogfacility-text != 'mail' \
> and \
> $syslogfacility-text != 'authpriv' \
> and \
> $syslogfacility-text != 'cron' \
> and \
> $programname != 'mysqld' \
> and \
> $programname != 'httpd' \
> and \
> $programname != 'rkhunter' \
> and \
> $programname != 'bashhist' \
> ) \
> then ?DYNmessages
> stop
> }
>
>
>
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Gary Foster
> Sent: Tuesday, April 09, 2013 2:15 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] Messages log problems
>
> You need to tell rsyslog to stop processing and discard the message when you
> no longer want it. Otherwise, it will match multiple rules or fall through
> to your default.
>
> ~~~~~~
> if $msg contains 'foo' then {
> # do something
> stop
> }
>
> *.* /var/log/messages
> ~~~~~~
>
> The example above will drop the message after it handles it if it matches the
> first rule. If not, it will fall through and get processed by the wildcard.
> You are missing "stop" statements (and you'll need to add enclosing braces to
> group your actions).
>
> -- Gary F.
>
>
> On Apr 9, 2013, at 1:47 PM, Josh Bitto <[email protected]> wrote:
>
>> Ok so I'm having an issue where I'm receiving logs from different hosts and
>> they are being logged to my /var/log/messages. PLUS in the template that I
>> have it set for. I don't want this "double" logging. Is there a way to
>> correct this? My programming fu is weak.
>>
>>
>> I have it setup in rsyslog.conf configured to a template as the attached txt
>> file.
>>
>> Joshua Bitto
>> Information Technologist
>> KCC
>>
>>
>>
>> <configfile.txt>_______________________________________________
>> rsyslog mailing list
>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>> http://www.rsyslog.com/professional-services/
>> What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE
>> WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites
>> beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
>> THAT.
>