Thanks a lot, Gary, that makes it really clear on how to do it now. Your program fu is strong! :P

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Gary Foster
Sent: Tuesday, April 09, 2013 2:36 PM
To: rsyslog-users
Subject: Re: [rsyslog] Messages log problems

You need to enclose your THEN clause in braces and add it there. Not sure why you are backslash escaping all your stuff, either. You could probably do it with a negated regex match a lot more concisely, as well, but basically yes... you'd have something like:

if blah and blah and blah then {
    blah
    stop
}

You don't put the braces around your IF stuff, just the THEN clause (you use the braces to group actions, not conditions).

~~~~~~
if $msg contains 'foo' then
    # action1
    stop

*.* action2
~~~~~~

That example drops EVERY message whether it matches or not. If it matches, it does action 1, but regardless it drops EVERYTHING and action 2 will never get completed.

~~~~~~
if $msg contains 'foo' then {
    # action1
    stop
}

*.* action2
~~~~~~

That will perform action 1 on messages and then discard them and everything else goes to action 2.

Does that make it more clear?

-- Gary F.

On Apr 9, 2013, at 2:29 PM, Josh Bitto <[email protected]> wrote:

> Do I just add the word "stop" to my rules with the enclosed brackets you
> mentioned?
>
> Example:
>
> if \ {
> $source != 'hostname' \
> and \
> $syslogseverity <= '6' \
> and ( \
> $syslogfacility-text != 'mail' \
> and \
> $syslogfacility-text != 'authpriv' \
> and \
> $syslogfacility-text != 'cron' \
> and \
> $programname != 'mysqld' \
> and \
> $programname != 'httpd' \
> and \
> $programname != 'rkhunter' \
> and \
> $programname != 'bashhist' \
> ) \
> then ?DYNmessages
> stop
> }
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Gary Foster
> Sent: Tuesday, April 09, 2013 2:15 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] Messages log problems
>
> You need to tell rsyslog to stop processing and discard the message when you
> no longer want it. Otherwise, it will match multiple rules or fall through
> to your default.
>
> ~~~~~~
> if $msg contains 'foo' then {
>     # do something
>     stop
> }
>
> *.* /var/log/messages
> ~~~~~~
>
> The example above will drop the message after it handles it if it matches the
> first rule. If not, it will fall through and get processed by the wildcard.
> You are missing "stop" statements (and you'll need to add enclosing braces to
> group your actions).
>
> -- Gary F.
>
> On Apr 9, 2013, at 1:47 PM, Josh Bitto <[email protected]> wrote:
>
>> Ok so I'm having an issue where I'm receiving logs from different hosts and
>> they are being logged to my /var/log/messages. PLUS in the template that I
>> have it set for. I don't want this "double" logging. Is there a way to
>> correct this? My programming fu is weak.
>>
>> I have it setup in rsyslog.conf configured to a template as the attached txt
>> file.
>>
>> Joshua Bitto
>> Information Technologist
>> KCC
>>
>> <configfile.txt>
>> _______________________________________________
>> rsyslog mailing list
>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>> http://www.rsyslog.com/professional-services/
>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
>> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
>> LIKE THAT.
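
Gary's advice applied to the rule quoted in the thread, as an added example that is not part of the original messages: the conditions stay outside the braces, and the braces group the two actions of the THEN clause. It assumes the `DYNmessages` template is defined elsewhere in rsyslog.conf and that the local catch-all is the `*.* /var/log/messages` line from Gary's example.

```rsyslog
# Added example, not from the original thread.
# Assumes the DYNmessages dynamic-file template is defined earlier in rsyslog.conf.

# The conditions are not wrapped in braces and need no backslash continuations.
if $source != 'hostname'
    and $syslogseverity <= '6'
    and (
        $syslogfacility-text != 'mail'
        and $syslogfacility-text != 'authpriv'
        and $syslogfacility-text != 'cron'
        and $programname != 'mysqld'
        and $programname != 'httpd'
        and $programname != 'rkhunter'
        and $programname != 'bashhist'
    )
then {
    # Action 1: write the message to the file named by the template.
    ?DYNmessages
    # Discard the message here so it never reaches the catch-all below.
    stop
}

# Only messages that did not match the rule above get this far,
# so remote messages are no longer logged twice.
*.* /var/log/messages
```

Running `rsyslogd -N1` checks the configuration syntax before the daemon is restarted.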

