Am 14-06-2013 17:07, schrieb David Lang:
On Fri, 14 Jun 2013, Aleksandar Lazic wrote:
This configuration is saying that for messages that arrive via TCP,
you only want to possibly ever do one of these two actions with the
message. No other filters will apply.
if you just remove any reference to rulesets (both in the input name,
and around these two actions), then all the rules that you define
will
be applied to the logs, no matter what source the come from.
Yep I wanted this. Thanks for confirmation ;-)
My question was is there a performance penalty when I use the
'ruleset(name="remote"){ ... }'
instead of not using it and handle the messages with
if $fromhost-ip == ....
as described in
http://lists.adiscon.net/pipermail/rsyslog/2013-June/032819.html
The ruleset version will actually be slightly faster (there's no test
in the ruleset version) the problem is a matter of confusion,
especially when dealing with includes, as we ran into here.
When you use a ruleset and tie that ruleset to an input, any logs
arriving from that input go only to actions/tests in that ruleset. Any
other actions/tests may as well not exist as far as that log is
concerned. The cost of invoking the ruleset is far less than even a
single fromhost-ip test.
But because the log is only processed by things in that ruleset,
unless you keep all your rules in one file, it's really easy to get
confused as to which ruleset a given set of actions/tests are in.
Thank you for your explanation.
I will stick with ruleset for my setup due to the fact it works and it's
a small setup.
David Lang
Aleks
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST
if you DON'T LIKE THAT.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
