On Wed, Aug 14, 2013 at 11:27 AM, David Lang <[email protected]> wrote:

> On Wed, 14 Aug 2013, John Anza wrote:
>
> > On Wed, Aug 14, 2013 at 7:40 AM, David Lang <[email protected]> wrote:
>>
>> On Tue, 13 Aug 2013, Gary Foster wrote:
>>>
>>> On Aug 13, 2013, at 5:09 PM, johnanza <[email protected]> wrote:
>>>
>>>> This works fine but is inefficient. I tried to rewrite as: (B)
>>>>>
>>>>> if $syslogtag contains '/usr/local/bin/node' and $msg contains '[info]'
>>>>> then
>>>>> {
>>>>> if $msg contains 'foo' then ~
>>>>> else if $msg contains 'bar' then ~
>>>>> else if $msg contains 'baz' then ~
>>>>> }
>>>>>
>>>>> so what happens if the syslogtag contains '/usr/local/bin/node' and
>>>> the $msg contains '[info]' but it does not contain foo, bar or baz?
>>>>
>>>> That's right, it falls through your last else to?
>>>>
>>>> but this failed with " warning: selector line without actions will be
>>>>> discarded"
>>>>>
>>>> a selector line without an action.
>>>>
>>> could be, but I also wonder what would happen if he replaced ~ with
>>> 'stop'?
>>>
>> With 'stop' it fails in the same way.
>>
>>> what version of rsyslog are you dealing with?
>>>
>>
>> It's version 5.8.10-6.22.amzn1
>>
>
> ahh, I'm not sure that that version supports {} grouped statements. I
> think that was added in v6
>
> actually v7+ (it requires the new execution engine).
> If you are using this style of configuration, you really should move to
> 7.4. The configuration optimizer that was added in v7 will make a huge
> difference in the performance of your filters, and may make it unnecessary
> to re-structure them
>

Well, it doesn't do true magic. This nesting definitely helps with the performance, even in v7.4. I personally also find it much easier to read and maintain, but YMMV.

Rainer

> David Lang
>
> One thing I should have mentioned is that the rsyslog.conf looks like:
>>
>> $IncludeConfig /etc/rsyslog.d/node.conf # this is where the IF statement is.
>> (...)
>> *.info;mail.none;authpriv.none;cron.none                /var/log/messages
>>
>> So there is a catch-all statement. If a message does not match the
>> problematic IF statement it will hit the /var/log/messages action.
>>
>>> David Lang

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.

