The logs go out to every destination where the rule matches the log entry. If
you don't want to have this happen, you need to explicitly throw away the log
entry after you process it.

There are two ways to do this.

Prior to v6 you would do

if ($source contains 'switch_') then
:ommysql:127.0.0.1,Syslog,rsyslog,myPassword;switches
& ~

The & says to apply the same filter as previous and the ~ says to throw away the
log.

With current versions, you can do

if ($source contains 'switch_') then {
    :ommysql:127.0.0.1,Syslog,rsyslog,myPassword;switches
    stop
}

instead (the old way still works).

David Lang
On Mon, 17 Feb 2014, Darhl Thomason wrote:
Date: Mon, 17 Feb 2014 08:47:45 -0800
From: Darhl Thomason <[email protected]>
Reply-To: rsyslog-users <[email protected]>
To: [email protected]
Subject: [rsyslog] Logging to multiple db tables
I have rsyslog set to send info to multiple mysql db tables. This is
working fine other than everything is going to both the specific table as
well as my "catch-all" table. I found a thread
http://lists.adiscon.net/pipermail/rsyslog/2013-June/033092.html that seems
to address the issue. The solution is to use the stop command. I'm not
sure how to implement that in my environment.
Any help you can provide on how to get the stop to work would be greatly
appreciated!
I have my database info set in /etc/rsyslog.d/mysql.conf which contains:
### Configuration file for rsyslog-mysql
### Changes are preserved
$ModLoad ommysql
$template switches,"insert into tblSwitches (Message, Facility, FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values (\'%msg%\', %syslogfacility%, \'%HOSTNAME%\', %syslogpriority%, \'%timereported:::date-mysql%\', \'%timegenerated:::date-mysql%\', %iut%, \'%syslogtag%\')",SQL
$template wireless,"insert into tblWireless (Message, Facility, FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values (\'%msg%\', %syslogfacility%, \'%HOSTNAME%\', %syslogpriority%, \'%timereported:::date-mysql%\', \'%timegenerated:::date-mysql%\', %iut%, \'%syslogtag%\')",SQL
$template firewall,"insert into tblFirewalls (Message, Facility, FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values (\'%msg%\', %syslogfacility%, \'%HOSTNAME%\', %syslogpriority%, \'%timereported:::date-mysql%\', \'%timegenerated:::date-mysql%\', %iut%, \'%syslogtag%\')",SQL
$template vmware,"insert into tblVMware (Message, Facility, FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values (\'%msg%\', %syslogfacility%, \'%HOSTNAME%\', %syslogpriority%, \'%timereported:::date-mysql%\', \'%timegenerated:::date-mysql%\', %iut%, \'%syslogtag%\')",SQL
if ($source contains 'switch_') then
:ommysql:127.0.0.1,Syslog,rsyslog,myPassword;switches
if ($source contains 'wap_') then
:ommysql:127.0.0.1,Syslog,rsyslog,myPassword;wireless
if ($source contains 'firewall_') then
:ommysql:127.0.0.1,Syslog,rsyslog,myPassword;firewall
if ($source contains 'esxi_') then
:ommysql:127.0.0.1,Syslog,rsyslog,myPassword;vmware
*.* :ommysql:localhost,Syslog,rsyslog,myPassword
Thanks!
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
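
Added example (not part of the original thread and not the rsyslog project's own configuration): the v6+ "stop" pattern from the reply above applied to all four device rules in the poster's /etc/rsyslog.d/mysql.conf, with the catch-all kept last. It assumes the "$ModLoad ommysql" line and the four $template definitions from that file are already loaded above these rules.

```rsyslog
# Rule section of /etc/rsyslog.d/mysql.conf, v6+ syntax (added example).
# Assumption: "$ModLoad ommysql" and the $template definitions named
# switches, wireless, firewall and vmware appear earlier in this file.

# Rules are evaluated top to bottom. Each device rule writes to its own
# table and then "stop" discards the message, so nothing below sees it.
if ($source contains 'switch_') then {
    :ommysql:127.0.0.1,Syslog,rsyslog,myPassword;switches
    stop
}

if ($source contains 'wap_') then {
    :ommysql:127.0.0.1,Syslog,rsyslog,myPassword;wireless
    stop
}

if ($source contains 'firewall_') then {
    :ommysql:127.0.0.1,Syslog,rsyslog,myPassword;firewall
    stop
}

if ($source contains 'esxi_') then {
    :ommysql:127.0.0.1,Syslog,rsyslog,myPassword;vmware
    stop
}

# Catch-all: must stay after every rule that uses "stop". Only messages
# that matched none of the device filters reach this line. If it is moved
# above them, every message lands in the catch-all table again.
*.* :ommysql:localhost,Syslog,rsyslog,myPassword
```

Because "stop" ends processing for the message, any other rule that should still see switch, wireless, firewall or ESXi logs (a local file or a remote forwarder, for instance) has to be placed above these blocks. The result can be syntax-checked with "rsyslogd -N1" before restarting the daemon.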