It definitely threw errors when I did that.
I changed my config file to:
if ($source contains 'switch_') then {
:ommysql:127.0.0.1,Syslog,rsyslog,myPassword;switches
stop
}
and when I restarted rsyslog I received a series of errors and the info
only went to the catchall.
the last error occured in /etc/rsyslog.d/mysql.conf, line 9:"if ($source contains 'switch_') then {"
warning: selector line without actions will be discarded
error -2142 parsing filter property - ignoring selector [try http://www.rsyslog.com/e/2142 ]
the last error occured in /etc/rsyslog.d/mysql.conf, line 10:" :ommysql:127.0.0.1,Syslog,rsyslog,myPassword;switches"
warning: selector line without actions will be discarded
unknown priority name "" [try http://www.rsyslog.com/e/3000 ]
the last error occured in /etc/rsyslog.d/mysql.conf, line 11:" stop"
warning: selector line without actions will be discarded
unknown priority name "" [try http://www.rsyslog.com/e/3000 ]
the last error occured in /etc/rsyslog.d/mysql.conf, line 12:"}"
warning: selector line without actions will be discarded
So I changed the config to:
if ($source contains 'switch_')
then :ommysql:127.0.0.1,Syslog,rsyslog,myPassword;switches
&~
And it appears to be working now.
Strange that the "stop" config didn't work.
I'm on Debian v7.4 Wheezy and rsyslog is v5.8.11
Darhl
On Tue, Feb 18, 2014 at 5:12 AM, Darhl Thomason <[email protected]> wrote:
> Thanks David, I thought I had tried that and it didn't work. I'll give it
> another go and see how I make out.
>
>
> On Mon, Feb 17, 2014 at 11:19 PM, David Lang <[email protected]> wrote:
>
>> the logs go out to every destination where the rule matches the log
>> entry. If you don't want to have this happen, you need to explicitly throw
>> away the log entry after you process it.
>>
>> There are two ways to do this.
>>
>> prior to v6 you would do
>>
>>
>> if ($source contains 'switch_') then :ommysql:127.0.0.1,Syslog,rsyslog,myPassword;switches
>> & ~
>>
>> the & says to apply the same filter as previous and the ~ says to throw
>> away the log
>>
>> with current versions, you can do
>>
>>
>> if ($source contains 'switch_') then {
>> :ommysql:127.0.0.1,Syslog,rsyslog,myPassword;switches
>> stop
>> }
>>
>> instead (the old way still works)
>>
>> David Lang
>>
>>
>>
>> On Mon, 17 Feb 2014, Darhl Thomason wrote:
>>
>>> Date: Mon, 17 Feb 2014 08:47:45 -0800
>>> From: Darhl Thomason <[email protected]>
>>> Reply-To: rsyslog-users <[email protected]>
>>> To: [email protected]
>>> Subject: [rsyslog] Logging to multiple db tables
>>>
>>>
>>> I have rsyslog set to send info to multiple mysql db tables. This is
>>> working fine other than everything is going to both the specific table as
>>> well as my "catch-all" table. I found a thread
>>> http://lists.adiscon.net/pipermail/rsyslog/2013-June/033092.html that seems
>>> to address the issue. The solution is to use the stop command. I'm not
>>> sure how to implement that in my environment.
>>>
>>> Any help you can provide on how to get the stop to work would be greatly
>>> appreciated!
>>>
>>> I have my database info set in /etc/rsyslog.d/mysql.conf which contains:
>>>
>>> ### Configuration file for rsyslog-mysql
>>> ### Changes are preserved
>>> $ModLoad ommysql
>>>
>>> $template switches,"insert into tblSwitches (Message, Facility, FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values (\'%msg%\', %syslogfacility%, \'%HOSTNAME%\', %syslogpriority%, \'%timereported:::date-mysql%\', \'%timegenerated:::date-mysql%\', %iut%, \'%syslogtag%\')",SQL
>>>
>>> $template wireless,"insert into tblWireless (Message, Facility, FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values (\'%msg%\', %syslogfacility%, \'%HOSTNAME%\', %syslogpriority%, \'%timereported:::date-mysql%\', \'%timegenerated:::date-mysql%\', %iut%, \'%syslogtag%\')",SQL
>>>
>>> $template firewall,"insert into tblFirewalls (Message, Facility, FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values (\'%msg%\', %syslogfacility%, \'%HOSTNAME%\', %syslogpriority%, \'%timereported:::date-mysql%\', \'%timegenerated:::date-mysql%\', %iut%, \'%syslogtag%\')",SQL
>>>
>>> $template vmware,"insert into tblVMware (Message, Facility, FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values (\'%msg%\', %syslogfacility%, \'%HOSTNAME%\', %syslogpriority%, \'%timereported:::date-mysql%\', \'%timegenerated:::date-mysql%\', %iut%, \'%syslogtag%\')",SQL
>>>
>>> if ($source contains 'switch_') then
>>> :ommysql:127.0.0.1,Syslog,rsyslog,myPassword;switches
>>>
>>> if ($source contains 'wap_') then
>>> :ommysql:127.0.0.1,Syslog,rsyslog,myPassword;wireless
>>>
>>> if ($source contains 'firewall_') then
>>> :ommysql:127.0.0.1,Syslog,rsyslog,myPassword;firewall
>>>
>>> if ($source contains 'esxi_') then
>>> :ommysql:127.0.0.1,Syslog,rsyslog,myPassword;vmware
>>>
>>> *.* :ommysql:localhost,Syslog,rsyslog,myPassword
>>>
>>>
>>>
>>> Thanks!
>>> _______________________________________________
>>> rsyslog mailing list
>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>> http://www.rsyslog.com/professional-services/
>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>>> DON'T LIKE THAT.
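
The discard-after-match routing discussed in this thread, as an added example (not written by either poster and not rsyslog project code): it emits the four device rules plus the catch-all in whichever discard syntax fits the installed version, and wraps `rsyslogd -N1` so the config can be checked before a restart. The function names, the `RSYSLOGD` override and the v7 cut-over are assumptions; the thread itself only says "prior to v6" versus "current versions" and that the old form still works.

```shell
#!/bin/sh
# Added example: emit the thread's per-device routing rules in the discard
# syntax that matches the installed rsyslog. Function names are hypothetical.

# "prefix:template" pairs and connection string as posted in the thread.
ROUTES="switch_:switches wap_:wireless firewall_:firewall esxi_:vmware"
DB="127.0.0.1,Syslog,rsyslog,myPassword"

# Pull the major version out of `rsyslogd -v` style text.
rsyslog_major() {
    printf '%s\n' "$1" | sed -n 's/^rsyslogd *\([0-9][0-9]*\)\..*/\1/p' | head -n 1
}

# Print the rules for a given major version. Assumption: block syntax with
# "stop" is used only from v7 on; the legacy "& ~" form is used otherwise.
emit_rules() {
    major=$1
    for pair in $ROUTES; do
        prefix=${pair%%:*}
        tpl=${pair#*:}
        if [ "$major" -ge 7 ]; then
            printf "if (\$source contains '%s') then {\n" "$prefix"
            printf '    :ommysql:%s;%s\n    stop\n}\n' "$DB" "$tpl"
        else
            printf "if (\$source contains '%s') then :ommysql:%s;%s\n" "$prefix" "$DB" "$tpl"
            printf '& ~\n'
        fi
    done
    # The catch-all goes last so it only sees what no rule above discarded.
    printf '*.* :ommysql:localhost,Syslog,rsyslog,myPassword\n'
}

# Syntax-check the main config (which includes the fragment) before a
# restart; -N1 is rsyslogd's config-check mode and does not start logging.
check_config() {
    "${RSYSLOGD:-rsyslogd}" -N1 -f "${1:-/etc/rsyslog.conf}"
}

# Constructed sample of `rsyslogd -v` output for the v5.8.11 install in the thread.
SAMPLE_VERSION='rsyslogd 5.8.11, compiled with:'
emit_rules "$(rsyslog_major "$SAMPLE_VERSION")"
```

Running `check_config` after writing the fragment and restarting only when it exits 0 avoids the situation described above, where a parse error left only the catch-all rule active.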