Reviewing your reply, you said prior to v6 to use '& ~' and since I'm on
5.8 that explains why 'stop' didn't work.  I wonder why Debian Wheezy is
down-leveled on the rsyslog version...

In any case, the '& ~' should have worked but did not log the events
anywhere.

I appreciate you helping me work through this, just a little bamboozled why
it's not working the way I thought it should.

Darhl


On Tue, Feb 18, 2014 at 6:56 AM, Darhl Thomason <[email protected]> wrote:

> It definitely threw errors when I did that.
> I changed my config file to:
>
> if ($source contains 'switch_') then {
>     :ommysql:127.0.0.1,Syslog,rsyslog,myPassword;switches
>     stop
> }
> and when I restarted rsyslog I received a series of errors and the info
> only went to the catchall.
>
> the last error occured in /etc/rsyslog.d/mysql.conf, line 9:"if ($source contains 'switch_') then {"
> warning: selector line without actions will be discarded
> error -2142 parsing filter property - ignoring selector [try http://www.rsyslog.com/e/2142 ]
> the last error occured in /etc/rsyslog.d/mysql.conf, line 10:" :ommysql:127.0.0.1,Syslog,rsyslog,myPassword;switches"
> warning: selector line without actions will be discarded
> unknown priority name "" [try http://www.rsyslog.com/e/3000 ]
> the last error occured in /etc/rsyslog.d/mysql.conf, line 11:"   stop"
> warning: selector line without actions will be discarded
> unknown priority name "" [try http://www.rsyslog.com/e/3000 ]
> the last error occured in /etc/rsyslog.d/mysql.conf, line 12:"}"
> warning: selector line without actions will be discarded
>
> So I changed the config to:
>
> if ($source contains 'switch_') then :ommysql:127.0.0.1,Syslog,rsyslog,myPassword;switches
> &~
>
> And it appears to be working now.
>
> Strange that the "stop" config didn't work.
>
> I'm on Debian v7.4 Wheezy and rsyslog is v5.8.11
>
>
> Darhl
>
>
>
> On Tue, Feb 18, 2014 at 5:12 AM, Darhl Thomason <[email protected]> wrote:
>
>> Thanks David, I thought I had tried that and it didn't work.  I'll give
>> it another go and see how I make out.
>>
>>
>> On Mon, Feb 17, 2014 at 11:19 PM, David Lang <[email protected]> wrote:
>>
>>> the logs go out to every destination where the rule matches the log
>>> entry. If you don't want to have this happen, you need to explicitly throw
>>> away the log entry after you process it.
>>>
>>> There are two ways to do this.
>>>
>>> prior to v6 you would do
>>>
>>>
>>> if ($source contains 'switch_') then :ommysql:127.0.0.1,Syslog,rsyslog,myPassword;switches
>>> & ~
>>>
>>> the & says to apply the same filter as previous and the ~ says to throw
>>> away the log
>>>
>>> with current versions, you can do
>>>
>>>
>>> if ($source contains 'switch_') then {
>>>     :ommysql:127.0.0.1,Syslog,rsyslog,myPassword;switches
>>>     stop
>>> }
>>>
>>> instead (the old way still works)
>>>
>>> David Lang
>>>
>>>
>>>
>>> On Mon, 17 Feb 2014, Darhl Thomason wrote:
>>>
>>>> Date: Mon, 17 Feb 2014 08:47:45 -0800
>>>> From: Darhl Thomason <[email protected]>
>>>> Reply-To: rsyslog-users <[email protected]>
>>>> To: [email protected]
>>>> Subject: [rsyslog] Logging to multiple db tables
>>>>
>>>>
>>>> I have rsyslog set to send info to multiple mysql db tables.  This is
>>>> working fine other than everything is going to both the specific table
>>>> as well as my "catch-all" table.  I found a thread
>>>> http://lists.adiscon.net/pipermail/rsyslog/2013-June/033092.html that
>>>> seems to address the issue.  The solution is to use the stop command.
>>>> I'm not sure how to implement that in my environment.
>>>>
>>>> Any help you can provide on how to get the stop to work would be greatly
>>>> appreciated!
>>>>
>>>> I have my database info set in /etc/rsyslog.d/mysql.conf which contains:
>>>>
>>>> ### Configuration file for rsyslog-mysql
>>>> ### Changes are preserved
>>>>
>>>> $ModLoad ommysql
>>>>
>>>> $template switches,"insert into tblSwitches (Message, Facility, FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values (\'%msg%\', %syslogfacility%, \'%HOSTNAME%\', %syslogpriority%, \'%timereported:::date-mysql%\', \'%timegenerated:::date-mysql%\', %iut%, \'%syslogtag%\')",SQL
>>>>
>>>> $template wireless,"insert into tblWireless (Message, Facility, FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values (\'%msg%\', %syslogfacility%, \'%HOSTNAME%\', %syslogpriority%, \'%timereported:::date-mysql%\', \'%timegenerated:::date-mysql%\', %iut%, \'%syslogtag%\')",SQL
>>>>
>>>> $template firewall,"insert into tblFirewalls (Message, Facility, FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values (\'%msg%\', %syslogfacility%, \'%HOSTNAME%\', %syslogpriority%, \'%timereported:::date-mysql%\', \'%timegenerated:::date-mysql%\', %iut%, \'%syslogtag%\')",SQL
>>>>
>>>> $template vmware,"insert into tblVMware (Message, Facility, FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values (\'%msg%\', %syslogfacility%, \'%HOSTNAME%\', %syslogpriority%, \'%timereported:::date-mysql%\', \'%timegenerated:::date-mysql%\', %iut%, \'%syslogtag%\')",SQL
>>>>
>>>> if ($source contains 'switch_') then :ommysql:127.0.0.1,Syslog,rsyslog,myPassword;switches
>>>>
>>>> if ($source contains 'wap_') then :ommysql:127.0.0.1,Syslog,rsyslog,myPassword;wireless
>>>>
>>>> if ($source contains 'firewall_') then :ommysql:127.0.0.1,Syslog,rsyslog,myPassword;firewall
>>>>
>>>> if ($source contains 'esxi_') then :ommysql:127.0.0.1,Syslog,rsyslog,myPassword;vmware
>>>>
>>>> *.* :ommysql:localhost,Syslog,rsyslog,myPassword
>>>>
>>>>
>>>>
>>>> Thanks!
>>>> _______________________________________________
>>>> rsyslog mailing list
>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>>> http://www.rsyslog.com/professional-services/
>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
>>>> myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if
>>>> you DON'T LIKE THAT.
>>>>

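The routing behaviour David Lang describes in the thread, laid out as one complete rule section. This is an added example, not part of the original messages; it assumes the `$ModLoad ommysql` line, the four `$template` definitions and the credentials shown in the original post.

```rsyslog
# /etc/rsyslog.d/mysql.conf -- rule section only.
# Assumes "$ModLoad ommysql" and the $template definitions for
# switches, wireless, firewall and vmware (from the original post)
# appear above these rules.
# The file holds the database password, so keep it readable by root only.

# Form A: rsyslog before v6 (e.g. the 5.8.11 mentioned in the thread).
# Each filter and its action sit on one line. The "& ~" line directly
# after it reuses the same filter ("&") and discards the message ("~"),
# so a matched message never reaches the catch-all rule at the bottom.
if ($source contains 'switch_') then :ommysql:127.0.0.1,Syslog,rsyslog,myPassword;switches
& ~

if ($source contains 'wap_') then :ommysql:127.0.0.1,Syslog,rsyslog,myPassword;wireless
& ~

if ($source contains 'firewall_') then :ommysql:127.0.0.1,Syslog,rsyslog,myPassword;firewall
& ~

if ($source contains 'esxi_') then :ommysql:127.0.0.1,Syslog,rsyslog,myPassword;vmware
& ~

# Catch-all: must stay last. Rules are evaluated top to bottom, and a
# message is written by every rule it matches until one discards it.
*.* :ommysql:localhost,Syslog,rsyslog,myPassword

# Form B: current versions, one block per source in place of the
# filter + "& ~" pair above (shown commented out; use one form only).
# The braces and "stop" are rejected by 5.x, which produces the
# "selector line without actions" errors quoted in the thread.
#
# if ($source contains 'switch_') then {
#     :ommysql:127.0.0.1,Syslog,rsyslog,myPassword;switches
#     stop
# }
```

Running `rsyslogd -N1` parses the configuration and reports syntax errors without starting the daemon, which shows whether the installed version accepts the form in use.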