On Tue, 18 Feb 2014, Darhl Thomason wrote:

Reviewing your reply, you said prior to v6 to use '& ~' and since I'm on
5.8 that explains why 'stop' didn't work.  I wonder why Debian Wheezy is
down-leveled on the rsyslog version...

In any case, the '& ~' should have worked but did not log the events
anywhere.

what you listed below was missing the space between the two characters

I would suggest for troubleshooting doing

if ($source contains 'switch_') then 
:ommysql:127.0.0.1,Syslog,rsyslog,myPassword;switches
& /var/log/testswitch;switches
& ~

this will send it to the database, then write it to the file, then throw it away.

if it shows up in the file, but not in the database, look for database errors. Since the file will have the command sent to the database, you can cut-n-paste it yourself to test it.

by the way, the if..then filtering is significantly slower than other types of filters on 5.x, yet another reason to upgrade

David Lang

I appreciate you helping me work through this, just a little bamboozled why
it's not working the way I thought it should.

Darhl


On Tue, Feb 18, 2014 at 6:56 AM, Darhl Thomason <[email protected]> wrote:

It definitely threw errors when I did that.
I changed my config file to:

if ($source contains 'switch_') then {
    :ommysql:127.0.0.1,Syslog,rsyslog,myPassword;switches
    stop
}
and when I restarted rsyslog I received a series of errors and the info
only went to the catchall.
   the last error occured in /etc/rsyslog.d/mysql.conf, line 9:"if ($source contains 'switch_') then {"
   warning: selector line without actions will be discarded
   error -2142 parsing filter property - ignoring selector [try http://www.rsyslog.com/e/2142 ]
   the last error occured in /etc/rsyslog.d/mysql.conf, line 10:" :ommysql:127.0.0.1,Syslog,rsyslog,myPassword;switches"
   warning: selector line without actions will be discarded
   unknown priority name "" [try http://www.rsyslog.com/e/3000 ]
   the last error occured in /etc/rsyslog.d/mysql.conf, line 11:"   stop"
   warning: selector line without actions will be discarded
   unknown priority name "" [try http://www.rsyslog.com/e/3000 ]
   the last error occured in /etc/rsyslog.d/mysql.conf, line 12:"}"
   warning: selector line without actions will be discarded
So I changed the config to:
if ($source contains 'switch_')
then :ommysql:127.0.0.1,Syslog,rsyslog,myPassword;switches
&~

And it appears to be working now.

Strange that the "stop" config didn't work.

I'm on Debian v7.4 Wheezy and rsyslog is v5.8.11


Darhl



On Tue, Feb 18, 2014 at 5:12 AM, Darhl Thomason <[email protected]> wrote:

Thanks David, I thought I had tried that and it didn't work.  I'll give
it another go and see how I make out.


On Mon, Feb 17, 2014 at 11:19 PM, David Lang <[email protected]> wrote:

the logs go out to every destination where the rule matches the log
entry. If you don't want to have this happen, you need to explicitly throw
away the log entry after you process it.

There are two ways to do this.

prior to v6 you would do


if ($source contains 'switch_') then :ommysql:127.0.0.1,Syslog,rsyslog,myPassword;switches
& ~

the & says to apply the same filter as previous and the ~ says to throw
away the log

with current versions, you can do


if ($source contains 'switch_') then {
    :ommysql:127.0.0.1,Syslog,rsyslog,myPassword;switches
    stop
}

instead (the old way still works)

David Lang



On Mon, 17 Feb 2014, Darhl Thomason wrote:

 Date: Mon, 17 Feb 2014 08:47:45 -0800
From: Darhl Thomason <[email protected]>
Reply-To: rsyslog-users <[email protected]>
To: [email protected]
Subject: [rsyslog] Logging to multiple db tables


I have rsyslog set to send info to multiple mysql db tables.  This is
working fine other than everything is going to both the specific table as
well as my "catch-all" table.  I found a thread
http://lists.adiscon.net/pipermail/rsyslog/2013-June/033092.html that seems
to address the issue.  The solution is to use the stop command.  I'm not
sure how to implement that in my environment.



Any help you can provide on how to get the stop to work would be greatly
appreciated!



I have my database info set in /etc/rsyslog.d/mysql.conf which contains:

### Configuration file for rsyslog-mysql

### Changes are preserved

$ModLoad ommysql



$template switches,"insert into tblSwitches (Message, Facility, FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values (\'%msg%\', %syslogfacility%, \'%HOSTNAME%\', %syslogpriority%, \'%timereported:::date-mysql%\', \'%timegenerated:::date-mysql%\', %iut%, \'%syslogtag%\')",SQL

$template wireless,"insert into tblWireless (Message, Facility, FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values (\'%msg%\', %syslogfacility%, \'%HOSTNAME%\', %syslogpriority%, \'%timereported:::date-mysql%\', \'%timegenerated:::date-mysql%\', %iut%, \'%syslogtag%\')",SQL

$template firewall,"insert into tblFirewalls (Message, Facility, FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values (\'%msg%\', %syslogfacility%, \'%HOSTNAME%\', %syslogpriority%, \'%timereported:::date-mysql%\', \'%timegenerated:::date-mysql%\', %iut%, \'%syslogtag%\')",SQL

$template vmware,"insert into tblVMware (Message, Facility, FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values (\'%msg%\', %syslogfacility%, \'%HOSTNAME%\', %syslogpriority%, \'%timereported:::date-mysql%\', \'%timegenerated:::date-mysql%\', %iut%, \'%syslogtag%\')",SQL



if ($source contains 'switch_') then
:ommysql:127.0.0.1,Syslog,rsyslog,myPassword;switches



if ($source contains 'wap_') then
:ommysql:127.0.0.1,Syslog,rsyslog,myPassword;wireless



if ($source contains 'firewall_') then
:ommysql:127.0.0.1,Syslog,rsyslog,myPassword;firewall



if ($source contains 'esxi_') then
:ommysql:127.0.0.1,Syslog,rsyslog,myPassword;vmware



*.* :ommysql:localhost,Syslog,rsyslog,myPassword



Thanks!
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if
you DON'T LIKE THAT.
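
An added example, not part of the original thread and not rsyslog's own tooling: a small Python check for a legacy (pre-v6) rule file like the one discussed above, flagging filtered rules that still reach the catch-all and the v6-only or mis-spaced forms the replies point out. The function name `lint_legacy_rules` and the sample config are constructed for illustration; the check assumes the file targets rsyslog older than v6.

```python
import re

# Constructed sample in the thread's legacy (v5) syntax; $template lines omitted.
SAMPLE = """\
if ($source contains 'switch_') then
:ommysql:127.0.0.1,Syslog,rsyslog,myPassword;switches
& ~
if ($source contains 'wap_') then
:ommysql:127.0.0.1,Syslog,rsyslog,myPassword;wireless
&~
if ($source contains 'firewall_') then {
    :ommysql:127.0.0.1,Syslog,rsyslog,myPassword;firewall
    stop
}
if ($source contains 'esxi_') then
:ommysql:127.0.0.1,Syslog,rsyslog,myPassword;vmware
*.* :ommysql:localhost,Syslog,rsyslog,myPassword
"""


def lint_legacy_rules(text):
    """Return (line_number, message) findings for a v5-style rule file."""
    findings = []
    pending = None  # line of an 'if' rule that has no discard after it yet
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("if ") or line.startswith("*.*"):
            # A new rule starts: the previous filter was never discarded.
            if pending is not None:
                findings.append((pending, "no '& ~': matches also reach later rules"))
            pending = no if line.startswith("if ") else None
            if line.endswith("{"):
                findings.append((no, "'then { ... }' blocks need v6 or later"))
        elif line == "stop":
            findings.append((no, "'stop' needs v6 or later; use '& ~'"))
            pending = None
        elif re.fullmatch(r"&\s*~", line):
            # Discard action; the thread's reply asks for a space between & and ~.
            if line != "& ~":
                findings.append((no, "write the discard as '& ~' with a space"))
            pending = None
    return findings


if __name__ == "__main__":
    for no, msg in lint_legacy_rules(SAMPLE):
        print(f"line {no}: {msg}")
```
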
