Ok, there are two parts to the ruleset
1. the definition of the ruleset
2. sending traffic to the ruleset
When you define a ruleset, you include all actions that are taken as part of
that ruleset definition (and thus an empty ruleset is meaningless)
Once a ruleset is defined, then you can have multiple things send traffic to
that ruleset.
Rsyslog can be configured so that all traffic that arrives via a given input is
sent to the ruleset (and this can be done for multiple inputs).
Rsyslog can be configured to call a ruleset via any of the normally available
conditional tests.
Because of the multiple ways to deliver messages to a ruleset, those ways must
be defined all over the place, at the point where something needs to be done to
the message.
But the definition of what a ruleset means goes just one place.
David Lang
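The two parts above in one config, as an added example that is not from the thread or from the rsyslog project itself. The ruleset names, file paths, port and the facility test are assumptions chosen for illustration; imptcp, omfile, the ruleset/input/action objects, the call statement and the fileCreateMode/dirCreateMode parameters are standard rsyslog v7 features.

```rsyslog
# Added example (not from the thread). Assumes rsyslog v7 with imptcp available;
# omfile is built in. Names, paths and port are illustrative.
module(load="imptcp")

# Part 1: definition. Every action a ruleset performs goes inside its block,
# which is why an empty ruleset() { } has nothing to do.
# Define the ruleset that gets called first, so nothing refers to it
# before the parser has seen it.
ruleset(name="remote_auth") {
    action(type="omfile" file="/var/log/remote-auth.log"
           fileCreateMode="0640" dirCreateMode="0750")
}

ruleset(name="remote") {
    # A conditional inside a ruleset may hand a message to another ruleset.
    if $syslogfacility-text == "auth" or $syslogfacility-text == "authpriv" then {
        call remote_auth
    }
    # Keep remote-sourced logs in their own file, not mixed with local ones.
    action(type="omfile" file="/var/log/remote.log"
           fileCreateMode="0640" dirCreateMode="0750")
    stop
}

# Part 2: sending traffic. The input is bound from outside the block, by name.
# Messages arriving on this port are processed only by "remote", never by the
# default ruleset, so none of the filters below this line see them.
input(type="imptcp" port="4414" ruleset="remote")

# ...or a conditional in the default ruleset sends matching messages to it.
if $syslogfacility-text == "authpriv" then {
    call remote_auth
}
```

Before restarting, run rsyslogd -N1 to check the config for parse errors. Note that binding an input to a ruleset takes its messages out of the default ruleset entirely, so any local-only filtering in the main config no longer applies to them; that is usually the point of giving network inputs their own ruleset, but it is easy to overlook when a later rule is expected to match everything.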
On Mon, 15 Sep 2014, Devin Christensen wrote:
I believe I've figured out my ruleset issue. A ruleset would only parse
correctly if it had at least one action bound to it, e.g.,
ruleset(name="ruleset") {
action(type="omfile" file="/tmp/test")
}
My mistake was trying to bind the action to the ruleset outside of the block.
I expected an action to be bindable to a ruleset the same way an input is,
but
ruleset(name="ruleset")
input(type="imptcp" Port="4414" ruleset="ruleset")
action(type="omfile" file="/tmp/test" ruleset="ruleset")
did not work for me. I also tried to bind the input to the ruleset the same
way an action is, for example:
ruleset(name="ruleset") {
input(type="imptcp" Port="4414")
action(type="omfile" file="/tmp/test")
}
This did not work for me either. The separate binding mechanism for inputs
and actions tripped me up. I could only get my ruleset to parse correctly
when I put the action inside of the ruleset block, and the input outside of
it, i.e.,
ruleset(name="ruleset") {
action(type="omfile" file="/tmp/test")
}
input(type="imptcp" Port="4414" ruleset="ruleset")
This is probably expected behavior, but these nuances were not clear to me
from the documentation.
http://www.rsyslog.com/doc/v7-stable/concepts/multi_ruleset.html seems to
indicate that
ruleset(name="ruleset");
should work (without any actions in it), but that was not my experience.
On 09/13/2014 08:07 AM, Rainer Gerhards wrote:
On Sat, Sep 13, 2014 at 3:59 PM, Devin Christensen <[email protected]> wrote:
I will send when I get to the office. I can tell you the config is parsed
without error when I remove the ruleset, which is why I suspected it was
the issue. Does adding a ruleset trigger a change in how the config is
parsed?
No, but the error message points into some interdependency (as it mentions
the "module" object). So to understand what's going on, more context is
required.
Rainer
On Sep 13, 2014 1:21 AM, Rainer Gerhards <[email protected]> wrote:
Full config pls.
Sent from phone, thus brief.
On 13.09.2014 02:48, "Devin Christensen" <[email protected]> wrote:
I'm getting parsing errors when adding a ruleset to my rsyslog
configuration. Here are all the variations I have tried.
* ruleset(name="rulesetname");
* ruleset(name="rulesetname")
* Ruleset(name="rulesetname")
* Ruleset(Name="rulesetname")
* ruleset(Name="rulesetname")
* ruleset(name="rulesetname") { }
* ruleset(name="rulesetname") {
}
* ruleset(name="rulesetname") {
};
The documentation seems to indicate that at least one of those should
work, not sure what I've overlooked.
I've tried versions 7.6.3 and 7.6.4 of rsyslog. I'm on Ubuntu 12.04.3. The
error message given is:
rsyslogd: error during parsing file /etc/rsyslog.conf, on or before line
27: syntax error on token 'module(' [try http://www.rsyslog.com/e/2207 ]
rsyslogd: CONFIG ERROR: could not interpret master config file
'/etc/rsyslog.conf'. [try http://www.rsyslog.com/e/2207 ]
rsyslogd: run failed with error -2207 (see rsyslog.h or try
http://www.rsyslog.com/e/2207 to learn what that number means)
This email message is for the sole use of the intended recipient(s) and
may contain confidential, proprietary and privileged information. Any
unauthorized review, use, disclosure or distribution is prohibited. If you
are not the intended recipient, please contact the sender by reply email
and destroy all copies of the original message. If you are the intended
recipient, please be advised that the content of this message is subject to
access, review and disclosure by the sender's Email System Administrator.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.