Thanks!

On Wed, Nov 19, 2014 at 1:59 PM, Rainer Gerhards <[email protected]>
wrote:

> Ok then I need to see how I can fiddle that into the grammar ;)
>
> Sent from phone, thus brief.
> On 19.11.2014 19:56, "David Lang" <[email protected]> wrote:
>
> > On Wed, 19 Nov 2014, Rainer Gerhards wrote:
> >
> >> 2014-11-19 16:40 GMT+01:00 Brian Knox <[email protected]>:
> >>
> >>> Ok - perhaps we have accidentally conflated two problems:
> >>>
> >>> 1) An empty ruleset
> >>> 2) A ruleset with only "stop"
> >>>
> >>> this will pass validation:
> >>>
> >>> ------------------------------------
> >>> ruleset(name="foo") {
> >>>     stop
> >>> }
> >>> *.* /var/log/test
> >>> call foo
> >>> ------------------------------------
> >>>
> >>> If the ruleset is empty, however, it will not:
> >>>
> >>> ------------------------------------
> >>> ruleset(name="foo") {
> >>> }
> >>> *.* /var/log/test
> >>> call foo
> >>> ------------------------------------
> >>>
> >>> rsyslogd: version 8.5.0, config validation run (level 1), master config
> >>> ./test.conf
> >>> rsyslogd: error during parsing file ./test.conf, on or before line 2:
> >>> syntax error on token '}' [try http://www.rsyslog.com/e/2207 ]
> >>> rsyslogd: CONFIG ERROR: could not interpret master config file
> >>> './test.conf'. [try http://www.rsyslog.com/e/2207 ]
> >>> rsyslogd: run failed with error -2207 (see rsyslog.h or try
> >>> http://www.rsyslog.com/e/2207 to learn what that number means)
> >>>
> >>>
> >> OK, that's a different question. Is the consensus we need to support this
> >> as well?
> >>
> >
> > I think so, with a warning reported at startup or something like that.
> >
> > David Lang
> >
> >> Rainer
> >>
> >>
> >>> Brian
> >>>
> >>>
> >>>
> >>> On Wed, Nov 19, 2014 at 10:35 AM, Brian Knox <[email protected]>
> >>> wrote:
> >>>
> >>>> For verifying the problem I ran rsyslog -N1 -f against just the subset of
> >>>> the config, if I recall correctly.  I believe my coworker had the same
> >>>> issue with the full config that definitely had actions in it - but I'll
> >>>> ask him to reproduce with the full configuration.  Thanks!
> >>>>
> >>>> Brian
> >>>>
> >>>> On Wed, Nov 19, 2014 at 10:13 AM, Rainer Gerhards <
> >>>> [email protected]> wrote:
> >>>>
> >>>>> Brian,
> >>>>>
> >>>>> I just revisited this problem report. I have now taken a look at the
> >>>>> code. The error message actually tells you that there is no action
> >>>>> inside the *entire config*, not just an empty ruleset. Can you confirm
> >>>>> there was nothing else in the config? If not, can you send me the
> >>>>> config, so that I can try to see what's going on.
> >>>>>
> >>>>> I assume we agree that a totally action-less config is an error ;)
> >>>>>
> >>>>> Rainer
> >>>>>
> >>>>> 2014-11-11 22:49 GMT+01:00 Brian Knox <[email protected]>:
> >>>>>
> >>>>>> If I was able to use an empty ruleset, a warning resulting from that
> >>>>>> wouldn't bother me at all.
> >>>>>>
> >>>>>> Brian
> >>>>>>
> >>>>>> On Tue, Nov 11, 2014 at 4:25 PM, David Lang <[email protected]> wrote:
> >>>>>>
> >>>>>>> On Tue, 11 Nov 2014, Rainer Gerhards wrote:
> >>>>>>>
> >>>>>>>> 2014-11-11 17:22 GMT+01:00 David Lang <[email protected]>:
> >>>>>>>>
> >>>>>>>>> On Tue, 11 Nov 2014, Brian Knox wrote:
> >>>>>>>>>
> >>>>>>>>>> Rainer,
> >>>>>>>>>>
> >>>>>>>>>> I agree that an empty ruleset is an oddity.  In our case, the short
> >>>>>>>>>> answer is that we are generating configurations from templates
> >>>>>>>>>> using chef, and the ability to have a ruleset that simply discards
> >>>>>>>>>> would make part of that process much simpler for us.
> >>>>>>>>>>
> >>>>>>>>>> It is admittedly an edge case.
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>> It's an edge case, but I think it's one that should be supported if
> >>>>>>>>> possible.
> >>>>>>>>>
> >>>>>>>>> automated config generation is very useful, and being able to group
> >>>>>>>>> rules into rulesets and call them with the calling function not
> >>>>>>>>> having any idea of what is going to happen with the logs at that
> >>>>>>>>> point is very useful, being able to have a high level config split
> >>>>>>>>> the logs up and call different rulesets on different logs without
> >>>>>>>>> having to worry if the ruleset does something with the logs or just
> >>>>>>>>> throws them away is _very_ useful.
> >>>>>>>>>
> >>>>>>>>> So it is a corner case, but I think it's a valuable one to support.
> >>>
> >>>>
> >>>>>>>>>
> >>>>>>>> ack
> >>>>>>>>
> >>>>>>>>> I would suggest that at config load time, that this is an odd enough
> >>>>>>>>> corner case that it's worth logging a "ruleset X can't do anything
> >>>>>>>>> with the logs" message, not just for the case where the only action
> >>>>>>>>> is to throw it away, but also for the cases where the conditions in
> >>>>>>>>> a ruleset cannot possibly match any log message (if priority = info
> >>>>>>>>> then *.crit also cannot match anything for example)
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>> Let's start with what we have on the table. I think it is best to add
> >>>>>>>> a ruleset parameter "permitEmpty=on". That way, we don't generate
> >>>>>>>> error/warning messages when the user is aware of what he is doing. In
> >>>>>>>> any manual case (without config gen), I'd still say that's an error
> >>>>>>>> indication.
> >>>>>>>>
> >>>>>>>>
> >>>>>>> I think that this is a sufficiently corner case that I'm not sure it's
> >>>>>>> worth the extra complexity to silence the warning. I think that people
> >>>>>>> who do this intentionally can just ignore the log message.
> >>>>>>>
> >>>>>>>> On the topic of no filter matches. That's quite complex, as you would
> >>>>>>>> need to evaluate all the filters and possible conditions. Not sure if
> >>>>>>>> it can even be reliably done. Am I overlooking something?
> >>>>>>>>
> >>>>>>>>
> >>>>>>> I am not saying that it should try to catch every possible case, but I
> >>>>>>> was thinking that the configuration optimization step would "optimize
> >>>>>>> away" some impossible combinations, and that could result in an empty
> >>>>>>> ruleset.
> >>>>>>
> >>>>>>> David Lang
> >>>>>>>
> >>>>>>> _______________________________________________
> >>>>>>> rsyslog mailing list
> >>>>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
> >>>>>>> http://www.rsyslog.com/professional-services/
> >>>>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
> >>>>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> >>>>>>> myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST
> >>>>>>> if you DON'T LIKE THAT.
> >>>>>>>

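Added example, not part of the thread and not rsyslog's own code: a pre-flight check for template-generated configs that reports rulesets with an empty body (which the thread shows rsyslogd 8.5.0 rejecting under -N1) and rulesets whose only statement is `stop`. The function names and the sample config are assumptions made for illustration; braces or `#` inside quoted strings are not handled.

```python
import re

# Constructed sample: the two rulesets from the thread plus a comment-only one.
SAMPLE = '''\
ruleset(name="foo") {
    stop
}
ruleset(name="bar") {
}
ruleset(name="baz") {
    # generated by template: no outputs configured
}
*.* /var/log/test
call foo
'''

RULESET_RE = re.compile(r'ruleset\s*\(\s*name\s*=\s*"([^"]+)"[^)]*\)\s*\{')

def strip_comments(text):
    """Drop '#' comments. Simplification: '#' inside a quoted string also cuts."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())

def ruleset_bodies(text):
    """Yield (name, body) for each ruleset block, matching nested braces."""
    text = strip_comments(text)
    for m in RULESET_RE.finditer(text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        if depth:
            raise ValueError(f"ruleset {m.group(1)!r}: unbalanced braces")
        yield m.group(1), text[m.end():i - 1].strip()

def classify(text):
    """Map ruleset name -> 'empty', 'discard-only' or 'ok'."""
    result = {}
    for name, body in ruleset_bodies(text):
        if not body:
            result[name] = "empty"          # fails -N1 on 8.5.0 per the thread
        elif body.split() == ["stop"]:
            result[name] = "discard-only"   # validates; discards what it is passed
        else:
            result[name] = "ok"
    return result

if __name__ == "__main__":
    for name, status in classify(SAMPLE).items():
        print(f"{name}: {status}")
```

A config generator can run this before `rsyslogd -N1` and emit `stop` into any ruleset reported as empty, while logging the discard-only ones so that dropped log streams are a visible decision.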