On Mon, 19 Jan 2015, Brett Delle Grazie wrote:
On 19 January 2015 at 17:23, David Lang <[email protected]> wrote:
On Mon, 19 Jan 2015, Tait Clarridge wrote:
On Mon, Jan 19, 2015 at 9:03 AM, Brett Delle Grazie
<[email protected]> wrote:
Hi,
Is it possible to bind e.g. TCP input to multiple rule sets - so that two
copies of the output are generated?
For example:
$InputUDPServerBindRuleset local-file
$InputUDPServerBindRuleset remote-es
Where 'local-file' goes to local file system and 'remote-es' goes to
Elastic Search?
Hi Brett,
You could have one ruleset with multiple destinations. Where the
destination entries for local-file and remote-es are under a single
ruleset. Each can have its own formatting rules/templates etc.
Thanks Tait!
you can also call one ruleset from inside another one.
but you cannot bind two rulesets to one input (after all, what should
rsyslog do, run one and then the other, if so which one? or run them in
parallel, or ???)
using the old syntax like you are, the second declaration will override
the first. This is one of the places where the new syntax makes it much
clearer what's going on.
David Lang
Hi David,
What I've done instead is to specify multiple actions for the same rule set
using the newer syntax which is indeed _much_ cleaner.
The only reasons to have rulesets call other rulesets are:
1. you have some rules that are different and some rules that are the same and
don't want to duplicate the rules.
2. you have multiple rulesets that you want to output the the same destination
where the destination doesn't support concurrent writes (writing to a file, or a
database that allows limited connections.
3. If you have different people managing different parts of the rules, you can
define rulesets in include files and have the different groups manage their part
of the rules (watch out for drop rules)
4. if the rules are logically separate, you may want to use rulesets to group
them, but there is a cost to using multiple rulesets, so this is somewhat
questionable.
David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
