On 19 January 2015 at 21:58, David Lang wrote:
> On Mon, 19 Jan 2015, Brett Delle Grazie wrote:
>
>> On 19 January 2015 at 17:23, David Lang wrote:
>>
>> On Mon, 19 Jan 2015, Tait Clarridge wrote:
>>>
>>> On Mon, Jan 19, 2015 at 9:03 AM, Brett Delle Grazie wrote:
>>>>
>>>> Hi,
>>>>>
>>>>> Is it possible to bind e.g. TCP input to multiple rule sets - so that
>>>>> two copies of the output are generated?
>>>>>
>>>>> For example:
>>>>> $InputUDPServerBindRuleset local-file
>>>>> $InputUDPServerBindRuleset remote-es
>>>>>
>>>>> Where 'local-file' goes to local file system and 'remote-es' goes to
>>>>> Elastic Search?
>>>>>
>>>>> Hi Brett,
>>>>>
>>>> You could have one ruleset with multiple destinations. Where the
>>>> destination entries for local-file and remote-es are under a single
>>>> ruleset. Each can have its own formatting rules/templates etc.
>>>>
>>> Thanks Tait!
>>>
>> you can also call one ruleset from inside another one.
>>>
>>> but you cannot bind two rulesets to one input (after all, what should
>>> rsyslog do, run one and then the other, if so which one? or run them in
>>> parallel, or ???)
>>>
>>> using the old syntax like you are, the second declaration will override
>>> the first. This is one of the places where the new syntax makes it much
>>> clearer what's going on.
>>>
>>> David Lang
>>>
>> Hi David,
>>
>> What I've done instead is to specify multiple actions for the same rule
>> set using the newer syntax which is indeed _much_ cleaner.
>>
>
> The only reasons to have rulesets call other rulesets are:
>
> 1. you have some rules that are different and some rules that are the same
> and don't want to duplicate the rules.
>
> 2. you have multiple rulesets that you want to output to the same
> destination where the destination doesn't support concurrent writes
> (writing to a file, or a database that allows limited connections).
>
> 3. If you have different people managing different parts of the rules, you
> can define rulesets in include files and have the different groups manage
> their part of the rules (watch out for drop rules)
>
> 4. if the rules are logically separate, you may want to use rulesets to
> group them, but there is a cost to using multiple rulesets, so this is
> somewhat questionable.

Hi David,

None of those conditions really apply. I'm simply saving the messages to
local files in RFC5424 format (for permanent independent storage) and then
sending them on to Elastic Search for indexing.

Thanks for the information however.

Cheers,
Brett

>
> David Lang
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
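
The setup the thread converges on (one input bound to one ruleset that holds two actions), written in the newer syntax as an added example; it is not configuration posted by anyone in the thread. The ruleset name, file path, Elasticsearch host, index name and queue size are assumptions.

```conf
# Legacy form from the question. As stated in the thread, the second
# directive overrides the first, so only "remote-es" would be bound:
#   $InputUDPServerBindRuleset local-file
#   $InputUDPServerBindRuleset remote-es

module(load="imudp")
module(load="omelasticsearch")

# One ruleset, two actions: every message is handed to both destinations.
ruleset(name="store-and-index") {
    # Permanent local copy, written with the built-in RFC 5424 template.
    # The path is an assumed example.
    action(type="omfile"
           file="/var/log/remote/messages.log"
           template="RSYSLOG_SyslogProtocol23Format")

    # Copy for indexing. Host and index are assumed examples.
    # The dedicated action queue and unlimited retry let messages wait
    # in memory while Elasticsearch is unreachable, so an outage there
    # does not hold up the local file action above.
    action(type="omelasticsearch"
           server="es.example.internal"
           serverport="9200"
           searchIndex="syslog"
           queue.type="LinkedList"
           queue.size="10000"
           action.resumeRetryCount="-1")
}

# A single binding on the input; no second ruleset is required.
input(type="imudp" port="514" ruleset="store-and-index")
```

The file can be syntax-checked before deployment with `rsyslogd -N1 -f <path-to-file>`.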

