Re: [rsyslog] Trying to understand use of stop and custom

Sun, 21 Oct 2018 07:49:54 -0700 

Sorry, right now I have only time to post a better link.

https://www.rsyslog.com/doc/v8-stable/configuration/basic_structure.html

In your example stop is applied unconditionally as it is not inside a block
{} structure with a filter.

Rainer


Sent from phone, thus brief.


J Travis Lindsey via rsyslog <[email protected]> schrieb am So.,
21. Okt. 2018, 16:12:

> Hello,
>
> I'm trying to get a better understanding of rsyslog and stop and custom
> files.
>
> I have a rule based on the `basic` format like this:
> ```
> # in /etc/rsyslog.d//00-custom1.conf
> if $fromhost-ip=='192.168.0.1' then /var/log/remote_firewall.log
> stop
> ```
>
> The one benefit that i found of stop is that it prevents the messages i was
> filtering from also showing up in /var/log/syslog. The docs state stop
> <
> https://www.rsyslog.com/doc/v8-stable/configuration/actions.html?highlight=stop
> >
> is to "filter out messages before carrying on any further processing". Is
> "stop" always in the context of the rule preceding it? So basically in my
> example, it just stops the processing of anymore of if
> $fromhost-ip=='192.168.0.1' then /var/log/remote_firewall.log?
>
> Or, maybe in the above case, is the following true?
>
>    1. Any rules in filenames greater than 00 (like 01-custom.conf) will not
>    be honored because of the last "stop
>    <
> https://www.rsyslog.com/doc/v8-stable/configuration/actions.html?highlight=stop
> >"
>    in  00-custom1.conf?
>    2. Any rules after the "stop
>    <
> https://www.rsyslog.com/doc/v8-stable/configuration/actions.html?highlight=stop
> >"
>    line in the 00-custom1.conf file will not be honored?
>
>
> How does the order of files in "rsyslog.d/<0-9>-*.conf" work?
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
>
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Reply via email to