Re: [rsyslog] one action queue but with different template per rule

Tue, 23 Oct 2018 01:22:32 -0700 

On Mon, 22 Oct 2018, Prasad Koya via rsyslog wrote:


Hi


We are using rsyslog-7.2.6. Been going through
please update to something the community can support,currently 8.36 (about 5 years of development newer than 7.2) 



We have few rules like below with all of them forwarding to same syslog
server. However, depending upon the contents of source message we'd like to
send different message ie., with different template to syslog server.
Instead of having multiple a thread spawned for each action queue, is there
a way we can invoke same action queue with different template?


if $syslogfacility-text == 'kern' and $msg contains ':PERMIT:' then

  action(name="UcpFw" type="omfwd" Target="192.168.1.102" Port="514"

         Protocol="udp" queue.type="LinkedList" queue.timeoutShutdown="0"
queue.template="IP_PERMIT_REMOTE")


if $syslogfacility-text == 'kern' and $msg contains ':DENY:' then

  action(name="UcpFw" type="omfwd" Target="192.168.1.102" Port="514"

         Protocol="udp" queue.type="LinkedList" queue.timeoutShutdown="0"
queue.template="IP_DENY_REMOTE")


Net effect is that we'd like rsyslogd to spawn one action queue thread to
handle all rules that forward to same syslog server. Is that possible?
instead of putting the queue on each action, group the actions into a ruleset and put the queue on the ruleset, that way all the actions in that ruleset will be handled by one thread. 

The other way to do it is to create a template
$template,foo="$.bar"
and then set $.bar to whatever you want and then you can have a single forward action. 


2.

We are trying to see if we can have idle thread exit if there are no
messages going for some idle period. We tried queue.timeoutShutdown="10000"
but we do not see the thread going away.
Rsyslog will always keep one thread active, that parameter only has an effect when you have had so much load that you have multiple threads spawned. 

David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.

Reply via email to