ruleset(name="from_input") {
    call write_to_file
    call to_central_siem
    call to_separate_file
}
If I understand the internals, each call is essentially a “duplicated fork”
that will operate independently of each other. It’s in the documentation
somewhere, but using the call mechanism is correct.
Regards,
> On Jan 19, 2021, at 09:48, Matthias Sitte via rsyslog
> <[email protected]> wrote:
>
> Hi there,
>
> I am looking into the following configuration but a bit unsure about some
> implementation details...
>
> Several originators send syslog messages to a rsyslog relay which shall do
> the following tasks:
>
> 1) Write every log message to separate files based on hostnames.
>
> 2) Apply a few filters and send remaining syslog messages to central SIEM
> solution.
>
> 3) In parallel to 2) apply a different set of filters (not necessarily a
> superset) and write remaining syslog messages to a separate file for realtime
> monitoring. (I'll just tail this one.)
>
> Concatenating steps 2 and 3 within a single ruleset is straightforward but
> only works under the assumption that the filters applied in 2 are a subset of
> the filters applied in 3.
>
> This brings me to my questions: Is there a way to process a single syslog
> messages in multiple rulesets (action chains) in parallel without affecting
> each other? Is "call()" the right way to go, like use "call rs_siem; call
> rs_rtmon" inside a ruleset rs_main?
>
> If that isn't possible what would be the best alternative to achieve this?
> From the top of my head I could think about sending each message twice for
> the two rulesets rs_siem and rs_rtmon...
>
> Best,
> Matthias
>
> PS: Apologies if this question has been asked and answered on the mailinglist
> but I didn't manage to find it. Please simply point to the email thread so I
> can digest the info from there.
>
> _______________________________________________
> rsyslog mailing list
> https://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
> LIKE THAT.
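A complete relay configuration for the three-task setup described in the question, using the call fan-out from the reply. This is an added example, not configuration from either poster; the listener port, file paths, SIEM hostname and the two filter conditions are assumptions chosen to show that step 3's filter need not be a superset of step 2's.

```rainerscript
# Load a UDP listener and bind it to the entry ruleset (port is an assumption).
module(load="imudp")
input(type="imudp" port="514" ruleset="from_input")

# Step 1: one file per originating host (path is an assumption).
template(name="PerHostFile" type="string"
         string="/var/log/remote/%HOSTNAME%/syslog.log")

ruleset(name="write_to_file") {
    action(type="omfile" dynaFile="PerHostFile")
}

# Step 2: filter, then forward to the SIEM (hostname is an assumption).
# The action-level queue and unlimited retries keep a SIEM outage from
# blocking the other two rulesets.
ruleset(name="to_central_siem") {
    if $syslogseverity <= 4 then {
        action(type="omfwd" target="siem.example.internal" port="514"
               protocol="tcp" queue.type="LinkedList"
               action.resumeRetryCount="-1")
    }
}

# Step 3: a different filter, deliberately not a superset of step 2,
# feeding the file that is tailed for realtime monitoring.
ruleset(name="to_separate_file") {
    if $programname == "sshd" or $syslogseverity <= 2 then {
        action(type="omfile" file="/var/log/rtmon.log")
    }
}

# Entry point: each call hands the same message to the named ruleset in
# turn, so a filter dropping it in one ruleset does not affect the others.
ruleset(name="from_input") {
    call write_to_file
    call to_central_siem
    call to_separate_file
}
```

Without a queue parameter on a called ruleset the call runs inline; give a ruleset its own queue (for example `queue.type="LinkedList"` on the ruleset) if it must not delay the caller.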