On Tue, 19 Jan 2021 at 17:24, John Chivian via rsyslog (<[email protected]>) wrote:
>
> ruleset (name="from_input") {
>     call write_to_file
>     call to_central_siem
>     call to_separate_file
> }
>
> If I understand the internals, each call is essentially a "duplicated fork"
> that will operate independently of each other. It's in the documentation
> somewhere, but using the call mechanism is correct.

YES, BUT ... you need to assign a queue to the called ruleset. Else it's synchronous.

Rainer

>
> Regards,
>
> > On Jan 19, 2021, at 09:48, Matthias Sitte via rsyslog
> > <[email protected]> wrote:
> >
> > Hi there,
> >
> > I am looking into the following configuration but a bit unsure about some
> > implementation details...
> >
> > Several originators send syslog messages to a rsyslog relay which shall do
> > the following tasks:
> >
> > 1) Write every log message to separate files based on hostnames.
> >
> > 2) Apply a few filters and send remaining syslog messages to central SIEM
> > solution.
> >
> > 3) In parallel to 2) apply a different set of filters (not necessarily a
> > superset) and write remaining syslog messages to a separate file for
> > realtime monitoring. (I'll just tail this one.)
> >
> > Concatenating steps 2 and 3 within a single ruleset is straightforward but
> > only works under the assumption that the filters applied in 2 are a subset
> > of the filters applied in 3.
> >
> > This brings me to my questions: Is there a way to process a single syslog
> > message in multiple rulesets (action chains) in parallel without affecting
> > each other? Is "call()" the right way to go, like use "call rs_siem; call
> > rs_rtmon" inside a ruleset rs_main?
> >
> > If that isn't possible what would be the best alternative to achieve this?
> > From the top of my head I could think about sending each message twice for
> > the two rulesets rs_siem and rs_rtmon...
> >
> > Best,
> > Matthias
> >
> > PS: Apologies if this question has been asked and answered on the
> > mailing list but I didn't manage to find it. Please simply point to the
> > email thread so I can digest the info from there.
> >
> > _______________________________________________
> > rsyslog mailing list
> > https://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
> > sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
> > LIKE THAT.
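The point Rainer makes (a called ruleset runs synchronously in the caller's thread unless it owns a queue) is easy to see in a full configuration. The following rsyslog v8 RainerScript is an added example written for this thread; it is not configuration posted by Rainer, John or Matthias. It implements the three tasks from Matthias's question: a per-host file written directly in the entry ruleset, and two called rulesets, rs_siem and rs_rtmon, each with its own filter set and its own queue, so that `call` merely enqueues a copy of the message and a stalled SIEM forwarder cannot delay the realtime monitoring file. All hostnames, ports, paths, the CA file and the filter conditions are assumptions for illustration.

```rsyslog
# Added example (not from the thread). Assumed values: ports, paths,
# siem.example.internal, the CA file and the filter conditions.
global(workDirectory="/var/spool/rsyslog"
       DefaultNetstreamDriverCAFile="/etc/rsyslog.d/ca.pem")

module(load="imudp")
module(load="imtcp")
input(type="imudp" port="514" ruleset="rs_main")
input(type="imtcp" port="514" ruleset="rs_main")

# 1) One file per originating host. The hostname comes from the message
#    (i.e. from the sender), so secpath-drop strips any "/" a crafted
#    hostname might carry and the dynafile cannot leave /var/log/remote.
template(name="per_host_file" type="string"
         string="/var/log/remote/%HOSTNAME:::secpath-drop%.log")

# 2) SIEM feed. Because the ruleset owns a disk-assisted queue,
#    "call rs_siem" enqueues a copy and returns at once; if the SIEM is
#    slow or down, messages pile up here (spilling to q_rs_siem on disk)
#    instead of blocking rs_main or rs_rtmon.
ruleset(name="rs_siem"
        queue.type="LinkedList"
        queue.size="100000"
        queue.filename="q_rs_siem"
        queue.maxDiskSpace="1g"
        queue.saveOnShutdown="on") {
    # keep warnings and worse, plus everything from auth-relevant daemons
    if ($syslogseverity <= 4) or ($programname == "sshd")
       or ($programname == "sudo") then {
        action(type="omfwd"
               target="siem.example.internal" port="6514" protocol="tcp"
               StreamDriver="gtls" StreamDriverMode="1"
               StreamDriverAuthMode="x509/name"
               StreamDriverPermittedPeers="siem.example.internal"
               action.resumeRetryCount="-1")
    }
}

# 3) Realtime monitoring file. Its filter is deliberately not a subset of
#    the SIEM filter; the in-memory queue keeps it independent of rs_siem.
ruleset(name="rs_rtmon"
        queue.type="LinkedList"
        queue.size="20000") {
    if ($syslogseverity <= 2) or ($msg contains "Failed password") then {
        action(type="omfile" file="/var/log/rtmon.log")
    }
}

# Entry point: per-host copy is written synchronously, then the message
# is handed to both queued rulesets. Without the queue.* parameters on
# rs_siem and rs_rtmon, the two calls would run one after the other
# inside this ruleset's thread.
ruleset(name="rs_main") {
    action(type="omfile" dynaFile="per_host_file")
    call rs_siem
    call rs_rtmon
}
```

Two things worth checking after deploying something like this: `rsyslogd -N1` validates the syntax, and stopping the SIEM listener for a moment and watching `/var/log/rtmon.log` keep growing confirms that the forwarder's suspension is confined to the rs_siem queue. The `queue.filename` parameter only takes effect when `workDirectory` is set and writable by the rsyslog user.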

