On Wed, 24 Feb 2021, odrzen wrote:
> I am more wondering to understand what is the right way and why to use
> rulesets, actions or queues and especially in this case to send particular log
> files to a central rsyslog.

There are a few reasons to use a ruleset:

1. When you have an input (say a network port) that is very different than other
inputs and you only want to have a subset of the rules processed for logs that
arrive on this input.

2. A variant of #1: if you want to make sure that logs arriving from one input
cannot be blocked if the queue builds up processing other inputs, you configure
as #1 and add a queue to the ruleset.

3. If you want to put a queue on a group of actions, say sending to one of a
couple different destinations (failover). If you put a queue on each action, it
will 'succeed' by putting the message in the queue, even if it's not sent. But
you can put a queue on the ruleset to buffer things at that level, then have
actions that don't have a queue and can fail (which you can detect).

4. Avoiding duplicate writers to one destination. If you are writing to the same
file/sending to the same remote machine and have 10 different actions in your
rule that all have the same output, they will all be trying to output at the
same time (opening multiple connections to remote systems). If you put the
action in a ruleset and call it from all of those destinations, you only have
one connection.

5. Making the ruleset easier to understand. Just like functions in programming
languages, it may be easier to understand a config file that calls rulesets that
hide the details rather than having all the statements inline.

David Lang
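
The points in the reply above, sketched as an rsyslog configuration. This is an added example, not part of David Lang's message; the hostnames, file paths, port numbers, queue sizes and ruleset names are placeholders chosen for illustration.

```conf
# Added example. All names, paths, hosts and sizes below are placeholders.
global(workDirectory="/var/spool/rsyslog")
module(load="imfile")
module(load="imtcp")

# Reasons 3 and 4: one ruleset owns the forwarding actions.
# The queue sits on the ruleset; the actions keep the default direct
# (queue-less) mode, so a failed send is seen as a failure and the
# second action can take over. Every caller shares these actions,
# so only one connection per destination is opened.
ruleset(name="fwd_central"
        queue.type="LinkedList"
        queue.filename="fwd_central"
        queue.maxDiskSpace="1g"
        queue.saveOnShutdown="on") {
    action(type="omfwd" target="central1.example.net" port="514"
           protocol="tcp" action.resumeRetryCount="2")
    action(type="omfwd" target="central2.example.net" port="514"
           protocol="tcp" action.execOnlyWhenPreviousIsSuspended="on")
}

# Reason 1: messages from this file input are processed only by the
# ruleset bound to it, not by the default ruleset.
ruleset(name="app_files") {
    call fwd_central
}
input(type="imfile" file="/var/log/myapp/app.log" tag="myapp:"
      ruleset="app_files")

# Reason 2: the network input gets its own ruleset with its own queue,
# so a backlog elsewhere cannot block messages arriving here.
ruleset(name="remote_in" queue.type="FixedArray" queue.size="50000") {
    action(type="omfile" file="/var/log/remote.log")
}
input(type="imtcp" port="10514" ruleset="remote_in")

# Reason 5: the default ruleset stays short and reuses the same
# forwarding ruleset instead of repeating the omfwd actions inline.
if prifilt("auth,authpriv.*") then {
    call fwd_central
}
```

Running `rsyslogd -N1 -f <file>` checks the syntax of a configuration like this without starting the daemon.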