MK
On 3.11.2022 13:05, Rainer Gerhards wrote:
It's complicated. This may be a bug. I tend to say it is, although some may argue the man page text does not cover this specific case. Anyhow, this was not introduced into rsyslog, but into sysklogd. My earliest commit is from 2004, with a little bit of non-git history before. I can't find the original sysklogd source any longer, but I am totally sure we did not touch this part of the code in the early 2000's (we were focussed on database writing). Have a look at the original code, and head to line 2512. It's (minus cosmetic utility function changes) the same code as it is today. https://github.com/rsyslog/rsyslog/commit/05f2f1839c2712ca77e86aa679dc909d051fc23b?diff=unified#diff-9d04cb1c9964eae767720b1cfc19111074b0fe23e22416d8594872c49737a304R2512 Even more so, the man page text also stems directly back to sysklogd, without any alteration in wording. How to go forward? Of course I can fix this "bug", but that would probably cause a loooot of grief with long-existing configs. So I would tend to say it is a doc bug so let's fix the doc and be done. Any comments? David Lang maybe? Rainer El jue, 3 nov 2022 a las 10:26, Rainer Gerhards (<[email protected]>) escribió:In any case, if it is a bug, fixing it is hard for compatibility reasons. The code has not been touched for a very long time. https://github.com/rsyslog/rsyslog/blame/master/runtime/conf.c#L356 Rainer El jue, 3 nov 2022 a las 10:08, Rainer Gerhards (<[email protected]>) escribió:maybe I have not fully understood the original question. Will try later today ;-) However, that part of the code that parses the selectors is actually still the same we inherited from syslogd ~20 years ago. Of course, I can't outrule we made some changes, but I honestly don't think so. Rainer El jue, 3 nov 2022 a las 9:23, Mariusz Kruk via rsyslog (<[email protected]>) escribió:I'm not saying that behaviour is wrong but I'd interpret the wording in the docs as Gordon intended. https://www.rsyslog.com/doc/v8-stable/configuration/filters.html "Multiple selectors may be specified for a single action using the semicolon (“;’’) separator. Remember that each selector in the selector field is capable to overwrite the preceding ones. Using this behavior you can exclude some priorities from the pattern." (as a side note - "capable" connects with "of *ing", so should be rather used as "capable of overwriting" but that's not the point ;-)). I'd intepret that passage as "if you add multiple selectors with semilcolons, the latter ones overwrite the former" so I'd expect it to work as Gordon did. It might need rewording if it works differently. MK On 2.11.2022 20:18, Rainer Gerhards via rsyslog wrote:Info is higher severity than debug, so it validly matches. Sent from phone, thus brief. David Lang via rsyslog <[email protected]> schrieb am Mi., 2. Nov. 2022, 20:10:not that I expect this to fix it (this isn't something I've seen as a known bug), but could you please confirm that this still happens on the current version of rsyslog? David Lang On Wed, 2 Nov 2022, Gordon Marler (BLOOMBERG/ 120 PARK) via rsyslog wrote:Date: Wed, 2 Nov 2022 19:01:22 -0000 From: "Gordon Marler (BLOOMBERG/ 120 PARK) via rsyslog" <[email protected]> Reply-To: Gordon Marler <[email protected]>, rsyslog-users <[email protected]> To: [email protected] Cc: "Gordon Marler (BLOOMBERG/ 120 PARK)" <[email protected]> Subject: Re: [rsyslog] Reducing selector effect in RainerScript I've stripped down my config to just this rule, and tried with andwithout the stop directive - after restarting rsyslogd, of course - no change.Also happens on the rsyslogd versions delivered with Solaris 11.4, RHEL7.x and RHEL 8.x, which all hover around the 8.210x versionFrom: [email protected] At: 11/02/22 03:45:01 UTC-4:00To:[email protected]Cc: [email protected] Subject: Re: [rsyslog] Reducing selector effect in RainerScript Generally, your config should work the way you indended. It's hard to say however if other entries in your config don't cause any side effects. You could add a "stop" directive to make sure that events matching your selector won't be processed further. Like: *.debug;local6.err { action( type="omfile" file="/what/ever/file") stop } On 2.11.2022 01:26, Gordon Marler (BLOOMBERG/ 120 PARK) via rsyslogwrote:I'm porting some configurations from syslog to rsyslog, and seeing someunexpected selector behavior in rsyslog 8.2104After reading the selector examples from the configuration portion ofthersyslog manual, I'm either misunderstanding how this is supposed towork, orthere's a long standing issue here.So, the original selector looks like this: *.debug;local6.err The intent is to log all facilities at debug or higher, except forlocal6,which should only log at err or higher. So I end up with a RainerScriptblocklike so:*.debug;local6.err { action( type="omfile" file="/what/ever/file") } But, I start to see messages at local6.info show up in the file,surprisingly.To get the desired end effect, I end up having to craft the selectorlike so(which only works because only local6.info is chatty, nothing higherthanthat), which surprises me:*.debug;local6.err;local6.!=info So, am I simply doing this wrong/misunderstanding how selectors work,or isthere something odd going on?_______________________________________________ rsyslog mailing list https://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by amyriad ofsites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if youDON'T LIKETHAT. _______________________________________________ rsyslog mailing list https://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriadofsites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if youDON'T LIKETHAT. _______________________________________________ rsyslog mailing list https://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriadof sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT. _______________________________________________ rsyslog mailing list https://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT._______________________________________________ rsyslog mailing list https://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT._______________________________________________ rsyslog mailing list https://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
_______________________________________________ rsyslog mailing list https://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
