duplicate omfile logging

General discussions here

Moderator: rgerhards

duplicate omfile logging

Post by bramuno » Fri Mar 24, 2017 6:48 pm

Hello, I am hoping someone has seen this issue and can help me. I have noticed that my rsyslog installation is working, but it's sorting everything twice. I have a lot of rules to sort specific hostnames or $msg strings to particular folders and this is working fine. However, the default rule at the end is in effect for anything the previous rules did not catch.

The default rule should rarely be used but, for some reason, every single log entry received is being sorted by the default rule after it's already been sorted by the matching rule located above the default rule.

Code:
# first rule
*.* if $fromhost-ip != "x.x.x.26" and $msg contains "NetScreen"
    then
{
        if $msg contains "traffic" or $msg contains "system-notification-00257"
                then action(type="omfile" DynaFile="netscreenTraffic")
        else
                then
                action(type="omfile" DynaFile="netscreenEvents")
}
#####  lots of rules between
else
        then action(type="omfile" DynaFile="default")



With the above rules, netscreen syslogs should get caught by the first rule and sent to the netscreen folder (omfile), which it does. However, the default action is also triggered and a log entry is created in the default folder omfile. Sadly, it's filling up my disk space, so I am hoping someone may have a suggestion. Any help is appreciated, thanks :)
bramuno
New
 
Posts: 1
Joined: Fri Mar 24, 2017 6:37 pm

Re: duplicate omfile logging

Post by dlang » Fri Mar 24, 2017 6:56 pm

Working as designed :-)

Matching one rule doesn't mean that other rules can't also match.

If you want to stop processing the log message after you do something with it, use the stop action inside the same {} block to tell rsyslog that you don't want it to consider any of the rules past this point.
dlang
Frequent Poster
 
Posts: 1001
Joined: Mon Sep 15, 2008 7:44 am
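
One way to apply the stop advice from the reply above to the rule in the question, as an added example that is not from either poster. The three template definitions and their file paths are assumptions (the thread only shows the template names), and "x.x.x.26" is the redacted address from the original post.

```conf
# Assumed DynaFile templates; the thread names them but does not show them.
template(name="netscreenTraffic" type="string"
         string="/var/log/remote/netscreen/%HOSTNAME%/traffic.log")
template(name="netscreenEvents" type="string"
         string="/var/log/remote/netscreen/%HOSTNAME%/events.log")
template(name="default" type="string"
         string="/var/log/remote/default/%HOSTNAME%.log")

# First rule: NetScreen messages from any host except x.x.x.26.
if $fromhost-ip != "x.x.x.26" and $msg contains "NetScreen" then {
    if $msg contains "traffic" or $msg contains "system-notification-00257" then {
        action(type="omfile" dynaFile="netscreenTraffic")
    } else {
        # RainerScript "else" takes a block directly, with no "then".
        action(type="omfile" dynaFile="netscreenEvents")
    }
    # The message has been written once; stop discards it here so that
    # no later rule, including the default below, sees it.
    stop
}

# ... further sorting rules, each block ending in "stop" ...

# Default rule: only messages that no earlier block stopped reach this line,
# so it needs no "else" tying it to the rules above.
action(type="omfile" dynaFile="default")
```

After editing, `rsyslogd -N1` checks the configuration for syntax errors without starting the daemon.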
