I finally got around to this.

So, in my configuration, which is rather simple and doesn't differ much from a 
default one, I do this:

:syslogtag, contains, "postgres"                        /var/log/postgresql.log
&~

*.*                                                     /var/log/syslog

*.* @@172.16.16.1:2514

I want PostgreSQL logs in a separate file (and only this one file), and to also 
send them to a remote server for further processing there. However, if I stop 
processing on the client with the discard command &~, they never get sent to 
the remote server. 

After reading documentation (a while ago), I somehow was under the impression that 
rsyslog would process rules in the order of their appearance in a configuration 
file. So, I naturally tried to move the "*.* @@172.16.16.1:2514" line up and 
rearranged the order to the effect of this:


*.* @@172.16.16.1:2514

:syslogtag, contains, "postgres"                        /var/log/postgresql.log
&~

*.*                                                     /var/log/syslog

But it still wouldn't work. I would see /var/log/postgresql.log being written 
to on the client, but nothing arriving at the remote server.

If I do away with the &~, messages are logged to /var/log/postgresql.log and 
/var/log/syslog and are sent to the remote server, regardless of where I place 
the "*.* @@172.16.16.1:2514" line, at the top or at the bottom of the 
configuration file.

Unless there is some other way, it appears I need to use an 
expression-based filter. I have another question regarding this, however. How 
does one express the *.* in an expression like this:

if $syslogfacility-text == '*.*' and not \
($syslogfacility-text == 'auth' or $syslogfacility-text == 'authpriv' \
or $syslogtag contains 'postgres') then /var/log/syslog

?

That clearly doesn't work, the *.* part.

Ivan
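
An added example, not part of the original message: per rsyslog's documented legacy (v5) syntax, a forwarding action can be chained onto the postgres rule with & ahead of the discard, and an expression-based filter matches every facility and priority simply by containing no facility test. The address and paths are the ones from the message above; that this layout behaves as documented on the poster's system is an assumption.

```conf
# Constructed example for rsyslog v5 legacy syntax (not the poster's config).

# 1. PostgreSQL messages: write the local file, forward over TCP, then discard.
#    "&" attaches another action to the same filter, so the forward runs
#    before "& ~" stops further processing of the message.
:syslogtag, contains, "postgres"    /var/log/postgresql.log
& @@172.16.16.1:2514
& ~

# 2. Everything that survived the discard, except auth/authpriv, goes to
#    /var/log/syslog. There is no '*.*' term: an expression that does not
#    test facility or severity already applies to all of them.
if not ($syslogfacility-text == 'auth' or \
        $syslogfacility-text == 'authpriv') \
then /var/log/syslog

# 3. Forward all remaining messages to the central server over TCP.
*.* @@172.16.16.1:2514
```

Running `rsyslogd -N1` against the file checks the syntax before the daemon is restarted.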


On Aug 8, 2014, at 2:38 AM, David Lang <[email protected]> wrote:

> On Fri, 8 Aug 2014, Ivan Lezhnjov IV wrote:
> 
>> Just to be clear, is this configuration syntax supported by the legacy v5? 
>> Because that's all I can use.
> 
> that syntax is v8, you can do it in v5 but it would be a different syntax.
> 
> David Lang
> 
>> Ivan
>> 
>> On Aug 7, 2014, at 10:19 PM, Eugene Istomin <[email protected]> wrote:
>> 
>>> Hello,
>>> 
>>> if by 'directly' you mean just not to write a local text log -
>>> 
>>> 
>>> if $hostname == $$myhostname and $programname == [ ....]
>>> then {
>>>     call send_log & stop
>>> }
>>> 
>>> ruleset(name="send_log")
>>> {
>>>     action(type="om*" .....)
>>> }
>>> 
>>> 
>>> Of course, this should be written/included before any omfile/other local 
>>> textlog actions.
>>> ---
>>> Best regards,
>>> Eugene Istomin
>>> 
>>> On Thursday, August 07, 2014 09:16:04 PM Ivan Lezhnjov IV wrote:
>>>> Hello,
>>>> 
>>>> I was wondering if it is possible to send messages that are coming in from
>>>> text files monitored by imfile directly to a remote server. That is, these
>>>> messages must never appear in any syslog log files on the client machine.
>>>> 
>>>> The reason I'm looking for this sort of configuration is because it strikes
>>>> me as redundant and utterly superfluous to duplicate other programs' log
>>>> file in syslog.
>>>> 
>>>> Ivan
>>>> _______________________________________________
>>>> rsyslog mailing list
>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>>> http://www.rsyslog.com/professional-services/
>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
>>>> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
>>>> LIKE THAT.