Ok - perhaps we have accidently conflated two problems: 1) An empty ruleset 2) A ruleset with only "stop"
this will pass validation: ------------------------------------ ruleset(name="foo") { stop } *.* /var/log/test call foo ------------------------------------ If the ruleset is empty, however, it will not: ------------------------------------ ruleset(name="foo") { } *.* /var/log/test call foo ------------------------------------ rsyslogd: version 8.5.0, config validation run (level 1), master config ./test.conf rsyslogd: error during parsing file ./test.conf, on or before line 2: syntax error on token '}' [try http://www.rsyslog.com/e/2207 ] rsyslogd: CONFIG ERROR: could not interpret master config file './test.conf'. [try http://www.rsyslog.com/e/2207 ] rsyslogd: run failed with error -2207 (see rsyslog.h or try http://www.rsyslog.com/e/2207 to learn what that number means) Brian On Wed, Nov 19, 2014 at 10:35 AM, Brian Knox <bk...@digitalocean.com> wrote: > For verifying the problem I ran rsyslog -N1 -f against just the subset of > the config, if I recall correctly. I believe my coworker had the same > issue with the full config that definitely had actions in it - but I'll ask > him to reproduce with the full configuration. Thanks! > > Brian > > On Wed, Nov 19, 2014 at 10:13 AM, Rainer Gerhards < > rgerha...@hq.adiscon.com> wrote: > >> Brian, >> >> I just revisited this problem report. I have now taken a look at the code. >> The error message actually tells you that there is no action inside the >> *entire config*, not just an empty ruleset. Can you confirm there was >> nothing else in the config? If not, can you send me the config, so that I >> can try to see what's going on. >> >> I assume we agree that a totally action-less config is an error ;) >> >> Rainer >> >> 2014-11-11 22:49 GMT+01:00 Brian Knox <bk...@digitalocean.com>: >> >> > If was able to use an empty ruleset, a warning resulting from that >> wouldn't >> > bother me at all. >> > >> > Brian >> > >> > On Tue, Nov 11, 2014 at 4:25 PM, David Lang <da...@lang.hm> wrote: >> > >> > > On Tue, 11 Nov 2014, Rainer Gerhards wrote: >> > > >> > > 2014-11-11 17:22 GMT+01:00 David Lang <da...@lang.hm>: >> > >> >> > >> On Tue, 11 Nov 2014, Brian Knox wrote: >> > >>> >> > >>> Rainer, >> > >>> >> > >>>> >> > >>>> I agree that an empty ruleset is an oddity. In our case, the short >> > >>>> answer >> > >>>> is that we are generating configurations from templates using chef, >> > and >> > >>>> the >> > >>>> ability to have a ruleset that simply discards would make part of >> that >> > >>>> process much simpler for us. >> > >>>> >> > >>>> It is admittedly an edge case. >> > >>>> >> > >>>> >> > >>> It's an edge case, but I think it's one that should be supported if >> > >>> possible. >> > >>> >> > >>> automated config generation is very useful, and being able to group >> > rules >> > >>> into rulesets and call them with the calling function not having any >> > idea >> > >>> of what is going to happen with the logs at that point is very >> useful, >> > >>> being able to have a high level config split the logs up and call >> > >>> different >> > >>> rulesets on different logs without having to worry if the ruleset >> does >> > >>> something with the logs or just throws them away is _very_ useful. >> > >>> >> > >>> So it is a corner case, but I think it's a valuable one to support. >> > >>> >> > >>> >> > >>> ack >> > >> >> > >> >> > >> I would suggest that at config load time, that this is an odd enough >> > >>> corner case that it's worth logging a "ruleset X can't do anything >> with >> > >>> the >> > >>> logs" message, not just for the case where the only action is to >> throw >> > it >> > >>> away, but also for the cases where the conditions in a ruleset >> cannot >> > >>> possibly match any log message (if priority = info then *.crit also >> > >>> cannot >> > >>> match anything for example) >> > >>> >> > >>> >> > >>> Let's start with what we have on the table. I think it is best to >> add >> > a >> > >> ruleset parameter "permitEmpty=on". That way, we don't generate >> > >> error/warning messages when the user is aware of what he is doing. In >> > any >> > >> manual case (without config gen), I'd still say that's an error >> > >> indication. >> > >> >> > > >> > > I think that this is a sufficently corner case that I'm not sure it's >> > > worth the extra complexity to silence the warning. I think that people >> > who >> > > do this intentionally can just ignore the log message. >> > > >> > > On the topic of no filter matches. That's quite complex, as you would >> > need >> > >> to evaluate all the filters and possible conditions. Not sure if it >> can >> > >> even reliably done. Am I overlooking something? >> > >> >> > > >> > > I am not saying that it should try to catch every possible case, but I >> > was >> > > thinking that the configuration optimization step would "optomize >> away" >> > > some impossible combinations, and that could result in an empty >> ruleset. >> > > >> > > David Lang >> > > >> > > _______________________________________________ >> > > rsyslog mailing list >> > > http://lists.adiscon.net/mailman/listinfo/rsyslog >> > > http://www.rsyslog.com/professional-services/ >> > > What's up with rsyslog? Follow https://twitter.com/rgerhards >> > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a >> myriad >> > > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you >> > > DON'T LIKE THAT. >> > > >> > _______________________________________________ >> > rsyslog mailing list >> > http://lists.adiscon.net/mailman/listinfo/rsyslog >> > http://www.rsyslog.com/professional-services/ >> > What's up with rsyslog? Follow https://twitter.com/rgerhards >> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad >> > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you >> > DON'T LIKE THAT. >> > >> _______________________________________________ >> rsyslog mailing list >> http://lists.adiscon.net/mailman/listinfo/rsyslog >> http://www.rsyslog.com/professional-services/ >> What's up with rsyslog? Follow https://twitter.com/rgerhards >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad >> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you >> DON'T LIKE THAT. >> > > _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.