Sorry, I was wrong. ruleset is available in imfile. I am achieving my goal
as shown below. Please give your valuable comments.


main_queue(
    queue.dequeueBatchSize="4000"
    queue.workerthreads="2"
    queue.size="2000000"
)


module(load="imfile" PollingInterval="30")
input(type="imfile" ruleset="flows"
    File="/opt/parser/flows/aggregated_flows.csv"
    Tag=""
)


ruleset(name="flows") {
    action(type="omfwd" target="127.0.0.1" port="5172" protocol="tcp"
        name="flows-queue" template="msgonly" queue.size="1000000"
        # queue.filename="forwarding" queue.maxdiskspace="1g"
        queue.highwatermark="900000" queue.lowwatermark="500000"
        queue.dequeuebatchsize="2000" queue.dequeueslowdown="1000000"
        queue.workerthreads="2" queue.type="LinkedList")
    stop
}


input(type="imtcp" port="514" ruleset="events")

ruleset(name="events") {
    action(type="omfwd" target="127.0.0.1" port="5170" protocol="tcp"
        name="events-queue" template="msgonly" queue.size="1000000"
        # queue.filename="forwarding" queue.maxdiskspace="1g"
        queue.highwatermark="900000" queue.lowwatermark="500000"
        queue.dequeuebatchsize="2000" queue.dequeueslowdown="1000000"
        queue.workerthreads="2" queue.type="LinkedList")
    stop
}

Please answer some queries.
1- Do flows taken from the csv file also first go to the main queue and then
come to the respective action queue?
2- Is there any better way?

Thanks


On Mon, Dec 28, 2015 at 2:09 PM, Muhammad Asif <[email protected]> wrote:

> Hi David,
>
> As you know, ruleset is not available in the imfile module, so what is the
> best way to handle logs read from a file and logs received on tcp port
> 514 differently, and avoid their being written to any file, not even syslog?
>
> Thanks
>
> On Mon, Dec 28, 2015 at 12:57 PM, David Lang <[email protected]> wrote:
>
>> yes, you can use stop as many times as you want.
>>
>> David Lang
>>
>> On Mon, 28 Dec 2015, Muhammad Asif wrote:
>>
>> Date: Mon, 28 Dec 2015 11:19:49 +0500
>>> From: Muhammad Asif <[email protected]>
>>> Reply-To: rsyslog-users <[email protected]>
>>> To: rsyslog-users <[email protected]>
>>> Subject: [rsyslog] Can I use multiple stop in filters
>>>
>>>
>>> Hi geeks,
>>>
>>> Can I use "stop" (To avoid writing in syslog file) in multiple filters
>>> like
>>> this.
>>>
>>> input(type="imptcp" port="514" ruleset="events");
>>>
>>>
>>>
>>> ruleset(name="events"){
>>>    action(type="omfwd" target="127.0.0.1" port="5170" protocol="tcp"
>>> name="events-queue" )
>>>
>>> stop
>>> }
>>>
>>>
>>>
>>> module(load="imfile" PollingInterval="30"  ruleset="flows")
>>>
>>> input(type="imfile" File="/opt/parser/flows/aggregated_flows.csv"
>>>
>>> Tag=""
>>>
>>> )
>>>
>>> ruleset(name="flows"){
>>>    action(type="omfwd" target="127.0.0.1" port="5172" protocol="tcp"
>>> name="flows-queue")
>>>
>>> stop
>>> }
>>>
>>>
>>> Thanks
>>> _______________________________________________
>>> rsyslog mailing list
>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>> http://www.rsyslog.com/professional-services/
>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>>> DON'T LIKE THAT.
>>>