[rsyslog] If a ruleset is bound to a specific input, will rsyslog check a message arriving on that input against a different ruleset?
Here is some pseducode based off of another recent thread:
ruleset(name="remote-rules"){
action(
...
)
action(
...
)
stop
}
input(type="imudp" port="1514" address="127.0.0.1" ruleset="remote-rules")
input(type="imptcp" port="1514" address="127.0.0.1" ruleset="remote-rules")
I see here that the stop directive is used as the last item within that
ruleset. Is that necessary? I had the idea (evidently mistaken) that
when you assign a ruleset to an input that only that ruleset would be
applied to messages arriving on that input.
Is the stop directive necessary here?
___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
Re: [rsyslog] If a ruleset is bound to a specific input, will rsyslog check a message arriving on that input against a different ruleset?
It's implicit, AFAIK
On 11/07/17 07:48, deoren wrote:
Here is some pseducode based off of another recent thread:
ruleset(name="remote-rules"){
action(
...
)
action(
...
)
stop
}
input(type="imudp" port="1514" address="127.0.0.1"
ruleset="remote-rules")
input(type="imptcp" port="1514" address="127.0.0.1"
ruleset="remote-rules")
I see here that the stop directive is used as the last item within
that ruleset. Is that necessary? I had the idea (evidently mistaken)
that when you assign a ruleset to an input that only that ruleset
would be applied to messages arriving on that input.
Is the stop directive necessary here?
___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST
if you DON'T LIKE THAT.
___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
Re: [rsyslog] If a ruleset is bound to a specific input, will rsyslog check a message arriving on that input against a different ruleset?
yup ... for this case. Processing stops when there is .. no more
processing to do. Usually, this means end of ruleset. But if the
ruleset is called from another ruleset, processing will go back to the
caller if there is no stop statement. In the given config, this is not
the case.
HTH
Rainer
2017-07-11 8:33 GMT+02:00 mostolog--- via rsyslog :
> It's implicit, AFAIK
>
>
>
> On 11/07/17 07:48, deoren wrote:
>>
>> Here is some pseducode based off of another recent thread:
>>
>> ruleset(name="remote-rules"){
>> action(
>> ...
>> )
>> action(
>> ...
>> )
>> stop
>> }
>>
>> input(type="imudp" port="1514" address="127.0.0.1" ruleset="remote-rules")
>> input(type="imptcp" port="1514" address="127.0.0.1"
>> ruleset="remote-rules")
>>
>> I see here that the stop directive is used as the last item within that
>> ruleset. Is that necessary? I had the idea (evidently mistaken) that when
>> you assign a ruleset to an input that only that ruleset would be applied to
>> messages arriving on that input.
>>
>> Is the stop directive necessary here?
>>
>> ___
>> rsyslog mailing list
>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>> http://www.rsyslog.com/professional-services/
>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
>> LIKE THAT.
>
>
> ___
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
> LIKE THAT.
___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
Re: [rsyslog] If a ruleset is bound to a specific input, will rsyslog check a message arriving on that input against a different ruleset?
On 7/11/17 2:47 AM, Rainer Gerhards wrote: yup ... for this case. Processing stops when there is .. no more processing to do. Usually, this means end of ruleset. But if the ruleset is called from another ruleset, processing will go back to the caller if there is no stop statement. In the given config, this is not the case. HTH Rainer I have a ruleset attached only to remote inputs and was under the impression that would be the only way those rules would execute (assuming I don't call the ruleset directly). Thank you for confirming that is the case. :) Is there any penalty for explicitly using the stop directive? Just curious. ___ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: [rsyslog] If a ruleset is bound to a specific input, will rsyslog check a message arriving on that input against a different ruleset?
On 7/11/17 1:33 AM, mostolog--- via rsyslog wrote:
It's implicit, AFAIK
On 11/07/17 07:48, deoren wrote:
Here is some pseducode based off of another recent thread:
ruleset(name="remote-rules"){
action(
...
)
action(
...
)
stop
}
input(type="imudp" port="1514" address="127.0.0.1"
ruleset="remote-rules")
input(type="imptcp" port="1514" address="127.0.0.1"
ruleset="remote-rules")
I see here that the stop directive is used as the last item within
that ruleset. Is that necessary? I had the idea (evidently mistaken)
that when you assign a ruleset to an input that only that ruleset
would be applied to messages arriving on that input.
Is the stop directive necessary here?
Thanks for confirming. I wasn't sure if there was some sort of
fall-through behavior I wasn't aware of.
___
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
