[rsyslog] If a ruleset is bound to a specific input, will rsyslog check a message arriving on that input against a different ruleset?
Here is some pseducode based off of another recent thread: ruleset(name="remote-rules"){ action( ... ) action( ... ) stop } input(type="imudp" port="1514" address="127.0.0.1" ruleset="remote-rules") input(type="imptcp" port="1514" address="127.0.0.1" ruleset="remote-rules") I see here that the stop directive is used as the last item within that ruleset. Is that necessary? I had the idea (evidently mistaken) that when you assign a ruleset to an input that only that ruleset would be applied to messages arriving on that input. Is the stop directive necessary here? ___ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: [rsyslog] If a ruleset is bound to a specific input, will rsyslog check a message arriving on that input against a different ruleset?
It's implicit, AFAIK On 11/07/17 07:48, deoren wrote: Here is some pseducode based off of another recent thread: ruleset(name="remote-rules"){ action( ... ) action( ... ) stop } input(type="imudp" port="1514" address="127.0.0.1" ruleset="remote-rules") input(type="imptcp" port="1514" address="127.0.0.1" ruleset="remote-rules") I see here that the stop directive is used as the last item within that ruleset. Is that necessary? I had the idea (evidently mistaken) that when you assign a ruleset to an input that only that ruleset would be applied to messages arriving on that input. Is the stop directive necessary here? ___ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT. ___ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: [rsyslog] If a ruleset is bound to a specific input, will rsyslog check a message arriving on that input against a different ruleset?
yup ... for this case. Processing stops when there is .. no more processing to do. Usually, this means end of ruleset. But if the ruleset is called from another ruleset, processing will go back to the caller if there is no stop statement. In the given config, this is not the case. HTH Rainer 2017-07-11 8:33 GMT+02:00 mostolog--- via rsyslog : > It's implicit, AFAIK > > > > On 11/07/17 07:48, deoren wrote: >> >> Here is some pseducode based off of another recent thread: >> >> ruleset(name="remote-rules"){ >> action( >> ... >> ) >> action( >> ... >> ) >> stop >> } >> >> input(type="imudp" port="1514" address="127.0.0.1" ruleset="remote-rules") >> input(type="imptcp" port="1514" address="127.0.0.1" >> ruleset="remote-rules") >> >> I see here that the stop directive is used as the last item within that >> ruleset. Is that necessary? I had the idea (evidently mistaken) that when >> you assign a ruleset to an input that only that ruleset would be applied to >> messages arriving on that input. >> >> Is the stop directive necessary here? >> >> ___ >> rsyslog mailing list >> http://lists.adiscon.net/mailman/listinfo/rsyslog >> http://www.rsyslog.com/professional-services/ >> What's up with rsyslog? Follow https://twitter.com/rgerhards >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad >> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T >> LIKE THAT. > > > ___ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of > sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T > LIKE THAT. ___ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: [rsyslog] If a ruleset is bound to a specific input, will rsyslog check a message arriving on that input against a different ruleset?
On 7/11/17 2:47 AM, Rainer Gerhards wrote: yup ... for this case. Processing stops when there is .. no more processing to do. Usually, this means end of ruleset. But if the ruleset is called from another ruleset, processing will go back to the caller if there is no stop statement. In the given config, this is not the case. HTH Rainer I have a ruleset attached only to remote inputs and was under the impression that would be the only way those rules would execute (assuming I don't call the ruleset directly). Thank you for confirming that is the case. :) Is there any penalty for explicitly using the stop directive? Just curious. ___ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: [rsyslog] If a ruleset is bound to a specific input, will rsyslog check a message arriving on that input against a different ruleset?
On 7/11/17 1:33 AM, mostolog--- via rsyslog wrote: It's implicit, AFAIK On 11/07/17 07:48, deoren wrote: Here is some pseducode based off of another recent thread: ruleset(name="remote-rules"){ action( ... ) action( ... ) stop } input(type="imudp" port="1514" address="127.0.0.1" ruleset="remote-rules") input(type="imptcp" port="1514" address="127.0.0.1" ruleset="remote-rules") I see here that the stop directive is used as the last item within that ruleset. Is that necessary? I had the idea (evidently mistaken) that when you assign a ruleset to an input that only that ruleset would be applied to messages arriving on that input. Is the stop directive necessary here? Thanks for confirming. I wasn't sure if there was some sort of fall-through behavior I wasn't aware of. ___ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.