> >>> Another change concerns the 'continue' parameter of rules -- it now
> >>> accepts GoTo <label> for its value. Also, goto labels can be set up with
> >>> the 'label' keyword in configuration files.
> >
> > Is the label scoped to a single file, or can I put a label in a
> > different file and have it continue in the different file?
>
GoTo works inside one file only, largely for reasons of clarity and easier loop detection. In order to go from one rule file to another fileset, the Jump rule must be used. Filesets are formed with the Options rule, each set contains one or more rule files, and by default the rule files are used for matching data that come from Jump rules only. This allows for building hierarchical rulesets, e.g.:

    main.conf -> sshd.conf -> logins.conf
              |            |--> faults.conf
              |--> httpd.conf
              |--> ntpd.conf,ftpd.conf,cron.conf

In this example, main.conf is the only file that is used for matching all input, and its only task is to classify messages by applying fairly simple patterns and redirecting them to appropriate rule sets. There could be 5 rule sets here: sshd = {sshd.conf}, httpd = {httpd.conf}, sshdlogins = {logins.conf}, sshdfaults = {faults.conf}, other = {ntpd.conf,ftpd.conf,cron.conf}. Files from each set are used virtually in parallel; the application order is determined by the rule file loading order (files are added to sets during the configuration load).

In addition, each Jump rule could direct a message to more than one set. The latter feature allows one to set up a fixed processing order for rule files, if desired (the man page contains a simple example). If Jump has no sets given, it essentially becomes a fast conditional goto operator for the current rule file.

I think that the current features for setting up rule file hierarchies explicitly add a lot of power, make the event matching process consume much less resources, and make the configurations much easier to follow. Since in the past there was only one layer of rule files, and all these files were used for matching all input, some clever tricks had to be used for making rule matching more CPU efficient. With the current approach one can handle these issues with much less hassle.

br,
risto

_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users