[rsyslog] Duplicate entries
Stephen Carville
stephen.carville at gmail.com
Tue May 27 01:02:39 CEST 2008
On Sun, May 25, 2008 at 11:18 PM, Rainer Gerhards
<rgerhards at hq.adiscon.com> wrote:
> Hi Stephen,
>
> If I understand you right, there was nothing wrong with rsyslog. You
> instructed it to forward authpriv.none message to the remote host:
>
>> *.info;mail.none;authpriv.none;cron.none @@scacisys01
>
> And you also instructed it to also forward all authpriv messages to the
> same host:
>
>> authpriv.* @@scacisys01
>
> That, of course, leads to authpriv.none message to be forwarded twice -
> once by the first rule and another time by the second.
Doesn't authpriv.none mean send no authpriv messages? Since it is is
after the *.info it should take precedence. At least thats how I
understand the syslog rules to work.
In any case, I understand what I did wrong. I had *.info in one rule
and auth.* in another creating an overlap.
> Please note that rule execution is serially. There is no interdependency
> between rules. If a rule matches, the action is carried out. This is
> context-free. Rsyslog doesn't care if another rule has the same action.
> In this sample, it may be useful you did not intend what you configured,
> but in most cases it would be hard to tell what your real intension
> would be. So rather than trying the figure out the users intension,
> rsyslog simply carries out what is configured ;)
>
> The bottom line to keep in mind is that each rule is a separate unit of
> execution.
I cannot see any downside to putting them all on the same connection
so I'll leave it that way FTTB.
Thank your for you help
--
Stephen Carville
More information about the rsyslog
mailing list