[rsyslog] Duplicate entries

Rainer Gerhards rgerhards at hq.adiscon.com
Tue May 27 10:20:00 CEST 2008 

> -----Original Message-----
> From: rsyslog-bounces at lists.adiscon.com [mailto:rsyslog-
> bounces at lists.adiscon.com] On Behalf Of Stephen Carville
> Sent: Tuesday, May 27, 2008 1:03 AM
> To: rsyslog-users
> Subject: Re: [rsyslog] Duplicate entries
> 
> On Sun, May 25, 2008 at 11:18 PM, Rainer Gerhards
> <rgerhards at hq.adiscon.com> wrote:
> > Hi Stephen,
> >
> > If I understand you right, there was nothing wrong with rsyslog. You
> > instructed it to forward authpriv.none message to the remote host:
> >
> >> *.info;mail.none;authpriv.none;cron.none      @@scacisys01
> >
> > And you also instructed it to also forward all authpriv messages to
> the
> > same host:
> >
> >> authpriv.*                             @@scacisys01
> >
> > That, of course, leads to authpriv.none message to be forwarded
twice
> -
> > once by the first rule and another time by the second.
> 
> Doesn't authpriv.none mean send no authpriv messages?  Since it is is
> after the *.info it should take precedence.  At least thats how I
> understand the syslog rules to work.

I have to admit that this is probably the last bit of sysklogd code I
did never even look at ;) But you are right, this sounds like a bug.
I'll review the code once I am through with TLS.

> In any case, I understand what I did wrong.  I had *.info in one rule
> and auth.* in another creating an overlap.
> 
> > Please note that rule execution is serially. There is no
> interdependency
> > between rules. If a rule matches, the action is carried out. This is
> > context-free. Rsyslog doesn't care if another rule has the same
> action.
> > In this sample, it may be useful you did not intend what you
> configured,
> > but in most cases it would be hard to tell what your real intension
> > would be. So rather than trying the figure out the users intension,
> > rsyslog simply carries out what is configured ;)
> >
> > The bottom line to keep in mind is that each rule is a separate unit
> of
> > execution.
> 
> I cannot see any downside to putting them all on the same connection
> so I'll leave it that way FTTB.

One connection is fine. The fewer rules you need, the better the
performance is :)

Rainer
> 
> Thank your for you help
> 
> --
> Stephen Carville
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog

More information about the rsyslog mailing list