[rsyslog-notify] Forum Thread: Re: Filter: Only log local for specific action - (Mode 'reply')
noreply at adiscon.com
Thu Nov 12 18:21:10 CET 2015
User: dlang
Forumlink: http://kb.monitorware.com/viewtopic.php?p=26138#p26138
Message:
----------
When you are trying to do the sort of configuration you are talking about,
it's MUCH easier to understand what's going on if you have everything in
one rsyslog config file and don't use the include directive.

Include basically does a paste of the config files into the main file at
that point, but it's much harder to understand what's happening when
things are split like this.

There are two approaches to do this.

First, you can use rulesets.

You define an input to use a specific ruleset. Logs that arrive via that
input are only passed through the rules in that ruleset, and the rules in
that ruleset will not be applied to any other logs.

So if you apply a ruleset to your remote inputs, then rules that are not
part of that ruleset will handle your local logs.

When using rulesets, you _really_ want to use the new syntax:

    ruleset(name="foo"){
        rules
    }

As you can imagine, trying to understand include files in the middle of a
block will be messy.

The second approach is that you can do logic in your filters so that you
throw the log away after you are finished with it.

So if you have a rule:

    if <from local system and other conditions> then {
        do something
        stop
    }
    some other rules
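
A single-file configuration combining the ruleset approach from the message above with the `stop` pattern in the default ruleset. This is an added example, not part of the original post; the ports, file paths and the program name `myapp` are constructed.

```conf
# Added example: everything in one file, no include directives.
# Ports, paths and the program name "myapp" are constructed placeholders.

module(load="imuxsock")   # local log socket
module(load="imudp")
module(load="imtcp")

# Approach 1: the remote inputs get their own ruleset.
# Only messages arriving through inputs bound to "remote" pass through
# these rules, and these rules are applied to nothing else.
ruleset(name="remote") {
    action(type="omfile" file="/var/log/remote/all.log")
}

input(type="imudp" port="514" ruleset="remote")
input(type="imtcp" port="514" ruleset="remote")

# Rules outside any ruleset() block form the default ruleset. imuxsock is
# not bound to "remote", so only local messages are evaluated from here on.

# Approach 2, applied inside the default ruleset: handle the message,
# then stop so the rules further down never see it.
if $programname == "myapp" then {
    action(type="omfile" file="/var/log/myapp.log")
    stop
}

# Some other rules: every local message that was not stopped above.
action(type="omfile" file="/var/log/messages")

# Without rulesets, remote and local messages share the default ruleset,
# so the filter itself has to test the origin (rsyslog reports 127.0.0.1
# as fromhost-ip for locally generated messages):
#
#   if $fromhost-ip == "127.0.0.1" and $programname == "myapp" then {
#       action(type="omfile" file="/var/log/myapp.log")
#       stop
#   }
```

`rsyslogd -N1 -f <file>` checks the syntax of such a file without starting the daemon.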