[rsyslog-notify] Forum Thread: Re: Rsyslog forwarding or listening configuration - (Mode 'reply')
noreply at adiscon.com
Wed Nov 18 23:32:18 CET 2015
User: dlang
Forumlink: http://kb.monitorware.com/viewtopic.php?p=26169#p26169
Message:
----------
I don't quite understand your question, but I think I know the issue you
are struggling with.

By default, rsyslog will write logs out to every action where the filter
matches the logs, so if something is local1.info,

    local1.* /var/log/local1
    *.info /var/log/info

will write the log out to both places.

You can avoid this by telling rsyslog to throw away the message. This is
commonly done after you write it to one place and don't want to write it
anywhere else:

    local1.* /var/log/local1
    & ~
    *.info /var/log/info

will not have any local1.info logs in /var/log/info.

You can do things like

    if $msg contains 'error' then /var/log/error.log

With current versions you can do

    if $msg contains 'error' then {
        /var/log/error.log
        stop
    }

With v5, the if..then syntax is significantly slower than the :msg,
contains syntax, but if you aren't running up against performance limits,
you should probably just use the if..then syntax (and if you are running up
against performance limits, you really should upgrade to the current
version on your central system; there are so many other performance
improvements).

Does this help?
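
Added example, not part of dlang's post and not rsyslog code: a simplified Python model of the top-to-bottom rule evaluation described above, showing which files a message reaches with and without the discard. The names selector_matches and route and the rule tuples are hypothetical, and the model goes slightly beyond the post by also showing that a discard placed after the other rule no longer keeps local1 logs out of /var/log/info.

```python
# Simplified model of rsyslog rule evaluation (illustrative, not rsyslog code).
SEVERITIES = ["emerg", "alert", "crit", "err",
              "warning", "notice", "info", "debug"]  # most to least severe


def selector_matches(selector, facility, severity):
    """Legacy 'facility.priority' selector: '*' is a wildcard, and a named
    priority matches that severity and everything more severe."""
    sel_fac, sel_pri = selector.split(".")
    if sel_fac != "*" and sel_fac != facility:
        return False
    if sel_pri == "*":
        return True
    return SEVERITIES.index(severity) <= SEVERITIES.index(sel_pri)


def route(rules, facility, severity):
    """Walk the rules in order and return the files the message is written to.
    Each rule is (selector, target_file, discard_after)."""
    written = []
    for selector, target, discard_after in rules:
        if selector_matches(selector, facility, severity):
            written.append(target)
            if discard_after:  # models '& ~' / 'stop' following the action
                break          # message is thrown away, later rules never see it
    return written


# Constructed rule sets mirroring the two legacy snippets in the post.
WITHOUT_DISCARD = [("local1.*", "/var/log/local1", False),
                   ("*.info", "/var/log/info", False)]
WITH_DISCARD = [("local1.*", "/var/log/local1", True),
                ("*.info", "/var/log/info", False)]
# Same rules reversed: the discard now runs after /var/log/info was written.
REORDERED = [("*.info", "/var/log/info", False),
             ("local1.*", "/var/log/local1", True)]

if __name__ == "__main__":
    for name, rules in [("without discard", WITHOUT_DISCARD),
                        ("with discard", WITH_DISCARD),
                        ("reordered", REORDERED)]:
        print(name, "->", route(rules, "local1", "info"))
```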