[rsyslog-notify] Forum Thread: Simple if/then/else not working - (Mode 'post')

noreply at adiscon.com
Thu Jan 21 21:42:51 CET 2016


User: JoiOwen 
Forumlink: http://kb.monitorware.com/viewtopic.php?p=26290#p26290

Message: 
----------
I have a syslog server receiving debug junk from a ruckus device, and a bug
in their appliance prevents us from turning the debug junk off after it's
been turned on, until you reboot the device (which its manager refuses to
do).

So, I'm trying to insert a filter in my rainerscript to block the junk from
just this one device from reaching my syslog server and the graylog server
it forwards everything into.

So, I basically have:

ruleset(...) {
  # string comparison needs "==" and a quoted value; "startswith" takes a bare string
  if $fromhost-ip == "172.16.10.223" and $programname startswith "sshd" and
     $syslogpriority == 7 then {
     stop
  } else {
     action( ...dynfile write to disk... )
     action( ... forward on to a graylog server... )
  }
}

Before I created this, I was getting the sshd debug junk on both the disk,
and in the graylog server.  Now that I have this if/else construct in
place, the junk to disk has stopped, but the action that sends it to
graylog is still working!!

I've spent all day trying to figure out what I've done wrong here.  This is
the only action in my whole configuration set that sends anything to
graylog, and this is all encapsulated within a ruleset.

I believe I have the basic syntax of the if conditions correct because the
sshd stuff immediately stopped flowing into the disk file as soon as I
restarted rsyslogd. I've used 'rsyslogd -f /etc/rsyslog.conf -N 1' and
there are no errors in the output from that test.

The host is Ubuntu 14 with the rsyslog 7.4.4-1ubuntu2.6  package on it.  Is
there some bug with the else block that only sees the first action as
inside the block and treats the second action as outside it?
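One way to write the same filter, as an added example that is neither the poster's configuration nor rsyslog documentation: the discard is a standalone if/stop placed ahead of the actions, so neither action sits inside an else branch. The ruleset name, file template path and Graylog target are placeholders; the property names and the match values are taken from the post above.

```rsyslog
# Example only (not the poster's file): filter one device's sshd debug
# chatter before the normal actions run.
module(load="imudp")

# Placeholder dynamic file template; adjust the path to taste.
template(name="DynFile" type="string"
         string="/var/log/remote/%fromhost-ip%/%programname%.log")

ruleset(name="remote") {
    # Drop priority-7 (debug) sshd messages from the one misbehaving device.
    # "stop" ends processing of this message here; anything else falls through.
    if $fromhost-ip == "172.16.10.223"
       and $programname startswith "sshd"
       and $syslogpriority == 7 then {
        stop
    }

    # Both actions are now top-level statements of the ruleset.
    action(type="omfile" dynaFile="DynFile")

    # Placeholder Graylog address and port: replace with the real input.
    action(type="omfwd" target="graylog.example.invalid" port="12201"
           protocol="tcp")
}

# Bind the remote input to the ruleset so only received messages hit it.
input(type="imudp" port="514" ruleset="remote")
```

Check the file with 'rsyslogd -N 1' as above before restarting, and confirm the drop by watching the dynafile and the Graylog input for a priority-7 sshd line from that host.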

