[rsyslog-notify] Forum Thread: Re: Simple if/then/else not working - (Mode 'reply')

noreply at adiscon.com
Fri Jan 22 12:17:33 CET 2016


User: JoiOwen 
Forumlink: http://kb.monitorware.com/viewtopic.php?p=26296#p26296

Message: 
----------
Oh, I omitted the quotes around the IP address here in my post but they are
present in the config file.  

There is a DA queue for the graylog forward action, but it's not seeing
much use.  There is a queue on the ruleset as well, but it doesn't show
anything being dropped when I check the stats.  

The debug messages appearing in the graylog content bear timestamps within
the past two minutes, so I don't think queuing is causing a delay.  When I
go back and check graylog hours later, it's still showing me the sshd debug
messages from that host with very new timestamps.  This suggests to me that
rsyslog is continuing to treat the write-to-disk action as inside the
block, but the forward-to-graylog action as outside it.  The two lines are
adjacent to each other inside the else braces.

How would I turn on debugging in rsyslog for this particular issue?  When I
try using -d, I just get mostly unintelligible (to me) syntax tree stuff.

I do have some comments around an if prifilt() structure for an action that
is not currently in use.  Could the parser somehow be seeing a { or } in
the comments and confusing itself?  These comments are after the two
actions in the else block but should be included in it, i.e. like:

[code]
ruleset( ... ) {
  if ... then {
    stop
  } else {
    action (...)
    action (...)
#
#   if prifilt(..) then {
#     action(...)
#   }
  }
}
[/code]

I've matched up the braces with vim and they do pair up properly.
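The check below is an added example, not code from the forum post or from the rsyslog project. It answers the brace-in-comments question the way a parser does: it blanks out `#` line comments and `/* */` block comments (outside double-quoted strings) before counting `{` and `}`, so a brace that only appears in a commented-out block is ignored, and any leftover unmatched brace is reported with its line number. The sample ruleset is constructed to mirror the layout in the post (two actions followed by a commented-out prifilt block inside the else branch); the target host name and file paths in it are placeholders.

```python
"""Brace-balance checker for RainerScript-style rsyslog configs (added example)."""

# Constructed sample config, shaped like the ruleset quoted in the post.
# Host name and file paths are placeholders, not taken from any real setup.
SAMPLE_CONFIG = """\
ruleset(name="remote") {
  if $programname == "sshd" and $syslogseverity == 7 then {
    stop
  } else {
    action(type="omfile" file="/var/log/remote.log")
    action(type="omfwd" target="graylog.example.invalid" port="12201")
#
#   if prifilt("auth.*") then {
#     action(type="omfile" file="/var/log/auth-remote.log")
#   }
  }
}
"""


def strip_comments(text):
    """Blank out '#' line comments and '/* */' block comments.

    Newlines are preserved so line numbers in the result still match the
    input; '#' inside a double-quoted string is left alone.
    """
    out = []
    i, n = 0, len(text)
    in_string = False
    while i < n:
        c = text[i]
        if in_string:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep escaped char verbatim
                out.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_string = False
            i += 1
        elif c == '"':
            in_string = True
            out.append(c)
            i += 1
        elif c == "#":                        # drop to end of line, keep the newline
            while i < n and text[i] != "\n":
                i += 1
        elif text.startswith("/*", i):        # block comment: blank it, keep newlines
            end = text.find("*/", i + 2)
            end = n if end < 0 else end + 2
            out.extend(ch if ch == "\n" else " " for ch in text[i:end])
            i = end
        else:
            out.append(c)
            i += 1
    return "".join(out)


def brace_report(text):
    """Return {'balanced': bool, 'problems': [str]} after ignoring comments."""
    stack = []      # line numbers of '{' still waiting for a '}'
    problems = []
    for lineno, line in enumerate(strip_comments(text).splitlines(), 1):
        for ch in line:
            if ch == "{":
                stack.append(lineno)
            elif ch == "}":
                if stack:
                    stack.pop()
                else:
                    problems.append(f"line {lineno}: '}}' without matching '{{'")
    for lineno in stack:
        problems.append(f"line {lineno}: '{{' never closed")
    return {"balanced": not problems, "problems": problems}


def count_braces(text):
    """Raw brace count, comments included, for comparison with the stripped view."""
    return text.count("{") + text.count("}")


if __name__ == "__main__":
    print("raw braces:", count_braces(SAMPLE_CONFIG))
    print("braces seen by the parser:", count_braces(strip_comments(SAMPLE_CONFIG)))
    print(brace_report(SAMPLE_CONFIG))
```

For the sample config the raw count is 8 braces but only 6 survive comment stripping, and the report is balanced, which is the same conclusion rsyslog's parser reaches: braces in `#` comments do not affect block structure. Independently of this script, `rsyslogd -N1` performs a configuration syntax check without starting the daemon, which is the quickest way to confirm the file parses before looking elsewhere for the cause.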
