[rsyslog-notify] Forum Thread: duplicate omfile logging - (Mode 'post')

noreply at adiscon.com noreply at adiscon.com
Fri Mar 24 18:48:46 CET 2017


User: bramuno 
Forumlink: http://kb.monitorware.com/viewtopic.php?p=27225#p27225

Message: 
----------
Hello, I am hoping someone has seen this issue and can help me.  I have
noticed that my rsyslog installation is working, but it's sorting
everything twice.  I have a lot of rules to sort specific hostnames or $msg
strings to particular folders and this is working fine.  However, the
default rule at the end is in effect for anything the previous rules did
not catch.  

The default rule should rarely be used but, for some reason, every single
log entry received is being sorted by the default rule *after* it's already
been sorted by the matching rule located above the default rule.

[code]
# first rule
*.* if $fromhost-ip != "x.x.x.26" and $msg contains "NetScreen"
    then
{
        if $msg contains "traffic" or $msg contains "system-notification-00257"
                then action(type="omfile" DynaFile="netscreenTraffic")
        else
                then
                action(type="omfile" DynaFile="netscreenEvents")
}
#####  lots of rules between 
else
        then action(type="omfile" DynaFile="default")

[/code]

With the above rules, NetScreen syslogs should get caught by the first rule
and sent to the netscreen folder (omfile), which they are.  However, the
default action is also triggered and a log entry is created in the default
folder omfile.  Sadly, it's filling up my disk space, so I am hoping someone
may have a suggestion.  Any help is appreciated, thanks :)
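
One way to write rules like these so that a matched message never reaches the default action, as an added example that is not part of the original post: each block ends with RainerScript's `stop` statement, and the default action is a plain statement at the end rather than an `else`, since an `else` pairs only with the `if` directly before it. The template names and the redacted address come from the post; the file paths are assumed placeholders.

```conf
# Added example, not the poster's configuration.
# Template names are taken from the post; the paths are assumed placeholders.
template(name="netscreenTraffic" type="string"
         string="/var/log/remote/netscreen/traffic/%HOSTNAME%.log")
template(name="netscreenEvents" type="string"
         string="/var/log/remote/netscreen/events/%HOSTNAME%.log")
template(name="default" type="string"
         string="/var/log/remote/default/%HOSTNAME%.log")

# First rule: NetScreen messages from any sender except the excluded address
# ("x.x.x.26" is the redacted value as it appears in the post).
if ($fromhost-ip != "x.x.x.26" and $msg contains "NetScreen") then {
    if ($msg contains "traffic" or $msg contains "system-notification-00257") then {
        action(type="omfile" dynaFile="netscreenTraffic")
    } else {
        action(type="omfile" dynaFile="netscreenEvents")
    }
    # The message has been written once; skip every rule below,
    # including the default action at the end of the file.
    stop
}

# ... further rules, each block ending with "stop" ...

# Default: reached only by messages that no block above has stopped.
action(type="omfile" dynaFile="default")
```

Running `rsyslogd -N1` against the edited file checks the syntax before the daemon is restarted.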

