Do I just add the word "stop" to my rules with the enclosed brackets you
mentioned?
Example:
if \ {
$source != 'hostname' \
and \
$syslogseverity <= '6' \
and ( \
$syslogfacility-text != 'mail' \
and \
$syslogfacility-text != 'authpriv' \
and \
$syslogfacility-text != 'cron' \
and \
$programname != 'mysqld' \
and \
$programname != 'httpd' \
and \
$programname != 'rkhunter' \
and \
$programname != 'bashhist' \
) \
then ?DYNmessages
stop
}
-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Gary Foster
Sent: Tuesday, April 09, 2013 2:15 PM
To: rsyslog-users
Subject: Re: [rsyslog] Messages log problems
You need to tell rsyslog to stop processing and discard the message when you no
longer want it. Otherwise, it will match multiple rules or fall through to
your default.
~~~~~~
if $msg contains 'foo' then {
# do something
stop
}
*.* /var/log/messages
~~~~~~
The example above will drop the message after it handles it if it matches the
first rule. If not, it will fall through and get processed by the wildcard.
You are missing "stop" statements (and you'll need to add enclosing braces to
group your actions).
-- Gary F.
On Apr 9, 2013, at 1:47 PM, Josh Bitto <[email protected]> wrote:
> Ok so I'm having an issue where I'm receiving logs from different hosts and
> they are being logged to my /var/log/messages. PLUS in the template that I
> have it set for. I don't want this "double" logging. Is there a way to
> correct this? My programming fu is weak.
>
>
> I have it setup in rsyslog.conf configured to a template as the attached txt
> file.
>
> Joshua Bitto
> Information Technologist
> KCC
>
>
>
> <configfile.txt>_______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE
> WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites
> beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is
a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our
control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
