On Tue, 16 Apr 2013, Nathan Stratton Treadway wrote:

> On Tue, Apr 16, 2013 at 19:07:19 -0700, Paul Fontenot wrote:
>> How does rsyslog determine order from the configuration files in
>> /etc/rsyslog.d/*.conf?
>>
>> 10-iptables.conf
>> 20-messages.conf
>> [...]
>> :msg, startswith, "IPTABLES (eth0) Drop: " -/var/log/iptables.log
>> & ~
>> :msg, startswith, "IPTABLES (wlan0) Drop: " -/var/log/iptables.log
>> & ~
>> and I get the entries in both /var/log/iptables and /var/log/messages. So
>> far the only way I've found to ensure those entries are only in
>> /var/log/iptables is to put them in /etc/rsyslog.conf. Is this the only way
>> or am I overlooking something?
>
> You didn't mention which version of rsyslog you are using, but most
> versions in the 7.2.x and 7.3.x lines have a bug which causes the files
> pulled in by a wildcard "include" to be processed in reverse order. The
> bug was fixed in 7.2.6 and 7.3.8, so if you can upgrade to a version
> later than those that should solve your problem.
>
> If you can't upgrade, you can probably get it to work by renumbering the
> rsyslog.d/* files so they are in reverse order (i.e. for each number N,
> change the number to 100-N, or something like that). (However, keep in
> mind that when you later upgrade to a version that includes the fix
> you'll need to switch the filenames back to the expected order.)
>
> Hope that helps.

Personally, my recommendation is to not have include files that have side
effects. It just makes the overall logic too hard to figure out. If you are
going to have to look at all the config files to figure out what is happening
with a particular log message, just put all the rules in one file so you can see
the logic at one time.
For some software you can't do that because having things in the file that
aren't what you want for a particular machine really hurts you, but in almost
every case with syslog, you can put the same rules on every machine and pay a
very minimal cost for checking rules that you are never going to match.
David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
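
An added example, not part of any post in this thread: a Python sketch that checks whether an rsyslogd version falls in the range Nathan describes, works out the resulting processing order of the rsyslog.d files, flags discard rules that would run too late, and applies the 100-N renaming. The function names, the `*.info` rule used for 20-messages.conf, and the use of plain `sorted()` to stand in for the include order are assumptions.

```python
import re

# Fix releases named in the reply above. Earlier 7.2.x / 7.3.x releases are
# treated as possibly affected (the reply says "most" of them are).
FIXED_PATCH = {(7, 2): 6, (7, 3): 8}
DISCARD = re.compile(r"(^|\s)~\s*$", re.MULTILINE)  # legacy "~" discard action


def possibly_reversed(version):
    """True if this rsyslogd version may process wildcard includes in reverse."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch = map(int, m.groups())
    fixed = FIXED_PATCH.get((major, minor))
    return fixed is not None and patch < fixed


def effective_order(names, version):
    """Order in which the include files are processed on this version."""
    ordered = sorted(names)  # assumption: stands in for the wildcard include order
    return ordered[::-1] if possibly_reversed(version) else ordered


def late_discards(files, version):
    """Files with a discard rule that run after files they were meant to precede."""
    intended, actual = sorted(files), effective_order(files, version)
    late = []
    for name in intended:
        if not DISCARD.search(files[name]):
            continue
        meant_after = set(intended[intended.index(name) + 1:])
        ran_before = set(actual[:actual.index(name)])
        if meant_after & ran_before:
            late.append(name)
    return late


def renumber(name):
    """The 100-N workaround from the reply: 10-foo.conf -> 90-foo.conf."""
    m = re.match(r"(\d+)(-.*)$", name)
    return f"{100 - int(m.group(1)):02d}{m.group(2)}" if m else name


# Constructed sample: file names from the thread; the 20-messages.conf rule is assumed.
SAMPLE = {
    "10-iptables.conf": ':msg, startswith, "IPTABLES (eth0) Drop: " -/var/log/iptables.log\n& ~\n',
    "20-messages.conf": "*.info -/var/log/messages\n",
}
```

Pass the version string reported by `rsyslogd -v` and a dict of file name to file contents; a non-empty result from `late_discards` means messages can reach a later file's rules before the discard runs.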