Thanks for that information, I have 7.2.5 so an upgrade is in order
On Tue, Apr 16, 2013 at 9:32 PM, David Lang <[email protected]> wrote:

> On Tue, 16 Apr 2013, Nathan Stratton Treadway wrote:
>
>> On Tue, Apr 16, 2013 at 19:07:19 -0700, Paul Fontenot wrote:
>>
>>> How does rsyslog determine order from the configuration files in
>>> /etc/rsyslog.d/*.conf?
>>>
>>> 10-iptables.conf
>>> 20-messages.conf
>>>
>> [...]
>>
>>> :msg, startswith, "IPTABLES (eth0) Drop: " -/var/log/iptables.log
>>> & ~
>>> :msg, startswith, "IPTABLES (wlan0) Drop: " -/var/log/iptables.log
>>> & ~
>>>
>>> and I get the entries in both /var/log/iptables and /var/log/messages. So
>>> far the only way I've found to ensure those entries are only in
>>> /var/log/iptables is to put them in /etc/rsyslog.conf. Is this the only
>>> way or am I overlooking something?
>>
>> You didn't mention which version of rsyslog you are using, but most
>> versions in the 7.2.x and 7.3.x lines have a bug which causes the files
>> pulled in by a wildcard "include" to be processed in reverse order. The
>> bug was fixed in 7.2.6 and 7.3.8, so if you can upgrade to a version
>> later than those that should solve your problem.
>>
>> If you can't upgrade, you can probably get it to work by renumbering the
>> rsyslog.d/* files so they are in reverse order (i.e. for each number N,
>> change the number to 100-N, or something like that). (However, keep in
>> mind that when you later upgrade to a version that includes the fix
>> you'll need to switch the filenames back to the expected order.)
>>
>> Hope that helps.
>
> Personally, my recommendation is to not have include files that have side
> effects. It just makes the overall logic too hard to figure out. If you are
> going to have to look at all the config files to figure out what is
> happening with a particular log message, just put all the rules in one file
> so you can see the logic at one time.
>
> For some software you can't do that because having things in the file that
> aren't what you want for a particular machine really hurts you, but in
> almost every case with syslog, you can put the same rules on every machine
> and pay a very minimal cost for checking rules that you are never going to
> match.
>
> David Lang
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
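The ordering problem discussed in this thread, as an added example that is not part of any of the messages and is not rsyslog code: a small Python model of how include order decides whether the `& ~` discard in 10-iptables.conf runs before the rules in 20-messages.conf. The catch-all rule for 20-messages.conf is an assumption (its content is elided in the thread), and the model treats every 7.2.x and 7.3.x release before the named fix as reversing the order, although the thread only says "most versions".

```python
import re

# Constructed stand-ins for the thread's two files. The rules in
# 20-messages.conf are elided in the thread; a catch-all is assumed here.
# Rule = (prefix to match, or None for any message; target file; discard after?)
FILES = {
    "10-iptables.conf": [
        ("IPTABLES (eth0) Drop: ", "/var/log/iptables.log", True),
        ("IPTABLES (wlan0) Drop: ", "/var/log/iptables.log", True),
    ],
    "20-messages.conf": [(None, "/var/log/messages", False)],
}
FIXED_IN = {(7, 2): 6, (7, 3): 8}  # fix releases named in the thread

def may_be_affected(version):
    """True for 7.2.x before 7.2.6 and 7.3.x before 7.3.8."""
    major, minor, patch = (int(p) for p in re.fullmatch(
        r"(\d+)\.(\d+)\.(\d+)", version).groups())
    return patch < FIXED_IN.get((major, minor), 0)

def include_order(names, version):
    """Order in which a wildcard include is processed (simplified model)."""
    ordered = sorted(names)
    return ordered[::-1] if may_be_affected(version) else ordered

def renumber(files):
    """Workaround from the thread: change each numeric prefix N to 100-N."""
    out = {}
    for name, rules in files.items():
        number, rest = name.split("-", 1)
        out[f"{100 - int(number):02d}-{rest}"] = rules
    return out

def destinations(msg, version, files):
    """Files a message is written to; a discard ("& ~") stops processing."""
    written = []
    for name in include_order(files, version):
        for prefix, target, discard in files[name]:
            if prefix is None or msg.startswith(prefix):
                written.append(target)
                if discard:
                    return written
    return written

MSG = "IPTABLES (eth0) Drop: IN=eth0 SRC=192.0.2.10"  # constructed sample
if __name__ == "__main__":
    for label, files in (("original", FILES), ("renumbered", renumber(FILES))):
        for version in ("7.2.5", "7.2.6"):
            print(label, version, destinations(MSG, version, files))
```

The renumbered set on 7.2.6 sends the message to both files again, which is the "switch the filenames back" caveat from the thread.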

