You're close... Try this:
if ($syslogtag == "file1") then { action(type="omfwd" Target="bleh"
Port="6514" Protocol="udp") stop }
if ($syslogtag == "file2") then { action(type="omfwd" Target="bleh"
Port="5514" Protocol="udp") stop }
if ($syslogtag == "file3") then { action(type="omfwd" Target="bleh"
Port="8514" Protocol="tcp") stop }
*.*;local7.none @bleh
James i didn't know you were doing rsyslog.... we could have been hanging
out months ago...
Cheers,
JB
On Tue, Jun 12, 2018 at 4:13 PM, James Lay <[email protected]> wrote:
> On 2018-06-12 12:40, David Lang wrote:
>
>> On Tue, 12 Jun 2018, James Lay wrote:
>>
>> Here as well, all information from file1 and file2 show up in
>>> /var/log/messages. How can I tell rsyslog to not log the additional files
>>> to the actual syslog/messages file? Thank you.
>>>
>>
>> you either need to filter the messages before the line that writes to
>> the messages file (match them and issue a stop), or you need to have
>> the imfile inputs call a specific ruleset that only has what you want
>> to happen to those files instead of letting them be handled by the
>> default ruleset.
>>
>
> Thank you....I'm familiar with filtering out messages by say content, but
> I've not used them in a action rule before. What I am confused on is where
> to put the stop. So, something like?
>
>
> if ($syslogtag == "file1") then { action(type="omfwd" Target="bleh"
> Port="6514" Protocol="udp" stop) } else
> if ($syslogtag == "file2") then { action(type="omfwd"
> Target="bleh" Port="5514" Protocol="udp" stop) } else
> if ($syslogtag == "file3") then { action(type="omfwd"
> Target="bleh" Port="8514" Protocol="tcp" stop) } else {
> *.*;local7.none @bleh
> }
>
> My fear is that the message would not get logged to, in the above case,
> the remove syslog server bleh. Clearly this is me not knowing how this all
> works. Thanks again.
>
> James
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
>
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
