On 19/01/2021 17:28, Rainer Gerhards via rsyslog wrote:
On Tue, 19 Jan 2021 at 17:24, John Chivian via rsyslog
(<[email protected]>) wrote:

    ruleset (name="from_input") {
        call write_to_file
        call to_central_siem
        call to_separate_file
    }

If I understand the internals, each call is essentially a "duplicated fork"
that will operate independently of each other. It's in the documentation
somewhere, but using the call mechanism is correct.

YES, BUT ... you need to assign a queue to the called ruleset. Else
it's synchronous.

Rainer

Let me dig a bit deeper ;-)

Let's assume that all those called rulesets manipulate a variable (let's
call it $.var).

So far I relied on one ruleset modifying said $.var and the resulting
value being retained and accessible in a subsequent ruleset. So, for
example, the first subruleset could assign a value to a variable and in the
second subruleset you would choose an action or assign another variable
based on the value of $.var. Like this:

    ruleset (name="get_source") {
        if ( $hostname == "localhost") then
        {
            set $.src = $fromhost-ip;
        } else
        {
            set $.src = $hostname;
        }
    }

    ruleset (name="output_action") {
        if (( $.src starts with "172.16.") or ($.src ends with ".local")) then
        {
            action(type="omfile" file="/var/log/local");
        } else
        {
            action(type="omfile" file="/var/log/remote");
        }
    }

    ruleset(name="main") {
        call get_source
        call output_action
    }

Let's not dig too deeply into the general idea (and possibly syntactic
correctness; I might have missed some semicolon or something like that
;-)) but as you can see, we assign a variable $.src in the get_source
ruleset and use it again in the output_action ruleset.

I've used this form of passing variables from one ruleset to another
many times and it does work.

The question is - will the behaviour change if those get_source and
output_action rulesets get their own queues?
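
The queue assignment Rainer refers to earlier in the thread, shown as an added example that is not part of the original messages: one called ruleset left without a queue (so `call` stays synchronous) beside two that are given their own queue. The file paths, the SIEM host name, the port and the queue type and size are assumptions chosen for illustration.

```rsyslog
# Added example, not from the thread. Paths, target host, port and the
# queue settings below are illustrative assumptions.

# No queue.* parameters: "call write_to_file" is synchronous, i.e. the
# caller continues only after this ruleset has finished with the message.
ruleset(name="write_to_file") {
    action(type="omfile" file="/var/log/all.log")
}

# queue.type set on the ruleset: it gets its own queue, so "call" enqueues
# the message there and the calling ruleset carries on.
ruleset(name="to_central_siem" queue.type="LinkedList" queue.size="10000") {
    action(type="omfwd" target="siem.example.net" port="514" protocol="tcp")
}

ruleset(name="to_separate_file" queue.type="LinkedList") {
    action(type="omfile" file="/var/log/separate.log")
}

# Called rulesets are defined above the ruleset that calls them.
ruleset(name="from_input") {
    call write_to_file
    call to_central_siem
    call to_separate_file
}
```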