I've had very long lists of conditions as well without a problem. How long would
that be if it's all on one line?

Also, you can use the array comparison to simplify it:

    if $fromhost-ip == ['10.1.1.100','10.1.2.100'] then {

Or you can use a table lookup (which has the advantage that you can reload the
table without having to restart rsyslog when that's all that you need to update).
A table lookup will be faster than a long series of comparisons.

David Lang

On Thu, 23 Jun 2022, joojee via rsyslog wrote:

Date: Thu, 23 Jun 2022 13:50:38 -0600
From: joojee via rsyslog <rsyslog@lists.adiscon.com>
To: rsyslog@lists.adiscon.com
Cc: joojee <joo...@gmail.com>
Subject: [rsyslog] Is there a limit on the number of conditions a rule can
have?

Hi there,

I have an rsyslog server that ingests logs from across our network.
One of the log sources is our wireless infrastructure and we have 29
different controllers. I have a rule that looks like this but with 29
"$fromhost-ip" conditions:

    if ($fromhost-ip == '10.1.1.100' or $fromhost-ip == '10.1.2.100') then {
        action(type="omfile" file="/syslog/foo.log" template="OnlyMsg")
        & stop
    }

Running 'rsyslog -N1' passes and there are no errors or warnings in
the syslog but it never actually writes to the output file and it does
have permission to write to that directory. But if I reduce the rule
to only be one IP, it works just fine.

Is there a limit on the number of conditions you can have in one rule
or is there a better way to do this?

Thanks!

_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
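
The table lookup suggested in the reply above, sketched as an added example (not part of either post and not taken from the rsyslog project). The table name "wlc_hosts", its file path and the "wlc"/"other" values are assumptions; the output file and the "OnlyMsg" template come from the original rule.

```rsyslog
# Lookup table file, assumed here to live at /etc/rsyslog.d/wlc_hosts.json.
# One entry per wireless controller; only two of the 29 are shown because
# only those two addresses appear in the thread.
#
# { "version": 1,
#   "nomatch": "other",
#   "type": "string",
#   "table": [
#     { "index": "10.1.1.100", "value": "wlc" },
#     { "index": "10.1.2.100", "value": "wlc" }
#   ]
# }

# Load the table once at startup. With reloadOnHUP="on" the file is re-read
# when rsyslogd receives SIGHUP, so adding a controller needs no restart.
lookup_table(name="wlc_hosts"
             file="/etc/rsyslog.d/wlc_hosts.json"
             reloadOnHUP="on")

# lookup() returns the entry's "value" for an exact match on the sender
# address, or the table's "nomatch" string ("other") for any other host.
if lookup("wlc_hosts", $fromhost-ip) == "wlc" then {
    # "OnlyMsg" is the poster's own template, defined elsewhere in their config.
    action(type="omfile" file="/syslog/foo.log" template="OnlyMsg")
    stop
}
```

Because the rule ends in stop, any sender missing from the table falls through to later rules, so a stale table shows up as controller logs landing in the default files rather than in /syslog/foo.log.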