(Apologies, somehow I sent this before it was complete.)

David,

So yeah, you are right. I didn’t dig into omfile and assumed from the Actions page those were available to most. So I have a .conf with 13 rulesets with matching inputs, and I’ve found that you can ratelimit on the input side; however, this source is local (firewalld). If I am loading modules imudp, imtcp and imuxsock, and since I do have a .conf to send all of the logs from that source to a specific file:

:msg,contains," Syslog-In " /var/log/firewalld
& stop

Am I correct in thinking that an input type for this would be imuxsock? And if so, could I set up a ruleset with matching inputs to then attempt to rate limit it?

Ben

From: David Lang <da...@lang.hm>
Date: Monday, September 26, 2022 at 2:52 PM
To: Ben Hart via rsyslog <rsyslog@lists.adiscon.com>
Cc: Ben Hart <ben.h...@jamf.com>
Subject: Re: [rsyslog] Action params with exec.OnlyEveryNthTime

I think it's a valid parameter to ommail, but I would be surprised to see it under omfile (and if it is, check what version you are running vs the version you are seeing it documented).

rsyslog is not an event correlation engine; it has some minimal things, but they really aren't very good.

What I do in a situation like yours is to filter the messages and send them to an external event correlation engine (I tend to use Simple Event Correlator) and then have it generate alert or summary messages, feeding them back into rsyslog (watch out that you don't generate a loop in this process).

David Lang
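
The approach David describes, sketched as an added example (not code from the thread, rsyslog or Simple Event Correlator): a small Python stand-in for the external correlator that collapses every N matching messages into one summary line and skips its own summaries, so feeding them back into rsyslog cannot loop. The `fw-summary:` marker, the `SRC=` field and the sample lines are assumptions constructed for illustration.

```python
import re
import sys
from collections import Counter

MARKER = "fw-summary:"   # assumed tag on summaries; used as the loop guard
MATCH = " Syslog-In "    # the string the filter in the thread matches on
SRC = re.compile(r"\bSRC=(\S+)")  # assumed source-address field

def format_summary(counts, total):
    top = ", ".join(f"{src}={n}" for src, n in counts.most_common(3))
    return f"{MARKER} {total} messages, top sources: {top}"

def summarize(lines, every_n=100):
    """Yield one summary per `every_n` matching messages, plus a final partial one."""
    counts, seen = Counter(), 0
    for line in lines:
        # Loop guard: ignore summaries that were fed back in, and unrelated lines.
        if MARKER in line or MATCH not in line:
            continue
        m = SRC.search(line)
        counts[m.group(1) if m else "unknown"] += 1
        seen += 1
        if seen == every_n:
            yield format_summary(counts, seen)
            counts, seen = Counter(), 0
    if seen:
        yield format_summary(counts, seen)

# Constructed sample input (not real logs).
SAMPLE = [
    "Sep 26 14:00:01 fw1 kernel: Syslog-In IN=eth0 SRC=192.0.2.10 DPT=22",
    "Sep 26 14:00:01 fw1 kernel: Syslog-In IN=eth0 SRC=192.0.2.10 DPT=23",
    "Sep 26 14:00:02 fw1 sshd[811]: Accepted publickey for ops",
    "Sep 26 14:00:02 fw1 kernel: Syslog-In IN=eth0 SRC=198.51.100.7 DPT=445",
    "Sep 26 14:00:03 fw1 sec: fw-summary: echo of Syslog-In summary",
    "Sep 26 14:00:03 fw1 kernel: Syslog-In IN=eth0 SRC=192.0.2.10 DPT=80",
]

if __name__ == "__main__":
    # Reads messages on stdin (one per line) and prints summaries on stdout.
    for summary in summarize(sys.stdin):
        print(summary, flush=True)
```

Whatever carries the summaries back into rsyslog should keep the marker intact, and the rule that forwards messages to the correlator should exclude lines containing it.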