Fair enough - thanks for the follow up! From: rgerha...@hq.adiscon.com At: 11/18/22 11:37:59 UTC-5:00To: Gordon Marler (BLOOMBERG/ 120 PARK ) , rsyslog@lists.adiscon.com Subject: Re: [rsyslog] Reducing selector effect in RainerScript
sorry, I didn't notice the follow-up question, just saw it when I came back today for the actual doc bug fix. You can use the following old-style selector to craft your desired behaviour: *.*;local6.!=info;local6.!=notice;local6.!=warn BTW, doc PRs are here: https://github.com/rsyslog/rsyslog/pull/5028 https://github.com/rsyslog/rsyslog-doc/pull/994 Rainer El jue, 3 nov 2022 a las 16:43, Gordon Marler (BLOOMBERG/ 120 PARK) via rsyslog (<rsyslog@lists.adiscon.com>) escribió: > > Perfectly fine with a doc fix; we're converting from syslog selectors that predate the 2000s (probably from around 1984 or so). > > So I'm still left with the question of how best to convert a selector like the following examples to something more modern, maintaining the old/original intent of: > > "capture everything at first, then whittle away priority ranges of individual facilities" > > Example #1: > > *.debug;local6.err <file> > > Which translates to: > > > *Start by logging all facilities, all priorities to <file> > *Eliminate local6.{debug,info,notice,warn} > > Example #2: > > *.debug;mail.none;local2.none;lpr,local4,local6.err <file> > > Which translates to: > > > *Start by logging all facilities, all priorities to <file> > *Eliminate mail.* > *Eliminate local2.* > *Eliminate {lpr,local4,local6}.{debug,info,notice,warn} > > > I'm going to look at using the if-then construct and see if it's an easy conversion; it'd just be nice to know if it's possible to still craft the old style selector to achieve the same end result. > > From: rsyslog@lists.adiscon.com At: 11/03/22 08:47:57 UTC-4:00To: rsyslog@lists.adiscon.com > Cc: k...@epsilon.eu.org > Subject: Re: [rsyslog] Reducing selector effect in RainerScript > > +1 on the doc fix. It's not that it's a bug per se. And I suppose there > might be installations "in the wild" relying on the filter specification > mechanics so I don't think changing it is called for. It's just that the > docs should probably more closely represent it. > > MK > > On 3.11.2022 13:05, Rainer Gerhards wrote: > > It's complicated. This may be a bug. I tend to say it is, although some > > may argue the man page text does not cover this specific case. > > > > Anyhow, this was not introduced into rsyslog, but into sysklogd. My > > earliest commit is from 2004, with a little bit of non-git history > > before. I can't find the original sysklogd source any longer, but I am > > totally sure we did not touch this part of the code in the early > > 2000's (we were focussed on database writing). > > > > Have a look at the original code, and head to line 2512. It's (minus > > cosmetic utility function changes) the same code as it is today. > > > > > https://github.com/rsyslog/rsyslog/commit/05f2f1839c2712ca77e86aa679dc909d051fc2 > 3b?diff=unified#diff-9d04cb1c9964eae767720b1cfc19111074b0fe23e22416d8594872c4973 > 7a304R2512 > > > > Even more so, the man page text also stems directly back to sysklogd, > > without any alteration in wording. > > > > How to go forward? Of course I can fix this "bug", but that would > > probably cause a loooot of grief with long-existing configs. So I > > would tend to say it is a doc bug so let's fix the doc and be done. > > > > Any comments? David Lang maybe? > > > > Rainer > > > > El jue, 3 nov 2022 a las 10:26, Rainer Gerhards > > > > (<rgerha...@hq.adiscon.com>) escribió: > >> In any case, if it is a bug, fixing it is hard for compatibility > >> reasons. The code has not been touched for a very long time. > >> > >> https://github.com/rsyslog/rsyslog/blame/master/runtime/conf.c#L356 > >> > >> Rainer > >> > >> El jue, 3 nov 2022 a las 10:08, Rainer Gerhards > >> (<rgerha...@hq.adiscon.com>) escribió: > >>> maybe I have not fully understood the original question. Will try > >>> later today ;-) > >>> > >>> However, that part of the code that parses the selectors is actually > >>> still the same we inherited from syslogd ~20 years ago. Of course, I > >>> can't outrule we made some changes, but I honestly don't think so. > >>> > >>> Rainer > >>> > >>> El jue, 3 nov 2022 a las 9:23, Mariusz Kruk via rsyslog > >>> (<rsyslog@lists.adiscon.com>) escribió: > >>>> I'm not saying that behaviour is wrong but I'd interpret the wording in > >>>> the docs as Gordon intended. > >>>> > >>>> https://www.rsyslog.com/doc/v8-stable/configuration/filters.html > >>>> > >>>> "Multiple selectors may be specified for a single action using the > >>>> semicolon (“;’’) separator. Remember that each selector in the selector > >>>> field is capable to overwrite the preceding ones. Using this behavior > >>>> you can exclude some priorities from the pattern." (as a side note - > >>>> "capable" connects with "of *ing", so should be rather used as "capable > >>>> of overwriting" but that's not the point ;-)). I'd intepret that passage > >>>> as "if you add multiple selectors with semilcolons, the latter ones > >>>> overwrite the former" so I'd expect it to work as Gordon did. It might > >>>> need rewording if it works differently. > >>>> > >>>> MK > >>>> > >>>> On 2.11.2022 20:18, Rainer Gerhards via rsyslog wrote: > >>>>> Info is higher severity than debug, so it validly matches. > >>>>> > >>>>> Sent from phone, thus brief. > >>>>> > >>>>> David Lang via rsyslog <rsyslog@lists.adiscon.com> schrieb am Mi., 2. Nov. > >>>>> 2022, 20:10: > >>>>> > >>>>>> not that I expect this to fix it (this isn't something I've seen as a > >>>>>> known > >>>>>> bug), but could you please confirm that this still happens on the current > >>>>>> version of rsyslog? > >>>>>> > >>>>>> David Lang > >>>>>> > >>>>>> On Wed, 2 Nov 2022, Gordon Marler (BLOOMBERG/ 120 PARK) via rsyslog > wrote: > >>>>>> > >>>>>>> Date: Wed, 2 Nov 2022 19:01:22 -0000 > >>>>>>> From: "Gordon Marler (BLOOMBERG/ 120 PARK) via rsyslog" > >>>>>>> <rsyslog@lists.adiscon.com> > >>>>>>> Reply-To: Gordon Marler <gmar...@bloomberg.net>, > >>>>>>> rsyslog-users <rsyslog@lists.adiscon.com> > >>>>>>> To: rsyslog@lists.adiscon.com > >>>>>>> Cc: "Gordon Marler (BLOOMBERG/ 120 PARK)" <gmar...@bloomberg.net> > >>>>>>> Subject: Re: [rsyslog] Reducing selector effect in RainerScript > >>>>>>> > >>>>>>> I've stripped down my config to just this rule, and tried with and > >>>>>> without the stop directive - after restarting rsyslogd, of course - no > >>>>>> change. > >>>>>>> Also happens on the rsyslogd versions delivered with Solaris 11.4, RHEL > >>>>>> 7.x and RHEL 8.x, which all hover around the 8.210x version > >>>>>>> From: rsyslog@lists.adiscon.com At: 11/02/22 03:45:01 UTC-4:00To: > >>>>>> rsyslog@lists.adiscon.com > >>>>>>> Cc: k...@epsilon.eu.org > >>>>>>> Subject: Re: [rsyslog] Reducing selector effect in RainerScript > >>>>>>> > >>>>>>> Generally, your config should work the way you indended. It's hard to > >>>>>>> say however if other entries in your config don't cause any side > effects. > >>>>>>> > >>>>>>> You could add a "stop" directive to make sure that events matching your > >>>>>>> selector won't be processed further. Like: > >>>>>>> > >>>>>>> *.debug;local6.err { > >>>>>>> action( type="omfile" file="/what/ever/file") > >>>>>>> stop > >>>>>>> } > >>>>>>> > >>>>>>> On 2.11.2022 01:26, Gordon Marler (BLOOMBERG/ 120 PARK) via rsyslog > >>>>>> wrote: > >>>>>>>> I'm porting some configurations from syslog to rsyslog, and seeing some > >>>>>>> unexpected selector behavior in rsyslog 8.2104 > >>>>>>>> After reading the selector examples from the configuration portion of > >>>>>> the > >>>>>>> rsyslog manual, I'm either misunderstanding how this is supposed to > >>>>>> work, or > >>>>>>> there's a long standing issue here. > >>>>>>>> So, the original selector looks like this: > >>>>>>>> > >>>>>>>> *.debug;local6.err > >>>>>>>> > >>>>>>>> The intent is to log all facilities at debug or higher, except for > >>>>>> local6, > >>>>>>> which should only log at err or higher. So I end up with a RainerScript > >>>>>> block > >>>>>>> like so: > >>>>>>>> *.debug;local6.err { > >>>>>>>> action( type="omfile" file="/what/ever/file") > >>>>>>>> } > >>>>>>>> > >>>>>>>> But, I start to see messages at local6.info show up in the file, > >>>>>> surprisingly. > >>>>>>>> To get the desired end effect, I end up having to craft the selector > >>>>>> like so > >>>>>>> (which only works because only local6.info is chatty, nothing higher > >>>>>> than > >>>>>>> that), which surprises me: > >>>>>>>> *.debug;local6.err;local6.!=info > >>>>>>>> > >>>>>>>> So, am I simply doing this wrong/misunderstanding how selectors work, > >>>>>> or is > >>>>>>> there something odd going on? > >>>>>>>> _______________________________________________ > >>>>>>>> rsyslog mailing list > >>>>>>>> https://lists.adiscon.net/mailman/listinfo/rsyslog > >>>>>>>> http://www.rsyslog.com/professional-services/ > >>>>>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards > >>>>>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a > >>>>>> myriad of > >>>>>>> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > >>>>>> DON'T LIKE > >>>>>>> THAT. > >>>>>>> _______________________________________________ > >>>>>>> rsyslog mailing list > >>>>>>> https://lists.adiscon.net/mailman/listinfo/rsyslog > >>>>>>> http://www.rsyslog.com/professional-services/ > >>>>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards > >>>>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad > >>>>>> of > >>>>>>> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > >>>>>> DON'T LIKE > >>>>>>> THAT. > >>>>>>> > >>>>>>> > >>>>>>> _______________________________________________ > >>>>>>> rsyslog mailing list > >>>>>>> https://lists.adiscon.net/mailman/listinfo/rsyslog > >>>>>>> http://www.rsyslog.com/professional-services/ > >>>>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards > >>>>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad > >>>>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > >>>>>> DON'T LIKE THAT. > >>>>>> _______________________________________________ > >>>>>> rsyslog mailing list > >>>>>> https://lists.adiscon.net/mailman/listinfo/rsyslog > >>>>>> http://www.rsyslog.com/professional-services/ > >>>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards > >>>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad > >>>>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > >>>>>> DON'T LIKE THAT. > >>>>>> > >>>>> _______________________________________________ > >>>>> rsyslog mailing list > >>>>> https://lists.adiscon.net/mailman/listinfo/rsyslog > >>>>> http://www.rsyslog.com/professional-services/ > >>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards > >>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T > LIKE THAT. > >>>> _______________________________________________ > >>>> rsyslog mailing list > >>>> https://lists.adiscon.net/mailman/listinfo/rsyslog > >>>> http://www.rsyslog.com/professional-services/ > >>>> What's up with rsyslog? Follow https://twitter.com/rgerhards > >>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T > LIKE THAT. > _______________________________________________ > rsyslog mailing list > https://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of > sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE > THAT. > > _______________________________________________ > rsyslog mailing list > https://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT. _______________________________________________ rsyslog mailing list https://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
