If a ruleset is bound to a specific input, will rsyslog check a message arriving on that input against a different ruleset?

classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

If a ruleset is bound to a specific input, will rsyslog check a message arriving on that input against a different ruleset?

deoren
Here is some pseducode based off of another recent thread:

ruleset(name="remote-rules"){
         action(
                 ...
         )
         action(
                 ...
         )
         stop
}

input(type="imudp" port="1514" address="127.0.0.1" ruleset="remote-rules")
input(type="imptcp" port="1514" address="127.0.0.1" ruleset="remote-rules")

I see here that the stop directive is used as the last item within that
ruleset. Is that necessary? I had the idea (evidently mistaken) that
when you assign a ruleset to an input that only that ruleset would be
applied to messages arriving on that input.

Is the stop directive necessary here?

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: If a ruleset is bound to a specific input, will rsyslog check a message arriving on that input against a different ruleset?

rsyslog-users mailing list
It's implicit, AFAIK


On 11/07/17 07:48, deoren wrote:

> Here is some pseducode based off of another recent thread:
>
> ruleset(name="remote-rules"){
>         action(
>                 ...
>         )
>         action(
>                 ...
>         )
>         stop
> }
>
> input(type="imudp" port="1514" address="127.0.0.1"
> ruleset="remote-rules")
> input(type="imptcp" port="1514" address="127.0.0.1"
> ruleset="remote-rules")
>
> I see here that the stop directive is used as the last item within
> that ruleset. Is that necessary? I had the idea (evidently mistaken)
> that when you assign a ruleset to an input that only that ruleset
> would be applied to messages arriving on that input.
>
> Is the stop directive necessary here?
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST
> if you DON'T LIKE THAT.

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: If a ruleset is bound to a specific input, will rsyslog check a message arriving on that input against a different ruleset?

Rainer Gerhards
yup ... for this case. Processing stops when there is .. no more
processing to do. Usually, this means end of ruleset. But if the
ruleset is called from another ruleset, processing will go back to the
caller if there is no stop statement. In the given config, this is not
the case.

HTH
Rainer

2017-07-11 8:33 GMT+02:00 mostolog--- via rsyslog <[hidden email]>:

> It's implicit, AFAIK
>
>
>
> On 11/07/17 07:48, deoren wrote:
>>
>> Here is some pseducode based off of another recent thread:
>>
>> ruleset(name="remote-rules"){
>>         action(
>>                 ...
>>         )
>>         action(
>>                 ...
>>         )
>>         stop
>> }
>>
>> input(type="imudp" port="1514" address="127.0.0.1" ruleset="remote-rules")
>> input(type="imptcp" port="1514" address="127.0.0.1"
>> ruleset="remote-rules")
>>
>> I see here that the stop directive is used as the last item within that
>> ruleset. Is that necessary? I had the idea (evidently mistaken) that when
>> you assign a ruleset to an input that only that ruleset would be applied to
>> messages arriving on that input.
>>
>> Is the stop directive necessary here?
>>
>> _______________________________________________
>> rsyslog mailing list
>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>> http://www.rsyslog.com/professional-services/
>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
>> LIKE THAT.
>
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
> LIKE THAT.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: If a ruleset is bound to a specific input, will rsyslog check a message arriving on that input against a different ruleset?

deoren
On 7/11/17 2:47 AM, Rainer Gerhards wrote:
> yup ... for this case. Processing stops when there is .. no more
> processing to do. Usually, this means end of ruleset. But if the
> ruleset is called from another ruleset, processing will go back to the
> caller if there is no stop statement. In the given config, this is not
> the case.
>
> HTH
> Rainer

I have a ruleset attached only to remote inputs and was under the
impression that would be the only way those rules would execute
(assuming I don't call the ruleset directly). Thank you for confirming
that is the case. :)

Is there any penalty for explicitly using the stop directive? Just curious.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: If a ruleset is bound to a specific input, will rsyslog check a message arriving on that input against a different ruleset?

deoren
In reply to this post by rsyslog-users mailing list
On 7/11/17 1:33 AM, mostolog--- via rsyslog wrote:

> It's implicit, AFAIK
>
>
> On 11/07/17 07:48, deoren wrote:
>> Here is some pseducode based off of another recent thread:
>>
>> ruleset(name="remote-rules"){
>>         action(
>>                 ...
>>         )
>>         action(
>>                 ...
>>         )
>>         stop
>> }
>>
>> input(type="imudp" port="1514" address="127.0.0.1"
>> ruleset="remote-rules")
>> input(type="imptcp" port="1514" address="127.0.0.1"
>> ruleset="remote-rules")
>>
>> I see here that the stop directive is used as the last item within
>> that ruleset. Is that necessary? I had the idea (evidently mistaken)
>> that when you assign a ruleset to an input that only that ruleset
>> would be applied to messages arriving on that input.
>>
>> Is the stop directive necessary here?
Thanks for confirming. I wasn't sure if there was some sort of
fall-through behavior I wasn't aware of.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Loading...