> Is there any kind of documentation post where working and use of
> preprocessor(before main queue) is described ? I could not find any.
> What is its uses ?
I'm not sure exactly what you are referring to.
Input modules (im) get logs from someplace (varies by the module) and may use
parser modules (pm) to extract meaningful logs from that input. The Input
Modules then put the message on the main queue where a worker thread picks up
the message and runs the ruleset against it. This is a series of filters and
actions. The filters decide if the actions are taken for this particular
message. An Action can be message modification modules (mm) that change the
message object (usually to create additional variables), or it can be variable
set commands, or it can be internal functions like stats gathering, or it can be
an invocation of functions from an output module (om). Actions frequently take
templates to form their output. These templates can be things that are
interpreted at runtime, or they can be the result of string modules (sm) that
use C code to create the string instead of interpreting the template definition.
The parser modules, which detect whether to keep a message OR discard it, where are they implemented ?
in these preprocessors(before the main queue) OR in the parsing and filtering modules(after the main queue) ?
On Wed, 21 Jun 2017, Luv via rsyslog wrote:
> Date: Wed, 21 Jun 2017 02:56:02 -0700 (MST)
> From: Luv via rsyslog <[hidden email]>> The parser modules, which detect whether to keep a message OR discard it,
> where are they implemented ?
> in these preprocessors(before the main queue) OR in the parsing and
> filtering modules(after the main queue) ?
parser modules do not decide to keep or discard a message. They are run against
the incoming message to populate the standard properties (hostname, timestamp,
facility/severity) and they either return a success (this parser was able to
decipher the message) or failure (this parser was not able to decipher the
message, run the next parser in the stack)
the rfc3164 parser always returns success, it's the fallback and has all sorts
of heuristics to try and extract _some_ meaning out of any garbage that is sent.
The message is then put on the main queue. There is no ability to throw messages
away before they are put on the main queue 
All filtering is done by the work thread reading data from the queue and