Mailing List Archive

syntax for a ruleset with multiple actions where 1 action discards some of the events.
I have a ruleset that attempts to output to omfile, omkafka and
omelasticsearch. All of the events are received on imtcp. I'm
attempting to discard some of the events for omfile. I was trying to
do something like the following:

ruleset(name="process_events") {

    if $msg !contains "unwanted space delimited string" then {
        action(type="omfile"
            <snip>
        )
    }
    action(type="omkafka"
        <snip>
    )
    action(type="omelasticsearch"
        <snip>
    )
}

It seems !contains is being misinterpreted, and that the only events
omfile processes are events containing "unwanted space delimited
string". I assume contains can work on strings with spaces. I'm
wondering what I have wrong with the above.

This is on rsyslog-8.1910.0-0adiscon1xenial1

Mark Christian
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: syntax for a ruleset with multiple actions where 1 action discards some of the events.
You should review rsyslog error logs. I guess you have something
similar to this in them:

rsyslogd: error during parsing file rstb_314075_f7994d4f_.conf, on or
before line 17: invalid character '!' in expression - is there an
invalid escape sequence somewhere? [v8.1911.0.master try
https://www.rsyslog.com/e/2207 ]

Bottom line: !contains is not a proper script operator. The correct if
statement is

if not $msg contains "msgnum:" then {

I guess the rest is due to the config error.

HTH
Rainer

On Wed, 30 Oct 2019 at 20:06, Christian, Mark via rsyslog
(<rsyslog@lists.adiscon.com>) wrote:
>
> I have a ruleset that attempts to output to omfile, omkafka and
> omelasticsearch. All of the events are received on imtcp. I'm
> attempting to discard some of the events for omfile. I was trying to
> do something like the following:
>
> ruleset(name="process_events") {
>
>     if $msg !contains "unwanted space delimited string" then {
>         action(type="omfile"
>             <snip>
>         )
>     }
>     action(type="omkafka"
>         <snip>
>     )
>     action(type="omelasticsearch"
>         <snip>
>     )
> }
>
> It seems !contains is being misinterpreted, and that the only events
> omfile processes are events containing "unwanted space delimited
> string". I assume contains can work on strings with spaces. I'm
> wondering what I have wrong with the above.
>
> This is on rsyslog-8.1910.0-0adiscon1xenial1
>
> Mark Christian
Re: syntax for a ruleset with multiple actions where 1 action discards some of the events.
Sorry, some wrong info. What I wrote is interpreted as such:

if (not $msg) contains "msgnum:" then {

and so it does not work. You need to set parentheses to negate the
contains clause:

if not ($msg contains "msgnum:") then {

Rainer

On Thu, 31 Oct 2019 at 18:55, Rainer Gerhards
(<rgerhards@hq.adiscon.com>) wrote:
>
> You should review rsyslog error logs. I guess you have something
> similar to this in them:
>
> rsyslogd: error during parsing file rstb_314075_f7994d4f_.conf, on or
> before line 17: invalid character '!' in expression - is there an
> invalid escape sequence somewhere? [v8.1911.0.master try
> https://www.rsyslog.com/e/2207 ]
>
> Bottom line: !contains is not a proper script operator. The correct if
> statement is
>
> if not $msg contains "msgnum:" then {
>
> I guess the rest is due to the config error.
>
> HTH
> Rainer
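
Added example (not part of the original posts and not the rsyslog project's own configuration): the ruleset from the first message with the parenthesized negation from the last reply. The module loads, imtcp port, file path, Kafka broker and topic, and Elasticsearch server and index are assumed placeholder values.

```rsyslog
# Constructed example: port, path, broker, topic, server and index are placeholders.
module(load="imtcp")
module(load="omkafka")
module(load="omelasticsearch")

input(type="imtcp" port="514" ruleset="process_events")

ruleset(name="process_events") {
    # Rejected by the config parser: "!" is not a RainerScript operator.
    #   if $msg !contains "unwanted space delimited string" then { ... }
    #
    # Parses, but is read as (not $msg) contains "...", so it does not
    # filter as intended.
    #   if not $msg contains "unwanted space delimited string" then { ... }

    # Parentheses make "not" apply to the whole contains test, so only
    # messages WITHOUT the string reach omfile.
    if not ($msg contains "unwanted space delimited string") then {
        action(type="omfile" file="/var/log/remote/events.log")
    }

    # Outside the if block: these actions still receive every message.
    action(type="omkafka" broker=["kafka.example.net:9092"] topic="events")
    action(type="omelasticsearch" server="es.example.net" searchIndex="events")
}
```

Running `rsyslogd -N1 -f <config file>` checks the configuration without starting the daemon, which surfaces a parse error such as the one quoted in the first reply before any events are misrouted.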