Mailing List Archive

Is there a limit on the number of conditions a rule can have?
Hi there,

I have an rsyslog server that ingests logs from across our network.
One of the log sources is our wireless infrastructure and we have 29
different controllers. I have a rule that looks like this but with 29
"$fromhost-ip" conditions:

if ($fromhost-ip == '10.1.1.100' or $fromhost-ip == '10.1.2.100') then {
    action(type="omfile" file="/syslog/foo.log" template="OnlyMsg")
    & stop
}

Running 'rsyslog -N1' passes and there are no errors or warnings in
the syslog but it never actually writes to the output file and it does
have permission to write to that directory. But if I reduce the rule
to only be one IP, it works just fine.

Is there a limit on the number of conditions you can have in one rule
or is there a better way to do this?

Thanks!
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: Is there a limit on the number of conditions a rule can have?
I've had very long lists of conditions as well without a problem. How long would
that be if it's all on one line?

Also, you can use the array comparison to simplify it:

if $fromhost-ip == ['10.1.1.100','10.1.2.100'] then {

Or you can use a table lookup (which has the advantage that you can reload the
table without having to restart rsyslog when that's all that you need to update).

A table lookup will be faster than a long series of comparisons.

David Lang
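
The table lookup suggested in the reply above, written out as an added example (it is not part of the original post or the rsyslog project's own configuration). The table name `wlc_controllers`, its file path, the value `wlc` and the variable `$.srcclass` are assumptions; the `OnlyMsg` template is the original poster's and is assumed to be defined elsewhere in the configuration.

```rsyslog
# /etc/rsyslog.d/wlc.conf  (file name is an assumption)
#
# Lookup table file, /etc/rsyslog.d/wlc_controllers.json (constructed sample;
# one "index" entry per controller, 29 entries in the poster's case):
#
#   { "version": 1,
#     "nomatch": "other",
#     "type": "string",
#     "table": [
#       { "index": "10.1.1.100", "value": "wlc" },
#       { "index": "10.1.2.100", "value": "wlc" }
#     ]
#   }

# Load the table once at startup. With reloadOnHUP="on", sending SIGHUP to
# rsyslogd re-reads the JSON file, so adding or removing a controller does
# not need a restart.
lookup_table(name="wlc_controllers"
             file="/etc/rsyslog.d/wlc_controllers.json"
             reloadOnHUP="on")

# Classify the sender. Addresses not in the table get the "nomatch" value.
set $.srcclass = lookup("wlc_controllers", $fromhost-ip);

if $.srcclass == "wlc" then {
    # OnlyMsg is the template named in the original rule (assumed defined).
    action(type="omfile" file="/syslog/foo.log" template="OnlyMsg")
    stop
}

# Equivalent array comparison from the reply, completed with the same action:
# if $fromhost-ip == ['10.1.1.100', '10.1.2.100'] then {
#     action(type="omfile" file="/syslog/foo.log" template="OnlyMsg")
#     stop
# }
```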


Re: Is there a limit on the number of conditions a rule can have?
Never mind, this was user error :)

Re: Is there a limit on the number of conditions a rule can have?
+1000 for the table response from David. This is the best answer for most
use cases.

Cheers,

JB
