I have a bunch of lines like this in /etc/rsyslog.d/systemd-drivel.conf:
:msg, contains, "Activating via systemd" ~ :msg, contains, "Activation via systemd failed" ~
Every time I boot, rsyslogd complains about the deprecated syntax:
Aug 9 18:39:21 zooty rsyslogd-2307: warning: ~ action is deprecated, consider using the 'stop' statement instead [v8.8.0 try http://www.rsyslog.com/e/2307 ]
Yet no google-fu seems to be powerful enough to find an example of "using the 'stop' statement"
Can anyone tell me *exactly* what to put in a file in /etc/rsyslog.d to use this mythical, yet uttery, utterly, undocumented "stop" statement?
Absolutely none of the links from the URL in the message have any descriptions of how to use the new and improved syntax.
The man page for rsyslogd still documents the deprecated stuff and doesn't say anything at all about any new syntax.
This appears to be a classic example of open source project obfuscation by "improvement" :-)
On Sun, 2015-08-09 at 19:11 -0400, Tom Horsley wrote:
I have a bunch of lines like this in /etc/rsyslog.d/systemd-drivel.conf:
:msg, contains, "Activating via systemd" ~ :msg, contains, "Activation via systemd failed" ~
Every time I boot, rsyslogd complains about the deprecated syntax:
Aug 9 18:39:21 zooty rsyslogd-2307: warning: ~ action is deprecated, consider using the 'stop' statement instead [v8.8.0 try http://www.rsyslog.com/e/2307 ]
Yet no google-fu seems to be powerful enough to find an example of "using the 'stop' statement"
Can anyone tell me *exactly* what to put in a file in /etc/rsyslog.d to use this mythical, yet uttery, utterly, undocumented "stop" statement?
I can't remember how I came up with this, but I ran into that some time back when creating a config. Here is what I found to work:
16:25-doug@wombat-~>cat /etc/rsyslog.d/pace-router.conf :fromhost-ip, isequal, "192.168.10.1" /var/log/pace.log & stop
I never did get the Pace router to write to the log but I did the errors to stop by using that language instead of the ~.
On Sun, 2015-08-09 at 19:36 -0400, Tom Horsley wrote:
On Sun, 09 Aug 2015 16:28:16 -0700 Doug H. wrote:
:fromhost-ip, isequal, "192.168.10.1" /var/log/pace.log & stop
So basically I replace the ~ with & stop ?
I don't remember why I put it on the second line but I suspect I found something via google.
Is it really on the 2nd line or did the email line wrap? :-).
Yup, simpler two liner.
On Sun, 09 Aug 2015 16:44:51 -0700 Doug H. wrote:
So basically I replace the ~ with & stop ?
I don't remember why I put it on the second line but I suspect I found something via google.
Well, when I try it, rsyslogd won't start, so it hates something about my file.
I guess I'll stick with the deprecated syntax :-).
Depends on what you are trying to achieve:
:msg, contains, "some string" stop
(on one line) will discard any message containing "some string".
:msg, contains, "some other string" /var/log/messages & stop
(across two lines) will cause any message containing "some other string" to be logged in messages and *then* discard it from further processing.
IIRC if you omit the "& stop" then it is possible that the message will match further down the config and be logged in multiple places - possibly desirable for security related messages), so you could do something like this:
:msg, contains, "some other string" /var/log/messages :msg, contains, "some other string" /var/log/secure & stop
On 10 August 2015 at 02:19, Tom Horsley horsley1953@gmail.com wrote:
On Sun, 09 Aug 2015 16:44:51 -0700 Doug H. wrote:
So basically I replace the ~ with & stop ?
I don't remember why I put it on the second line but I suspect I found something via google.
Well, when I try it, rsyslogd won't start, so it hates something about my file.
I guess I'll stick with the deprecated syntax :-).
users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
On Sun, Aug 9, 2015 at 7:11 PM, Tom Horsley horsley1953@gmail.com wrote:
I have a bunch of lines like this in /etc/rsyslog.d/systemd-drivel.conf:
:msg, contains, "Activating via systemd" ~ :msg, contains, "Activation via systemd failed" ~
Every time I boot, rsyslogd complains about the deprecated syntax:
Aug 9 18:39:21 zooty rsyslogd-2307: warning: ~ action is deprecated, consider using the 'stop' statement instead [v8.8.0 try http://www.rsyslog.com/e/2307 ]
Replace "~" by "stop".
Or use syslog-ng :) Rainer's ideas about the syntax and documentation is quite interesting :)
L I have a bunch of lines like this in /etc/rsyslog.d/systemd-drivel.conf:
:msg, contains, "Activating via systemd" ~ :msg, contains, "Activation via systemd failed" ~
Every time I boot, rsyslogd complains about the deprecated syntax:
Aug 9 18:39:21 zooty rsyslogd-2307: warning: ~ action is deprecated, consider using the 'stop' statement instead [v8.8.0 try http://www.rsyslog.com/e/2307 ]
Yet no google-fu seems to be powerful enough to find an example of "using the 'stop' statement"
Can anyone tell me *exactly* what to put in a file in /etc/rsyslog.d to use this mythical, yet uttery, utterly, undocumented "stop" statement?
Absolutely none of the links from the URL in the message have any descriptions of how to use the new and improved syntax.
The man page for rsyslogd still documents the deprecated stuff and doesn't say anything at all about any new syntax.
This appears to be a classic example of open source project obfuscation by "improvement" :-) -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
-
Andy Blanchard -
Doug H. -
Pal, Laszlo -
Tom H -
Tom Horsley