diff options
| -rw-r--r-- | doc/rsyslog_conf_actions.html | 118 |
1 files changed, 117 insertions, 1 deletions
diff --git a/doc/rsyslog_conf_actions.html b/doc/rsyslog_conf_actions.html index 0c7705f8..a468a403 100644 --- a/doc/rsyslog_conf_actions.html +++ b/doc/rsyslog_conf_actions.html @@ -3,6 +3,123 @@ <body> <p>This is a part of the rsyslog.conf documentation.</p> <a href="rsyslog_conf.html">back</a> +<h2>Actions</h2> +The action describes what to do with a log message. In general, +message content is written to a kind of "logfile". +But also other actions might be done, like writing to a database +table or forwarding to another host.<br> +<br> +There is a certain base format to configure a action that needs to follow +either a selector or a filter. If no selector or filter is configured +before the action line begins, all messages will be used automatically.<br> +<br> +A action line could look like this</p> +<p><code><b>*.auth action(type="omfwd" file="/var/log/auth")</b></code></p> +<p>Or a little simpler</p> +<p><code><b>action(type="omfwd" file="/var/log/auth")</b></code></p> +<p> without a selector, which will execute the action for all messages. +The command to initiate a action is always action(). +In the brackets you determine the parameters for the action, like type, +destination or special processing parameters. There are two types of action +parameters. The first are the general action parameters described below. +The second type are the module instance parameters. They are described in +the documentation of the respective module.</p> +<h3>General Action Parameters</h3> +<ul> + <li><strong>name</strong> word + <br>used primarily for documentation, e.g. when generating a configuration graph. </li> + <li><strong>type</strong> string + <br>Mandatory parameter for every action. The name of the module that should be used. </li> + <li><strong>action.writeallmarkmessages</strong> on/off + <br>[available since 5.1.5] - Normally, mark messages are written to actions only if the action was not recently executed (by default, recently means within the past 20 minutes). If this setting is switched to "on", mark messages are always sent to actions, no matter how recently they have been executed. In this mode, mark messages can be used as a kind of heartbeat. Note that this option auto-resets to "off", so if you intend to use it with multiple actions, it must be specified in front off all selector lines that should provide this functionality. </li> + <li><strong>action.execonlyeverynthtime</strong> integer + <br>If configured, the next action will only be executed every n-th time. For example, if configured to 3, the first two messages that go into the action will be dropped, the 3rd will actually cause the action to execute, the 4th and 5th will be dropped, the 6th executed under the action, ... and so on. Note: this setting is automatically re-set when the actual action is defined.</li> + <li><strong>action.execonlyeverynthtimeout</strong> integer + <br>Has a meaning only if Action.ExecOnlyEveryNthTime is also configured for the same action. If so, the timeout setting specifies after which period the counting of "previous actions" expires and a new action count is begun. Specify 0 (the default) to disable timeouts. +Why is this option needed? Consider this case: a message comes in at, eg., 10am. That's count 1. Then, nothing happens for the next 10 hours. At 8pm, the next one occurs. That's count 2. Another 5 hours later, the next message occurs, bringing the total count to 3. Thus, this message now triggers the rule. +The question is if this is desired behavior? Or should the rule only be triggered if the messages occur within an e.g. 20 minute window? If the later is the case, you need a +<br>Action.ExecOnlyEveryNthTimeTimeout="1200" +<br>This directive will timeout previous messages seen if they are older than 20 minutes. In the example above, the count would now be always 1 and consequently no rule would ever be triggered. </li> + <li><strong>action.execonlyonceeveryinterval</strong> integer + <br>Execute action only if the last execute is at last <seconds> seconds in the past (more info in ommail, but may be used with any action)</li> + <li><strong>action.execonlywhenpreviousissuspended</strong> on/off + <br>This directive allows to specify if actions should always be executed ("off," the default) or only if the previous action is suspended ("on"). This directive works hand-in-hand with the multiple actions per selector feature. It can be used, for example, to create rules that automatically switch destination servers or databases to a (set of) backup(s), if the primary server fails. Note that this feature depends on proper implementation of the suspend feature in the output module. All built-in output modules properly support it (most importantly the database write and the syslog message forwarder).</li> + <li><strong>action.repeatedmsgcontainsoriginalmsg</strong> on/off + <br>"last message repeated n times" messages, if generated, have a different format that contains the message that is being repeated. Note that only the first "n" characters are included, with n to be at least 80 characters, most probably more (this may change from version to version, thus no specific limit is given). The bottom line is that n is large enough to get a good idea which message was repeated but it is not necessarily large enough for the whole message. (Introduced with 4.1.5). Once set, it affects all following actions.</li> + <li><strong>action.resumeretrycount</strong> integer + <br>[default 0, -1 means eternal]</li> + <li><strong>action.resumeinterval</strong> integer + <br>Sets the ActionResumeInterval for the action. The interval provided is always in seconds. Thus, multiply by 60 if you need minutes and 3,600 if you need hours (not recommended). +When an action is suspended (e.g. destination can not be connected), the action is resumed for the configured interval. Thereafter, it is retried. If multiple retires fail, the interval is automatically extended. This is to prevent excessive ressource use for retires. After each 10 retries, the interval is extended by itself. To be precise, the actual interval is (numRetries / 10 + 1) * Action.ResumeInterval. so after the 10th try, it by default is 60 and after the 100th try it is 330.</li> +</ul> +<h3>Action Queues</h3> +<p>For some types of action it would make sense to have a queue ready which +will "store" log messages on a interim basis to prevent message loss. This +commonly applies to the forwarding kind of actions. Here is a list of Parameters +that are used for a action queue. Queues are described in the <a href="queues.html">respective article</a>.</p> +<ul> + <li><strong>Action.QueueCheckpointInterval</strong> number</li> + <li><strong>ActionQueueDequeueBatchSize </strong> number (default 16)</li> + <li><strong>ActionQueueDequeueSlowdown </strong> number + <br>number is timeout in microseconds (1000000us is 1sec!), default 0 (no delay). Simple rate-limiting!</li> + <li><strong>ActionQueueDiscardMark </strong>number (default 9750)</li> + <li><strong>ActionQueueDiscardSeverity </strong>number + <br>*numerical* severity! default 8 (nothing discarded)</li> + <li><strong>ActionQueueFileName </strong>name</li> + <li><strong>ActionQueueHighWaterMark </strong>number (default 8000)</li> + <li><strong>ActionQueueImmediateShutdown </strong> on/<b>off</b></li> + <li><strong>ActionQueueSize </strong> number</li> + <li><strong>ActionQueueLowWaterMark </strong> number (default 2000)</li> + <li><strong>ActionQueueMaxFileSize </strong>size_nbr (default 1m)</li> + <li><strong>ActionQueueTimeoutActionCompletion </strong>number + <br>number is timeout in ms (1000ms is 1sec!), default 1000, 0 means immediate!</li> + <li><strong>ActionQueueTimeoutEnqueue </strong>number + <br>number is timeout in ms (1000ms is 1sec!), default 2000, 0 means indefinite</li> + <li><strong>ActionQueueTimeoutShutdown </strong> number + <br>number is timeout in ms (1000ms is 1sec!), default 0 (indefinite)</li> + <li><strong>ActionQueueWorkerTimeoutThreadShutdown </strong>number + <br>number is timeout in ms (1000ms is 1sec!), default 60000 (1 minute)</li> + <li><strong>ActionQueueType </strong>FixedArray/LinkedList/<b>Direct</b>/Disk</li> + <li><strong>ActionQueueSaveOnShutdown </strong>on/<b>off</b></li> + <li><strong>ActionQueueWorkerThreads </strong>number + <br>number of worker threads, default 1, recommended 1</li> + <li><strong>ActionQueueWorkerThreadMinumumMessages </strong>number (default 100)</li> +</ul> +<h3>Multiple Actions</h3> +<p>You can have multiple actions for a single selector (or more precisely +a single filter of such a selector line). Each action must be called with +it's own action() statement and must all be enclosed by square brackets. +An example would be</p> +<p><code>*.=crit[ +<br>action(type="omfwd" target="10.10.10.1" port="514" transport="udp") +<br>action(type="omusrmsg" user="rger") +<br>action(type="omfile" file="/var/log/critmsgs") +<br>]</code></p> +<p>These three lines send critical messages to a host via UDP, the user rger +and also store them in /var/log/critmsgs. Using multiple actions per selector +is convenient and also offers a performance benefit. As the filter needs to +be evaluated only once, there is less computation required to process +the directive</p> +<h3>Stop/Discard</h3> +<p>The stop action is no real action. It is basically a trigger to stop +processing of the message. Though, it is basically used instead of action() +in a selector line. For obvious reasons, the result of "stop" is depending +on where in the configuration it is used. Please note, that once processing +of a message has been stopped, there is no way to retrieve it in later +configuration file lines. <br> +<br> +Stop can be highly effective if you want to filter out some annoying +messages that otherwise would fill your log files. To do that, place the +discard actions early in your log files. This often plays well with +property-based filters, giving you great freedom in specifying what you +do not want.<br> +<br> +It can be used like this:</p> +<p><code>Stop</code></p> +<p>Here, processing for all messages will be stopped and the messages will +be discarded. Though, using it this way is obviously stupid, especially at +the beginning of the configuration.</p> + <h2>Actions (legacy format)</h2> <p>The action field of a rule describes what to do with the message. In general, message content is written to a kind of "logfile". @@ -331,7 +448,6 @@ one template name for each given action. The default template is specific to each action. For a description of what a template is and what you can do with it, see "TEMPLATES" at the top of this document.</p> - <p>[<a href="manual.html">manual index</a>] [<a href="rsyslog_conf.html">rsyslog.conf</a>] [<a href="http://www.rsyslog.com/">rsyslog site</a>]</p> |