I need to deactivate RepeatedMsgReduction on my Linux server to allow fail2ban to evaluate every failed login attempt. (See this bug report: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=440037)
As I don't want to flood my log files, I would love to have that feature only on those logfiles that fail2ban scans, especially mail.warn.
Is there a way to set a conditional rule/filter in rsyslog.conf that sets
$RepeatedMsgReduction = off
iff the message is bound to mail.warn?
Ok, reading the manual and docs again and again now brought me to the solution:
Reading http://www.rsyslog.com/doc/rsconf1_repeatedmsgreduction.html tells you that the directive remains valid until the next directive is specified.
This means that if you want all messages of mail.warn, but want reduced messages in all others (mail.info and mail.err), change the configuration to look like this (assuming that message reduction is globally turned on):
With this, mail.warn will contain all messages logged, while the other log levels (and files) will contain the famous "last message repeated n times" lines. This allows e.g. fail2ban to examine mail.warn for evil activities, while the other log files stay "clean".
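An added example, not part of the original answer: a legacy-syntax rsyslog.conf fragment for the arrangement described above. The log file paths are assumed Debian-style defaults, and the fragment relies on the directive applying to the selector lines that follow it, as the answer describes.

```conf
# Constructed example; file paths are assumptions, adjust to your layout.

# Global default: collapse duplicates into "last message repeated n times".
$RepeatedMsgReduction on

# Reduced logging for the files fail2ban does not read.
mail.info    -/var/log/mail.info

# Switch reduction off just before the file fail2ban scans, so every
# failed login attempt is written as its own line.
$RepeatedMsgReduction off
mail.warn    -/var/log/mail.warn

# Switch reduction back on so every rule after this point is reduced again.
$RepeatedMsgReduction on
mail.err     /var/log/mail.err
```

Check the edited file with `rsyslogd -N1` before restarting the daemon, then confirm that repeated failures appear as separate lines in mail.warn.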