On Tue, 27 Oct 2009, Jonathan Bond-Caron wrote:

> Date: Tue, 27 Oct 2009 15:40:42 -0400
> From: Jonathan Bond-Caron <[email protected]>
> Reply-To: rsyslog-users <[email protected]>
> To: [email protected]
> Subject: [rsyslog] Property-Based Filters, not working?
>
> I tried adding the following to my config file:
>
> :msg,contains,"MSWinEventLog"
> *.* /var/log/windows.log
>
> :msg, !contains, "MSWinEventLog"
> *.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/messages

This is not how the property-based filters work. I made the same mistake.

Instead of

:msg,contains,"MSWinEventLog"
*.* /var/log/windows.log

it should be

:msg,contains,"MSWinEventLog" /var/log/windows.log

When you do filter rules, those filters are everything; you don't also do facility/priority filters as well (or if you need to do so, you need to make a compound "if (() and ())" type rule).

FYI, what I do with snare is

$template fixsnareFormat,"%timereported% %HOSTNAME% MSWinEventLog %syslogtag:18:$%%msg:::drop-last-lf%\n"
$template fixsnareForwardFormat,"<%pri%>%timereported% %HOSTNAME% MSWinEventLog %syslogtag:18:$:%%msg:::drop-last-lf%\n"
$template fixsnareFormat2,"%timereported% %fromhost-ip% broken-MSWinEventLog %HOSTNAME% %syslogtag:18:$%%msg:::drop-last-lf%\n"
$template fixsnareForwardFormat2,"<%pri%>%timereported% %fromhost-ip% broken-MSWinEventLog %HOSTNAME% %syslogtag:18:$:%%msg:::drop-last-lf%\n"

:hostname, contains ,"MSWinEventLog" /var/log/messages;fixsnareFormat2
& @192.168.210.8;fixsnareForwardFormat2
& ~

:syslogtag, startswith, "MSWinEventLog\011" /var/log/messages;fixsnareFormat
& @192.168.210.8;fixsnareForwardFormat
& ~

*.* /var/log/messages;TraditionalFormat
*.* @192.168.210.8

The fixsnare*2 formats are to handle cases where I haven't tracked down why snare is sending things incorrectly (8 of a couple hundred servers).

David Lang

> security.* /var/log/security
> auth.info;authpriv.info /var/log/auth.log
>
> However the filter doesn't seem to apply; when debugging, the parse sequence goes like this:
>
> 5250.008750501:main thread: Action 0x80a8600: queue 0x8094c00 created
> 5250.008823471:main thread: cfline: ':msg,contains,"MSWinEventLog"'
> 5250.008884805:main thread: selector line successfully processed
> 5250.008943799:main thread: - property-based filter
> 5250.009059262:main thread: tried selector action for builtin-file: -2001
> 5250.009130893:main thread: tried selector action for builtin-fwd: -2001
> 5250.009195089:main thread: tried selector action for builtin-shell: -2001
> 5250.009259497:main thread: tried selector action for builtin-discard: -2001
> 5250.009324602:main thread: tried selector action for builtin-usrmsg: -2001
> 5250.009394008:main thread: tried selector action for ompgsql.so: -2001
> 5250.009454057:main thread: config line NOT successfully processed
>
> Am I missing something?
>
> rsyslogd 4.4.2, compiled with:
> FEATURE_REGEXP: Yes
> FEATURE_LARGEFILE: Yes
> FEATURE_NETZIP (message compression): Yes
> GSSAPI Kerberos 5 support: No
> FEATURE_DEBUG (debug build, slow code): No
> Atomic operations supported: No
> Runtime Instrumentation (slow code): No
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com
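As an added illustration (not part of this thread and not rsyslog code), a small Python model of how the Snare ruleset above dispatches messages: each property-based selector is the whole filter for its line, "&" continues that selector's action chain, "~" discards so the later "*.*" catch-all never sees the message, and templates use the %prop:from:to:options% replacer (the "\011" in the startswith filter is a tab). The sample messages, the tag layout that makes position 18 meaningful, and the simplified stand-in for TraditionalFormat are constructed assumptions; the forward actions to @192.168.210.8 are left out.

```python
import re

# Constructed sample messages (not from the thread): a Snare line, a mangled Snare line, a Linux line.
MESSAGES = [
    {"hostname": "winbox1", "syslogtag": "MSWinEventLog\t123\tSecurity\t",
     "msg": "4624 logon success\n", "timereported": "Oct 27 15:40:42"},
    {"hostname": "MSWinEventLog", "syslogtag": "broken:", "fromhost-ip": "10.0.0.9",
     "msg": "event from a misbehaving agent\n", "timereported": "Oct 27 15:40:43"},
    {"hostname": "lnx1", "syslogtag": "sshd[123]:",
     "msg": "Accepted publickey for alice\n", "timereported": "Oct 27 15:40:44"},
]
def prop_filter(prop, op, value):
    """Model of the selector ':prop, op, "value"'; a leading '!' negates it."""
    negate, op = op.startswith("!"), op.lstrip("!")
    def test(m):
        p = m.get(prop, "")
        hit = value in p if op == "contains" else p.startswith(value)
        return hit != negate
    return test
def render(template, m):
    """Subset of the property replacer %prop[:from:to[:opt]]% (1-based, '$' = end)."""
    def sub(match):
        prop, frm, to, opt = match.groups()
        val = str(m.get(prop.lower(), ""))
        if frm:  # e.g. %syslogtag:18:$% keeps the tag from character 18 onward
            val = val[int(frm) - 1:len(val) if to == "$" else int(to)]
        if opt == "drop-last-lf" and val.endswith("\n"):
            val = val[:-1]
        return val
    return re.sub(r"%([A-Za-z-]+)(?::(\d*):([^:%]*)(?::([^%]*))?)?%", sub, template)
FIX = "%timereported% %HOSTNAME% MSWinEventLog %syslogtag:18:$%%msg:::drop-last-lf%"
FIX2 = "%timereported% %fromhost-ip% broken-MSWinEventLog %HOSTNAME% %syslogtag:18:$%%msg:::drop-last-lf%"
TRAD = "%timereported% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%"  # simplified stand-in
RULES = [  # one selector per rule, then its '&' action chain; target '~' discards
    (prop_filter("hostname", "contains", "MSWinEventLog"),
     [("/var/log/messages", FIX2), ("~", None)]),
    (prop_filter("syslogtag", "startswith", "MSWinEventLog\t"),
     [("/var/log/messages", FIX), ("~", None)]),
    (lambda m: True, [("/var/log/messages", TRAD)]),  # the catch-all '*.*' line
]
def deliver(rules, m):
    """Actions fired for one message: each matching rule's chain in order, stopped by '~'."""
    fired = []
    for flt, actions in rules:
        if flt(m):
            for target, tpl in actions:
                if target == "~":
                    return fired
                fired.append((target, render(tpl, m)))
    return fired
```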

