Markus, this may also be useful:
http://wiki.rsyslog.com/index.php/Sysklogd_drop-in_with_remote_logs_separated_by_dynamic_directory

Rainer

> -----Original Message-----
> From: [email protected] [mailto:rsyslog-[email protected]] On Behalf Of Rainer Gerhards
> Sent: Wednesday, October 06, 2010 2:17 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] Outgoing Mails Logfile - Ported from Syslog-ng
>
> Hi Markus,
>
> unfortunately I do not have time at the moment to go through this at full
> length. But a couple of points below:
>
> > -----Original Message-----
> > From: [email protected] [mailto:rsyslog-[email protected]] On Behalf Of Markus Stegmueller
> > Sent: Monday, October 04, 2010 12:52 PM
> > To: [email protected]
> > Subject: [rsyslog] Outgoing Mails Logfile - Ported from Syslog-ng
> >
> > Hello,
> >
> > I am trying to convert my syslog-ng filter to a working rsyslog filter
> > configuration. Here is my syslog-ng filter:
> >
> > destination d_antispam { file("/var/log/mail_antispam"); };
> >
> > filter f_antispam { facility(mail) and not match("[email protected]") and not
> > match("localhost.example.de") and not match("[email protected]") and not
> > match("maildummy@") and not match("nob...@example") and not match("spamdrop") and not
> > match("NOQUEUE") and not match("reject:")
> > and ((match("to=<") and match("status=sent") and not match("relay=procmail") and not
> > match("relay=/var/lib/imap/socket/lmtp") and not match("relay=local") and not
> > match("relay=10.0.50.2")) or match("from=<.*example\.de>")); };
> >
> > log { source(src); filter(f_antispam); destination(d_antispam); };
> >
> > This filter is to get all the mails that were sent from example.de
> > users, so I can re-use them to make a whitelist.
>
> I don't know syslog-ng syntax, but guess I got an idea of what you do.
>
> > I tried to make an expression-based filter:
> >
> > if $syslogfacility-text == 'mail' and not $msg contains
> > '[email protected]' and not $msg contains
> > 'localhost.example.de' and not $msg contains '[email protected]' and not
> > $msg contains 'maildummy@'
> > and not $msg contains 'nob...@example' and not $msg contains 'spamdrop'
> > and not $msg contains
> > 'NOQUEUE' and not $msg contains 'reject:' and ( $msg contains 'to=<'
> > and $msg contains 'status=sent'
> > and not $msg contains 'relay=procmail' and not $msg contains
> > 'relay=/var/lib/imap/socket/lmtp' and
> > not $msg contains 'relay=local' and not $msg contains 'relay=10.0.50.2'
> > ) or $msg contains
> > 'from=<.*example.de>' then /var/log/mail_antispam
>
> This sounds basically correct. Is it all on one line? If not, you need to add
> "\" at the end of each line, an artifact of the current config system. Like
> this:
>
> if $syslogfacility-text == 'mail' and not $msg contains \
> '[email protected]' and not $msg contains \
> 'localhost.example.de' and not $msg contains '[email protected]' and not \
> ...
>
> If that does not solve the issue, please reduce the logic until it works.
> Then we can check what the culprit is. Also make sure you do not get any
> errors while reading the config file. Finally, a look at rsyslog's debug log
> may help.
>
> > And also a property-based one:
> >
> > :msg, contains, "to=<" ~
> > :msg, contains, "status=sent" ~
> > :msg, regex, "from=<.*example\.de>" ~
> > :msg, !contains, "localhost.example.de" ~
> > :msg, !contains, "[email protected]" ~
> > :msg, !contains, "maildummy@" ~
> > :msg, !contains, "[email protected]" ~
> > :msg, !contains, "spamdrop" ~
> > :msg, !contains, "NOQUEUE" ~
> > :msg, !contains, "reject:" ~
> > :msg, !contains, "relay=procmail" ~
> > :msg, !contains, "relay=/var/lib/imap/socket/lmtp" ~
> > :msg, !contains, "relay=local" ~
> > :msg, !contains, "relay=10.0.50.2" ~
> > mail.* -/var/log/mail_antispam
> >
> > With the property-based filters, I do not understand how to make an AND
> > or an OR... and with the expression-based one,
>
> Because that's not possible. For boolean filters, you need to use the if-type
> of filter.
>
> HTH
> Rainer
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com
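As an added check, not part of the thread or of rsyslog itself: a Python emulation of the filter's clauses over constructed Postfix-style log lines, comparing the syslog-ng grouping (exclusions AND (outbound-sent OR local-sender)) with the flat grouping in the ported expression, where the trailing `or` sits outside the exclusion group. The exclusion lists are a subset of the thread's (the redacted addresses are left out) and the sample lines are made up.

```python
import re

# Exclusions ported from the thread's filter (subset; redacted addresses omitted).
EXCLUDE = ["localhost.example.de", "maildummy@", "spamdrop", "NOQUEUE", "reject:"]
RELAY_EXCLUDE = ["relay=procmail", "relay=/var/lib/imap/socket/lmtp",
                 "relay=local", "relay=10.0.50.2"]
# The syslog-ng match() is a regex; modelled the same way for both variants here.
# Note that rsyslog's 'contains' is a literal substring test, so the expression
# filter as posted would need a regex comparison for this clause to match.
FROM_LOCAL = re.compile(r"from=<.*example\.de>")


def sent_externally(msg):
    """Delivered outbound: has a recipient, status=sent, and no local relay."""
    return ("to=<" in msg and "status=sent" in msg
            and not any(r in msg for r in RELAY_EXCLUDE))


def filter_grouped(msg):
    """syslog-ng grouping: NOT excluded AND (sent_externally OR from_local)."""
    if any(x in msg for x in EXCLUDE):
        return False
    return sent_externally(msg) or FROM_LOCAL.search(msg) is not None


def filter_flat(msg):
    """Flat grouping of the ported expression: 'and' binds tighter than 'or',
    so the from_local branch is reached regardless of the exclusions."""
    passes_exclusions = not any(x in msg for x in EXCLUDE)
    return (passes_exclusions and sent_externally(msg)) \
        or FROM_LOCAL.search(msg) is not None


def diverging(lines):
    """Return the lines on which the two groupings disagree."""
    return [m for m in lines if filter_grouped(m) != filter_flat(m)]


# Constructed Postfix-style lines, not taken from any real log.
SAMPLE = [
    "postfix/smtp[411]: 3F2A1: to=<alice@mx.other.test>, "
    "relay=mx.other.test[192.0.2.10]:25, status=sent (250 2.0.0 Ok)",
    "postfix/smtpd[402]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: "
    "554 5.7.1 Relay access denied; from=<forged@example.de> to=<bob@other.test>",
    "postfix/local[420]: 7B9C2: to=<carol@localhost.example.de>, relay=local, "
    "status=sent (delivered to command: procmail)",
]

if __name__ == "__main__":
    for m in SAMPLE:
        print(filter_grouped(m), filter_flat(m), m[:60])
    print("diverging:", len(diverging(SAMPLE)))
```

The rejected line with a forged example.de sender is the one the two groupings disagree on: the outer parentheses of the syslog-ng version keep it out, the flat expression lets it through.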

