On Mon, 21 Mar 2011, Jason Frisvold wrote:
Hi all,
I'm working on a centralized logging system and I'm using rsyslog as
our syslog daemon. I'm looking to accept logs from servers, routers,
switches, and other appliances. Our syslog server is a RHEL 6 system
running rsyslog 4.6.2.
For router/switch devices, syslog comes in on a single facility and
filtering is relatively easy. But when I start combining this with
other sources such as servers, I run into problems.
To start, I configured a firewall device to send syslog via udp:10003.
I can filter these via IP :
$ModLoad imudp.so
$UDPServerRun 10003
if $source == '192.168.1.1' then /logs/syslog/FWSM_ASA/192.168.1.1.log
if $source == '192.168.2.1' then /logs/syslog/FWSM_ASA/192.168.2.1.log
...
if $source == '192.168.1.1' or $source == '192.168.2.1' ... then ~
# And then the rest of the stock rsyslog.conf is below
It would be nice if I could use a template to deal with the above, but
the only way I can think to do that would be if I could filter by the
destination port, ie 10003. So I could send firewall data to 10003,
routers to 10004, etc.
For servers, I was planning on using a TCP connection, eventually a TLS
TCP connection. Again, templating seems the right way to go, but my
testing thus far ended up with all of the data mixed up one way or another.
Has anyone done this? Can you share your rsyslog.conf file so I can see
how this is accomplished?
using the very old 4.6.2 you are limited in what you can do, with more
modern versions you can create separate rulesets and tie them in to
separate inputs.
however, I think that if you go back and look at your logs, you will find
that you can do some filtering in a much simpler way.
for example,
all Cisco equipment logs with something like %ASA (for firewalls) at the
beginning of its programname, so you could have a filter that matched all
logs with that pattern, and then used the dynafile option to split them
out to different files per machine (followed by another line to throw away
the log so that it doesn't match anything else)
repeat this for all the things that are clearly identified, and then do a
similar dynafile log for the remainder (the servers)
David Lang
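A worked version of the approach David describes, written in the legacy configuration syntax that rsyslog 4.x accepts. This is an added example, not configuration posted by either participant; the file paths under /logs/syslog/, the %FWSM tag prefix and the port numbers are assumptions.

```conf
# Added example: split logs by device class with property filters,
# then by source with dynamic file-name templates (rsyslog 4.x syntax).
$ModLoad imudp
$UDPServerRun 10003

# One file per firewall, keyed on the sender's IP address
$template FwPerHost,"/logs/syslog/FWSM_ASA/%fromhost-ip%.log"
# Everything not claimed above, keyed on the hostname in the message
$template ServerPerHost,"/logs/syslog/servers/%HOSTNAME%.log"

# Cisco ASA messages carry a tag such as "%ASA-6-302013:", so the
# programname property starts with "%ASA"; match it and write to the
# per-host dynafile, then discard the message so later rules never
# see it (the "& ~" line is the throw-away David mentions).
:programname, startswith, "%ASA" ?FwPerHost
& ~
# Assumed: FWSM units log with a "%FWSM" prefix instead
:programname, startswith, "%FWSM" ?FwPerHost
& ~

# Remainder (servers and anything unmatched): one file per host
*.* ?ServerPerHost
```

Order matters: the property filters and their "& ~" lines must come before any catch-all rules, otherwise the firewall messages also land in the server files.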
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com