Hello,

I'm sure this is a stupid question, but I can't seem to get this to work. I'm 
collecting logs from a variety of network devices. What I'm trying to do is:

1) I want SSH-related logs to go to 3 files:
  a) All logs to go ?DailySSHFile
  b) Accepted logins go to ?DailySSHAcceptedFile
  c) Failed logins go to ?DailySSHFailedFile

2) There is a firewall, and logs should go to 4 files there:
  a) If the programname is RT_FLOW, go to ?HourlyFlowFile
  b) If the programname is RT_IDS, go to ?DailyIDSFile
  c) If the programname is RT_IDP, go to ?HourlyIDPFile
  d) Everything else goes to the standard ?DailyFile

3) All other logs go to ?DailyFile

This seems like a great opportunity to use omruleset, with a ruleset for SSH, 
and a ruleset for the firewall. Here is the relevant bit of my config:

-- Begin config --

# ruleset that sshd messages are handed to via omruleset
$ruleset SSH
$RulesetCreateMainQueue on
*.* -?DailySSHFile
if $msg contains 'Accepted' then -?DailySSHAcceptedFile
if $msg contains 'Failed' or $msg contains 'authentication error' then -?DailySSHFailedFile
&~

# ruleset that messages from the firewall (fw1) are handed to via omruleset
$ruleset firewall
$RulesetCreateMainQueue on
if $programname == 'RT_FLOW' then -?HourlyFlowFile
if $programname == 'RT_IDS' then -?DailyIDSFile
if $programname == 'RT_IDP' then -?HourlyIDPFile
&~

$ruleset networking_devices
$ActionOmrulesetRulesetName firewall
if $hostname == 'fw1' then :omruleset:

*.* -?DailyFile

$ActionOmrulesetRulesetName SSH
if $programname == 'sshd' then :omruleset:

-- End config --

SSH works fine, but all logs from fw1 are just logged to ?DailyFile. Here's a 
snippet with debugging turned on:

Debug line with all properties:
FROMHOST: 'lumberjack.xxx.illinois.edu', fromhost-ip: '128.174.4.xxx', HOSTNAME: 'fw1', PRI: 14,
syslogtag 'RT_FLOW:', programname: 'RT_FLOW', APP-NAME: 'RT_FLOW', PROCID: '', MSGID: '-',
TIMESTAMP: 'Apr 17 11:20:48', STRUCTURED-DATA: '-',
msg: ' RT_FLOW_SESSION_CLOSE: session closed TCP FIN: ...'
escaped msg: ' RT_FLOW_SESSION_CLOSE: session closed TCP FIN: ...'
inputname: imudp rawmsg: '<14>Apr 17 11:20:48 fw1 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: ...'


Can anyone see any glaring issues with this setup? Or, perhaps a better way to 
do it? I'm on rsyslog 6.3.8.

Many thanks!

-- 
Vlad Grigorescu | IT Security Engineer
Office of Privacy and Information Assurance
University of Illinois at Urbana-Champaign
0x632E5272 | 217.244.1922
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
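One way to lay out the routing the post asks for, written in rsyslog 5/6 legacy syntax. This is an added example, not the poster's config and not sample code from the rsyslog project. It assumes the dynafile templates (DailyFile, DailySSHFile, HourlyFlowFile and the rest) are defined earlier in the file, and that omruleset is loaded with $ModLoad. The point it illustrates: omruleset is an ordinary action. It submits the message to the named ruleset's queue and then processing continues with the next line of the calling ruleset, so a message from fw1 that is handed to the firewall ruleset still falls through to the `*.* -?DailyFile` line unless it is discarded. The `& ~` lines do that: `&` re-applies the filter of the preceding line and `~` discards the message, ending its processing in the current ruleset.

```rsyslog
# Added example (not the poster's config). Assumes the dynafile
# templates referenced below are defined earlier in rsyslog.conf.
$ModLoad omruleset

# --- SSH ruleset: every sshd message is handed here via omruleset ---
$ruleset SSH
$RulesetCreateMainQueue on
*.* -?DailySSHFile
if $msg contains 'Accepted' then -?DailySSHAcceptedFile
if $msg contains 'Failed' or $msg contains 'authentication error' then -?DailySSHFailedFile

# --- firewall ruleset: every message from fw1 is handed here ---
$ruleset firewall
$RulesetCreateMainQueue on
if $programname == 'RT_FLOW' then -?HourlyFlowFile
# '&' reuses the filter above, '~' discards: RT_FLOW stops here and
# does not reach the catch-all at the end of this ruleset
& ~
if $programname == 'RT_IDS' then -?DailyIDSFile
& ~
if $programname == 'RT_IDP' then -?HourlyIDPFile
& ~
# whatever fw1 sends that is not RT_FLOW / RT_IDS / RT_IDP
*.* -?DailyFile

# --- ruleset bound to the network-device inputs ---
$ruleset networking_devices
$ActionOmrulesetRulesetName firewall
if $hostname == 'fw1' then :omruleset:
# omruleset only queues the message for the firewall ruleset; without
# this discard the same message continues down this ruleset and is
# also written to DailyFile
& ~

*.* -?DailyFile

# sshd messages are queued to the SSH ruleset after the catch-all, so
# they appear in DailyFile as well (same ordering as the original post)
$ActionOmrulesetRulesetName SSH
if $programname == 'sshd' then :omruleset:
```

If sshd messages should be kept out of DailyFile too, move the `$ActionOmrulesetRulesetName SSH` / `:omruleset:` pair above the `*.* -?DailyFile` line and follow it with its own `& ~`, exactly as done for fw1. Whichever layout is used, `rsyslogd -N1 -f <file>` is a cheap way to catch syntax slips such as an `if ... then` action wrapped onto a second line before the daemon is restarted.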