Greetings, I'm new to rsyslog and have very limited knowledge of the subject. I've googled and read all of the online documentation that I could find; however, I'm still struggling to find out whether I can filter to exclude messages. I have a lot of auditd events that I don't need to send to my centralized collection server, such as the one below.
type=SYSCALL msg=audit(1336411413.690:393395): arch=40000003 syscall=10 per=400000 success=yes exit=0 a0=89054c5 a1=0 a2=b7f6ddcc a3=64 items=2 ppid=20173 pid=20174 auid=100033 uid=0 gid=0 euid=2 suid=0 fsuid=2 egid=2 sgid=0 fsgid=2 tty=(none) ses=2648 comm="vasd" exe="/opt/quest/sbin/vasd" key="delete"

Is there a way to filter these messages out so that they're not sent to a syslog server or saved in the /var/log/audit log? Are there any good books on rsyslog that would be a good reference for a newbie? Any help or direction would be appreciated! Thanks.

Larry E. Erdahl
Information Security Services
Information Security Monitoring Group
1 Meridian Crossing
Richfield, MN 55423
Mail Code: EP-MN-MS6I
Office Phone: (612) 973-7153
Cell Phone: (612) 964-7379

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
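A filter of the kind asked about above, as an added example that is not part of the original post and not taken from rsyslog's own documentation. It assumes rsyslog 7 or later (RainerScript with the `stop` action), that auditd records reach rsyslog as ordinary syslog messages (for example through the audisp syslog plugin) so that the text of the record above is the message body, and a hypothetical collector host name and port. Two caveats a practitioner would want: rsyslog only sees what is handed to syslog, so a filter here has no effect on /var/log/audit/audit.log, which auditd writes itself; the `key="delete"` in the record comes from a `-k delete` audit rule, so suppressing the event at the source is an auditd rule change, not an rsyslog one. And the filter is deliberately as narrow as the sample supports (record type, executable and key), because a bare match on `type=SYSCALL` would silently drop every syscall record from every program, which is usually the data a security monitoring group most wants to keep.

```rsyslog
# Added example, not the original poster's configuration or rsyslog's own.
# Assumes rsyslog 7+ RainerScript and that auditd records arrive via syslog
# (audisp syslog plugin), one record per message, body starting "type=...".
# This must come before the forwarding rule: rules run top to bottom.

# Narrow filter: drop only SYSCALL records from the vasd daemon that were
# produced by the "delete" audit key. Other record types (PATH, CWD, USER_*),
# other executables and other keys are untouched and still forwarded.
# Single-quoted strings are used so the double quotes inside the record
# need no escaping.
if ($msg contains 'type=SYSCALL') and
   ($msg contains 'exe="/opt/quest/sbin/vasd"') and
   ($msg contains 'key="delete"') then {
    stop
}

# Legacy (pre-v7) equivalent as a single property-based filter. "regex" is a
# POSIX basic regex; the dots stand in for the double quotes in the record.
# Uncomment on rsyslog 5/6 instead of the block above:
#:msg, regex, "type=SYSCALL .*exe=./opt/quest/sbin/vasd.*key=.delete" ~

# Everything that survives the filter goes to the central collector over TCP.
# Host name and port are assumptions for the example.
*.* @@logcollector.example.com:514
```

Drop this into its own file under /etc/rsyslog.d/ with a name that sorts before the file holding the forwarding rule (the directory is read in lexical order), validate it with `rsyslogd -N1` before restarting, and then confirm behaviour with two test messages: one that matches all three conditions and should never reach the collector, and one that differs in only the key or the executable and should still arrive.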

