Hi, I'm trying to figure out how to replace all occurrences of IPv4 addresses in syslog messages with some redacted replacement. For example, this could be used to convert:

    imaplogin: LOGIN, user=myuser, ip=[69.90.134.200], protocol=IMAP

into this:

    imaplogin: LOGIN, user=myuser, ip=[0.0.0.0], protocol=IMAP

Of course each service that is sent to syslog has a different format, so if the service was postfix, or ssh or whatever, the IP will appear in a different location in the log file (or nowhere).

I can do this with syslog-ng relatively easily, as well as dsyslog, but I really would prefer to use rsyslog instead!

I've been reading the manual to try and find out how this could be done. I thought perhaps a template with a property replacer would work, but the IP is part of the 'msg' property in different locations, and with property replacement I would have to select with a regexp everything that is *not* an IP and return that, which doesn't seem right.

I found the message modification module capability, and the documentation even suggests that it could be used to anonymize message content. However, that would require writing C and compiling it against rsyslog. I'm looking for something easier, that can be added to the configuration.

I also found mmnormalize, which looks really powerful, but unless I misunderstand liblognorm, one has to define the structure of the incoming messages, which works if you know how all the incoming messages will be structured... but syslog messages coming from every possible service on a modern Linux system means a huge number of different types of incoming message structures.

Thanks for any suggestions or ideas!

micah
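
The redaction asked about above, as an added example that is not part of the original post and is not rsyslog code: a Python filter that rewrites every valid dotted-quad IPv4 address to 0.0.0.0 wherever it sits in the message text, with no knowledge of the service's format. The function name `redact_ipv4` and all sample lines except the imaplogin one are constructed for illustration.

```python
import re

# One octet, 0-255. Zero-padded forms such as "069" are not accepted.
_OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"

# Four octets. The lookarounds reject a candidate glued to further digits or
# dotted groups, so "1.2.3.4.5" and "256.1.1.1" are left untouched, while an
# address followed by "]", ":port" or a sentence-ending "." still matches.
_IPV4 = re.compile(rf"(?<![\d.])(?:{_OCTET}\.){{3}}{_OCTET}(?!\d|\.\d)")

REDACTED = "0.0.0.0"  # replacement value used in the post's example


def redact_ipv4(msg: str) -> tuple[str, int]:
    """Return (redacted message, number of addresses replaced)."""
    return _IPV4.subn(REDACTED, msg)


SAMPLES = [
    # Taken from the post:
    "imaplogin: LOGIN, user=myuser, ip=[69.90.134.200], protocol=IMAP",
    # Constructed lines in other service formats (documentation address ranges):
    "sshd[812]: Failed password for root from 203.0.113.7 port 52144 ssh2",
    "postfix/smtpd[99]: connect from mail.example.org[198.51.100.23]",
    "kernel: IN=eth0 SRC=192.0.2.10 DST=192.0.2.1 PROTO=TCP",
    "app: started version 1.2.3.4.5, no address here",
]

if __name__ == "__main__":
    for line in SAMPLES:
        redacted, count = redact_ipv4(line)
        print(f"{count} replaced: {redacted}")
```

A four-part version number that happens to be a valid dotted quad (for example "1.2.3.4") is indistinguishable from an address at this level and is redacted as well.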

