On Thu, 17 Jan 2013, Micah Anderson wrote:
> Hi, I'm trying to figure out how to replace all occurrences of IPv4
> addresses in syslog messages with some redacted replacement. For
> example, this could be used to convert:
> imaplogin: LOGIN, user=myuser, ip=[69.90.134.200], protocol=IMAP
> into this:
> imaplogin: LOGIN, user=myuser, ip=[0.0.0.0], protocol=IMAP
> Of course each service that is sent to syslog has a different format, so
> if the service was postfix, or ssh or whatever, the IP will appear in a
> different location in the log file (or nowhere).
> I can do this with syslog-ng relatively easily, as well as dsyslog, but
> I really would prefer to use rsyslog instead!
> I've been reading the manual to try and find out how this could be
> done. I thought perhaps a template with a property replacer would work,
> but the IP is part of the 'msg' property in different locations, and
> with property replacement I would have to select with a regexp
> everything that is *not* an IP and return that, which doesn't seem
> right.
> I found the message modification module capability, and the
> documentation even suggests that it could be used to anonymize message
> content. However, that would require writing C and compiling it against
> rsyslog. I'm looking for something easier, that can be added to the
> configuration.
> I also found mmnormalize, which looks really powerful, but unless I
> misunderstand liblognorm, one has to define the structure of the
> incoming messages, which works if you know how all the incoming messages
> will be structured... but syslog messages coming from every possible
> service on a modern Linux system means a huge number of different types
> of incoming message structures.
As far as I know it is not possible to do it directly in the config files.
Note that Adiscon will write the C code to make a filter like this for around
500 euro, so if you don't want to do it yourself, you can have them do it.
Part of the problem you will have to deal with is how you define an IP address.
Do you want to include IPv6 addresses? Are you willing to accept 300.300.300.300
being identified as an IP address? etc.
David Lang
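Since the reply above says rsyslog's configuration language cannot do this on its own, here is an added example (written for this edit; it is not rsyslog's, Adiscon's or the poster's code) of the definitional problem David raises, as a standalone Python filter that reads syslog lines on stdin and writes redacted lines on stdout. It contrasts a naive "four dotted numbers" pattern, which happily redacts 300.300.300.300, with a strict pattern whose octets are limited to 0..255, and adds an optional IPv6 pass that validates candidates with the standard ipaddress module so that timestamps such as 10:20:30 and MAC addresses survive. The function and placeholder names are this example's own choices; the sample lines are constructed for it, except the imaplogin line taken from the question.

```python
import ipaddress
import re
import sys

# Naive "four dotted numbers" pattern: matches 300.300.300.300, and the
# first four components of a longer dotted string such as 1.2.3.4.5.
NAIVE_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Strict pattern: each octet 0..255 without leading zeros, not preceded or
# followed by another dotted digit, so 1.2.3.4.5 is left alone while a
# trailing sentence period ("from 10.0.0.1.") is still allowed.
OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
STRICT_IPV4 = re.compile(
    r"(?<!\w)(?<!\d\.)" + OCTET + r"(?:\." + OCTET + r"){3}(?!\w|\.\d)"
)

# IPv6 candidates: two to seven colon-terminated hex groups followed by a
# final hex group or an embedded dotted quad (::ffff:192.0.2.1). The regex
# only finds candidates; ipaddress decides whether they are real addresses,
# which rejects timestamps (10:20:30) and MAC addresses (00:11:22:33:44:55).
IPV6_CANDIDATE = re.compile(
    r"(?<![\w:])(?:[0-9A-Fa-f]{0,4}:){2,7}"
    r"(?:(?:\d{1,3}\.){3}\d{1,3}|[0-9A-Fa-f]{0,4})(?!\w|\.\d|:)"
)


def _ipv6_or_keep(match, placeholder):
    """Replace the candidate only if ipaddress accepts it as an address."""
    text = match.group(0)
    try:
        ipaddress.ip_address(text)  # a candidate always has >= 2 colons, so
    except ValueError:              # success here means a valid IPv6 address
        return text
    return placeholder


def redact(line, strict=True, ipv6=True, v4_placeholder="0.0.0.0",
           v6_placeholder="::"):
    """Return LINE with IP addresses replaced by constant placeholders.

    The IPv6 pass runs first so that an IPv4-mapped address is consumed
    whole instead of leaving a dangling '::ffff:' prefix behind.
    """
    if ipv6:
        line = IPV6_CANDIDATE.sub(lambda m: _ipv6_or_keep(m, v6_placeholder),
                                  line)
    pattern = STRICT_IPV4 if strict else NAIVE_IPV4
    return pattern.sub(v4_placeholder, line)


# Constructed sample lines (the first one is the line from the question).
# Note the kernel line: a version string 3.2.0.4 is indistinguishable from
# an address by syntax alone, so even the strict pattern redacts it.
SAMPLE_LINES = [
    "imaplogin: LOGIN, user=myuser, ip=[69.90.134.200], protocol=IMAP",
    "sshd[1234]: Accepted publickey for root from 192.0.2.10 port 51234 ssh2",
    "postfix/smtpd[5678]: connect from mail.example.net[2001:db8::25]",
    "dovecot: imap-login: Login: user=<bob>, rip=::ffff:198.51.100.7, "
    "lip=::ffff:10.0.0.5",
    "kernel: version 3.2.0.4 loaded; bogus 300.300.300.300 seen; at 10:20:30",
]


def redact_samples(strict=True):
    """Redact the constructed sample lines; used for the demonstration."""
    return [redact(line, strict=strict) for line in SAMPLE_LINES]


if __name__ == "__main__":
    if sys.stdin.isatty():
        # No piped input: show the strict and naive passes side by side.
        for before, strict_out, naive_out in zip(
                SAMPLE_LINES, redact_samples(True), redact_samples(False)):
            print("in:    ", before)
            print("strict:", strict_out)
            print("naive: ", naive_out)
    else:
        # Filter mode, e.g.  tail -f /var/log/syslog | python3 redact_ips.py
        for raw in sys.stdin:
            sys.stdout.write(redact(raw.rstrip("\n")) + "\n")
```

Even the strict pattern cannot tell a version number such as 3.2.0.4 from an address, so some collateral redaction is unavoidable once you decide on a syntactic definition. Replacing every address with the same constant also destroys the ability to correlate events from one client; if that matters, a keyed hash (an HMAC over the address under a secret key) as the replacement keeps correlation without exposing the address.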
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.