David Lang <[email protected]> writes:

> On Thu, 17 Jan 2013, Micah Anderson wrote:
>
>> Hi, I'm trying to figure out how to replace all occurrences of ipv4
>> addresses in syslog messages with some redacted replacement. For
>> example, this could be used to convert:
>>
>> imaplogin: LOGIN, user=myuser, ip=[69.90.134.200], protocol=IMAP
>>
>> into this:
>>
>> imaplogin: LOGIN, user=myuser, ip=[0.0.0.0], protocol=IMAP
>>
>> Of course each service that is sent to syslog has a different format, so
>> if the service was postfix, or ssh or whatever, the IP will appear in a
>> different location in the log file (or nowhere).
>>
>> I can do this with syslog-ng relatively easily, as well as dsyslog, but
>> I really would prefer to use rsyslog instead!
>>
>> I've been reading the manual to try and find out how this could be
>> done. I thought perhaps a template with a property replacer would work,
>> but the IP is part of the 'msg' property in different locations, and
>> with property replacement I would have to select with a regexp
>> everything that is *not* an IP and return that, which doesn't seem
>> right.
>>
>> I found the message modification module capability, and the
>> documentation even suggests that it could be used to anonymize message
>> content. However, that would require writing C and compiling it against
>> rsyslog. I'm looking for something easier, that can be added to the
>> configuration.
>>
>> I also found mmnormalize, which looks really powerful, but unless I
>> misunderstand liblognorm, one has to define the structure of the
>> incoming messages, which works if you know how all the incoming messages
>> will be structured... but syslog messages coming from every possible
>> service on a modern linux system means a huge number of different types
>> of incoming message structures.
>
> As far as I know it is not possible to do it directly in the config files.
Ouch, that is unfortunate. This is possible to do with other syslog implementations; I wonder why not with rsyslog?

> Note that adiscon will write the C code to make a filter like this for around
> 500 euro, so if you don't want to do it yourself, you can have them do it.

The problem isn't writing the C code, I can do that. The problem is that having to write C means having to compile it and distribute my own version of rsyslog, and everyone else who would like to use that facility would also need to do so, or I need to spend a lot of time trying to get it included upstream. All of that together is enough to make me pick another syslog solution that can do it with a couple of configuration lines.

> Part of the problem you will have to deal with is how you define an IP
> address. Do you want to include IPv6 addresses? Are you willing to accept
> 300.300.300.300 being identified as an IP address? etc.

Yes, this is always the problem. IPv4 is the starting point. It is easy to write a regexp that would match on valid ipv4 addresses, and not 300.300.300.300.

micah

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
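The closing point of the exchange, that a regexp can match only valid dotted-quad IPv4 addresses and leave 300.300.300.300 alone, as an added example that is not part of the thread and not rsyslog code: a standalone Python filter of the kind a message-modification module would apply to the msg property, run over constructed sample log lines (only the IMAP line comes from the post; the sshd, postfix and kernel lines are made up here). The octet pattern admits 0-255 only, and the boundary lookarounds stop it from matching a four-octet substring inside 256.1.1.1 or 1.2.3.4.5. It also goes one step past the thread: the keyed_pseudonym helper (an addition, not anything the thread discusses) keeps the same client correlatable across lines after redaction, which a flat 0.0.0.0 does not.

```python
import hashlib
import hmac
import re

# Constructed sample input. Only the first line is from the original post;
# the rest are invented to show different message layouts and false positives.
SAMPLE_LINES = [
    "imaplogin: LOGIN, user=myuser, ip=[69.90.134.200], protocol=IMAP",
    "sshd[1234]: Accepted publickey for alice from 10.0.0.7 port 51234 ssh2",
    "postfix/smtpd[555]: connect from unknown[192.0.2.33]",
    "kernel: bogus value 300.300.300.300 is not an address",
    "app: version 1.2.3.4 build 256.1.1.1 and 1.2.3.4.5",
]

# One decimal octet, 0-255, no leading zeros: 250-255 | 200-249 | 100-199 | 0-99.
OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])"

# Four octets. The lookbehind/lookahead refuse a neighbouring digit or dot,
# so "256.1.1.1" cannot yield "56.1.1.1" and "1.2.3.4.5" cannot yield "1.2.3.4".
IPV4_RE = re.compile(r"(?<![0-9.])" + OCTET + r"(?:\." + OCTET + r"){3}(?![0-9.])")


def redact_ipv4(line, replacement="0.0.0.0"):
    """Replace every valid IPv4 address in `line`.

    `replacement` is either a literal string or a callable taking the matched
    address and returning its substitute.
    """
    if callable(replacement):
        return IPV4_RE.sub(lambda m: replacement(m.group(0)), line)
    return IPV4_RE.sub(replacement, line)


def redact_lines(lines, replacement="0.0.0.0"):
    """Apply redact_ipv4 to each line; the filter does not need to know the
    message format, which is the point made in the thread."""
    return [redact_ipv4(line, replacement) for line in lines]


def keyed_pseudonym(key):
    """Return a replacement callable that maps each address to a stable
    pseudonym: HMAC-SHA256 under `key`, truncated to three bytes and placed
    in 10.0.0.0/8 so the output can never collide with a real public address.
    The same client therefore stays correlatable across log lines, while the
    real address cannot be recovered without the key. This is an addition
    beyond what the thread asks for."""
    def repl(addr):
        digest = hmac.new(key, addr.encode(), hashlib.sha256).digest()
        return "10." + ".".join(str(b) for b in digest[:3])
    return repl


if __name__ == "__main__":
    for original, redacted in zip(SAMPLE_LINES, redact_lines(SAMPLE_LINES)):
        print(redacted if redacted != original else f"(unchanged) {original}")
    print(redact_ipv4(SAMPLE_LINES[0], keyed_pseudonym(b"rotate-me-per-deployment")))
```

The last sample line shows the definitional problem raised in the thread rather than a bug: "version 1.2.3.4" is syntactically a valid address and is redacted, while "256.1.1.1" and "1.2.3.4.5" are left alone. Any pattern-only filter makes that trade; narrowing it further needs per-format knowledge, which is exactly what the thread wanted to avoid.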

