On Fri, May 16, 2014 at 4:33 PM, Eivind Olsen <[email protected]> wrote:
> I'm currently trying to figure out why I'm unable to get some filter to
> work. Due to OS policy, I'm stuck with the version of rsyslog bundled with
> RHEL6, so that's rsyslog 5.8.10.
>
> I've looked and looked, and can't really see what I'm doing wrong (but I'm
> sure it's something, since it's not behaving the way I want it to :)
>
> I have configured some templates and two filters in a file,
> /etc/rsyslog.d/firewall.conf.
>
> -START-
> $template dest_no-osl001-asa00_log,"/var/log/firewall/no-osl001-asa00_log/no-osl001-asa00_log-%$YEAR%%$MONTH%%$DAY%"
> $template dest_no-osl001-asa00_changelog,"/var/log/firewall/no-osl001-asa00_changelog/no-osl001-asa00_changelog-%$YEAR%%$MONTH%%$DAY%"
>
> if $fromhost-ip == '192.168.1.10' then -?dest_no-osl001-asa00_log
> if $fromhost-ip == '192.168.1.10' and $msg contains 'ASA-3-611101' then -?dest_no-osl001-asa00_changelog
> -STOP-

"STOP" is not supported in that old version. Also, block nesting is not correct. Try:

if $fromhost-ip == '192.168.1.10' and $msg contains 'ASA-3-611101' then -?dest_no-osl001-asa00_changelog
& STOP

The "& stop" must be at the beginning of a new line. The rest must be on ONE line *immediately* in front of it!

Rainer

> Here's an example of a log line that gets logged to the filename in the
> template dest_no-osl001-asa00_log:
>
> May 16 16:19:03 no-osl001-asa00 %ASA-3-611101: User authentication
> succeeded: Uname: eivind
>
> I know the first part of the match works (the IP address), since these log
> messages actually make it into the first file. Am I doing something wrong
> when it comes to the "and $msg contains"-part?
>
> Regards
> Eivind Olsen
>
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
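Rainer's fragment written out as a complete /etc/rsyslog.d/firewall.conf in rsyslog 5.x legacy syntax. This is an added example, not Eivind's file or Rainer's; it assumes the discard continuation is spelled with the v5 `~` action where Rainer wrote `STOP`, and that change messages should land only in the changelog file.

```conf
# /etc/rsyslog.d/firewall.conf -- added example for rsyslog 5.8 (legacy syntax), not the original post's file

# Daily files per firewall: one catch-all log, one for configuration changes only
$template dest_no-osl001-asa00_log,"/var/log/firewall/no-osl001-asa00_log/no-osl001-asa00_log-%$YEAR%%$MONTH%%$DAY%"
$template dest_no-osl001-asa00_changelog,"/var/log/firewall/no-osl001-asa00_changelog/no-osl001-asa00_changelog-%$YEAR%%$MONTH%%$DAY%"

# Most specific rule first. The condition and its first action stay on ONE line;
# every further action for the same condition starts a new line with "&".
if $fromhost-ip == '192.168.1.10' and $msg contains 'ASA-3-611101' then -?dest_no-osl001-asa00_changelog
& ~
# "& ~" is the v5 discard action (assumption: the effect Rainer's "& STOP" is meant to have),
# so a matched change message is not processed again by the catch-all rule below.

# Everything else from the firewall goes to the daily log
if $fromhost-ip == '192.168.1.10' then -?dest_no-osl001-asa00_log
```

`rsyslogd -N1` parses the configuration without starting the daemon, so a directive split across lines surfaces as a config error before the restart. Drop the `& ~` line if change messages should be written to both files.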

