On Fri, May 16, 2014 at 4:52 PM, Rainer Gerhards <[email protected]> wrote:

> On Fri, May 16, 2014 at 4:33 PM, Eivind Olsen <[email protected]> wrote:
>
>> I'm currently trying to figure out why I'm unable to get some filter to
>> work. Due to OS policy, I'm stuck with the version of rsyslog bundled with
>> RHEL6, so that's rsyslog 5.8.10.
>>
>> I've looked and looked, and can't really see what I'm doing wrong (but I'm
>> sure it's something, since it's not behaving the way I want it to :)
>>
>> I have configured some templates and two filters in a file,
>> /etc/rsyslog.d/firewall.conf.
>>
>> -START-
>> $template dest_no-osl001-asa00_log,"/var/log/firewall/no-osl001-asa00_log/no-osl001-asa00_log-%$YEAR%%$MONTH%%$DAY%"
>> $template dest_no-osl001-asa00_changelog,"/var/log/firewall/no-osl001-asa00_changelog/no-osl001-asa00_changelog-%$YEAR%%$MONTH%%$DAY%"
>>
>> if $fromhost-ip == '192.168.1.10' then -?dest_no-osl001-asa00_log
>> if $fromhost-ip == '192.168.1.10' and $msg contains 'ASA-3-611101' then -?dest_no-osl001-asa00_changelog
>> -STOP-
>>
>
> "STOP" is not supported in that old version. Also, block nesting is not
> correct. Try:
>
> if $fromhost-ip == '192.168.1.10' and $msg contains 'ASA-3-611101' then -?dest_no-osl001-asa00_changelog
> & STOP
>

lol, of course *NO* stop:

if $fromhost-ip == '192.168.1.10' and $msg contains 'ASA-3-611101' then -?dest_no-osl001-asa00_changelog
& ~

(this is the tilde character).

Rainer

> The "& stop" must be at the beginning of a new line. The rest must be on
> ONE line *immediately* in front of it!
>
> Rainer
>
>> Here's an example of a log line that gets logged to the filename in the
>> template dest_no-osl001-asa00_log:
>>
>> May 16 16:19:03 no-osl001-asa00 %ASA-3-611101: User authentication
>> succeeded: Uname: eivind
>>
>> I know the first part of the match works (the IP address), since these log
>> messages actually make it into the first file. Am I doing something wrong
>> when it comes to the "and $msg contains"-part?
>>
>> Regards
>> Eivind Olsen
>>
>> _______________________________________________
>> rsyslog mailing list
>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>> http://www.rsyslog.com/professional-services/
>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>> DON'T LIKE THAT.
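The thread turns on two legacy-config details of rsyslog 5.x: a `&` line re-uses the condition of the selector line immediately before it, and the `~` action discards the message so that no later rule sees it. What the reply does not spell out is that a discard only stops rules *after* it; a file already written by an earlier rule is not undone, so the order of the two `if` lines decides whether a changelog message also ends up in the general log. The simulator below is an added example written for this page (not code from the thread, from Eivind, or from the rsyslog project); it models only selector lines, `&` continuation, `~` discard and the `$fromhost-ip` / `$msg` properties, and runs the posted rules in three orderings over constructed sample lines (the first is the one quoted in the thread, the other two are made up). One assumption to be aware of: here `$msg` is simply the text after the hostname. rsyslog's own parser splits a syslogtag off the front of that text before `$msg` is set, so whether `$msg contains 'ASA-3-611101'` sees the `%ASA-3-611101:` token on a real box depends on how that line is parsed; dumping `%syslogtag%` and `%msg%` through a debug template is the way to verify it. All function names, `EXAMPLE_DATE` and the sample lines are constructed for the example.

```python
"""Added example (not from the thread or from rsyslog): a small simulator of
rsyslog 5.x legacy selector chaining, used to check what the rule orderings
from the thread do to a set of messages. It models 'if <cond> then <action>'
lines, '& <action>' continuation lines, the '~' discard action (which stops
processing of that message) and the $fromhost-ip / $msg properties. $msg is
simplified to "everything after the hostname"; real rsyslog splits a syslogtag
off first. Names, dates and sample lines are constructed."""
import datetime
import re
from dataclasses import dataclass

GENERAL = "dest_no-osl001-asa00_log"
CHANGELOG = "dest_no-osl001-asa00_changelog"
DISCARD = "~"
EXAMPLE_DATE = datetime.date(2014, 5, 16)  # constructed value for %$YEAR%%$MONTH%%$DAY%

# Template bodies as posted; only the date properties are rendered here.
TEMPLATES = {
    GENERAL: "/var/log/firewall/no-osl001-asa00_log/no-osl001-asa00_log-%$YEAR%%$MONTH%%$DAY%",
    CHANGELOG: "/var/log/firewall/no-osl001-asa00_changelog/no-osl001-asa00_changelog-%$YEAR%%$MONTH%%$DAY%",
}

# Constructed input: (sender IP as rsyslog would set $fromhost-ip, raw BSD-syslog line).
# The first line is the one quoted in the thread; the other two are made up.
SAMPLE_LINES = [
    ("192.168.1.10", "May 16 16:19:03 no-osl001-asa00 %ASA-3-611101: User authentication succeeded: Uname: eivind"),
    ("192.168.1.10", "May 16 16:19:05 no-osl001-asa00 %ASA-6-302013: Built outbound TCP connection 4711"),
    ("192.168.1.20", "May 16 16:19:07 lab-asa %ASA-3-611101: User authentication succeeded: Uname: alice"),
]
HEADER = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (?P<host>\S+) (?P<rest>.*)$")


@dataclass
class Msg:
    fromhost_ip: str
    hostname: str
    msg: str


def parse_line(fromhost_ip, raw):
    """Split a BSD-style syslog line into the properties the filters use."""
    m = HEADER.match(raw)
    if m is None:
        raise ValueError(f"not a syslog line: {raw!r}")
    return Msg(fromhost_ip, m["host"], m["rest"])


def parse_samples():
    return [parse_line(ip, raw) for ip, raw in SAMPLE_LINES]


# Predicates mirroring '$fromhost-ip == ...', '$msg contains ...' and 'and'.
def from_ip(ip):
    return lambda m: m.fromhost_ip == ip


def msg_contains(needle):
    return lambda m: needle in m.msg


def both(*conds):
    return lambda m: all(c(m) for c in conds)


def render_template(name, when):
    """Expand the %$YEAR%%$MONTH%%$DAY% properties of a file-name template."""
    path = TEMPLATES[name].replace("%$YEAR%", f"{when.year:04d}")
    return path.replace("%$MONTH%", f"{when.month:02d}").replace("%$DAY%", f"{when.day:02d}")


def run_rules(rules, messages):
    """Apply (condition, [actions]) rules in order to every message.

    A matching rule runs its '&'-chained actions in order; DISCARD stops
    further rules for that message but does not undo writes already made."""
    written = {name: [] for name in TEMPLATES}
    for m in messages:
        for cond, actions in rules:
            if not cond(m):
                continue
            stop = False
            for action in actions:
                if action == DISCARD:
                    stop = True
                    break
                written[action].append(m.msg)
            if stop:
                break
    return written


BROAD = from_ip("192.168.1.10")
NARROW = both(BROAD, msg_contains("ASA-3-611101"))

# 1. Posted order, no discard: the changelog line lands in both files.
RULES_AS_POSTED = [(BROAD, [GENERAL]), (NARROW, [CHANGELOG])]
# 2. '& ~' added to the changelog rule, broad rule still first: it has already
#    written the line, so the line is still in both files.
RULES_DISCARD_POSTED_ORDER = [(BROAD, [GENERAL]), (NARROW, [CHANGELOG, DISCARD])]
# 3. Narrow rule plus '& ~' first, broad rule after: changelog file only.
RULES_DISCARD_NARROW_FIRST = [(NARROW, [CHANGELOG, DISCARD]), (BROAD, [GENERAL])]


def summarize(rules):
    """Return {template name: number of lines written} for one rule set."""
    return {n: len(lines) for n, lines in run_rules(rules, parse_samples()).items()}
```

`summarize(RULES_AS_POSTED)` and `summarize(RULES_DISCARD_POSTED_ORDER)` both give two lines in the general log and one in the changelog, while `summarize(RULES_DISCARD_NARROW_FIRST)` gives one and one: the `& ~` only helps if the narrow rule is placed before the broad one. The third sample line carries the wanted message ID but comes from another IP, so it is written nowhere in all three cases.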

