On Fri, 16 May 2014, Rainer Gerhards wrote:

On Fri, May 16, 2014 at 4:52 PM, Rainer Gerhards
<[email protected]>wrote:


On Fri, May 16, 2014 at 4:33 PM, Eivind Olsen <[email protected]> wrote:

I'm currently trying to figure out why I'm unable to get some filter to
work. Due to OS policy, I'm stuck with the version of rsyslog bundled with
RHEL6, so that's rsyslog 5.8.10.

I've looked and looked, and can't really see what I'm doing wrong (but I'm
sure it's something, since it's not behaving the way I want it to :)

I have configured some templates and two filters in a file,
/etc/rsyslog.d/firewall.conf.

-START-
$template dest_no-osl001-asa00_log,"/var/log/firewall/no-osl001-asa00_log/no-osl001-asa00_log-%$YEAR%%$MONTH%%$DAY%"
$template dest_no-osl001-asa00_changelog,"/var/log/firewall/no-osl001-asa00_changelog/no-osl001-asa00_changelog-%$YEAR%%$MONTH%%$DAY%"

if $fromhost-ip == '192.168.1.10' then -?dest_no-osl001-asa00_log
if $fromhost-ip == '192.168.1.10' and $msg contains 'ASA-3-611101' then
-?dest_no-osl001-asa00_changelog
-STOP-


"STOP" is not supported in that old version. Also, block nesting is not
correct. Try:


if $fromhost-ip == '192.168.1.10' and $msg contains 'ASA-3-611101' then
-?dest_no-osl001-asa00_changelog
& STOP


lol, of course *NO* stop:

if $fromhost-ip == '192.168.1.10' and $msg contains 'ASA-3-611101' then
-?dest_no-osl001-asa00_changelog
& ~

(this is the tilde character).

Also, I don't think that ASA-3-611101 is part of the message; I think it's going to be the syslogtag.

write a log with the RSYSLOG_DebugFormat template to check

also, putting - before the destination has no effect in rsyslog.

David Lang

Rainer


The "& stop" must be at the beginning of a new line. The rest must be on
ONE line *immediately* in front of it!

Rainer



Here's an example of a log line that gets logged to the filename in the
template dest_no-osl001-asa00_log:

May 16 16:19:03 no-osl001-asa00 %ASA-3-611101: User authentication
succeeded: Uname: eivind

I know the first part of the match works (the IP address), since these log
messages actually make it into the first file. Am I doing something wrong
when it comes to the "and $msg contains"-part?

Regards
Eivind Olsen


_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.
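To make David's point about $msg versus $syslogtag concrete, here is an added example (editor's illustration, not rsyslog code and not from anyone in the thread). It re-implements, in simplified form, the rule rsyslog's legacy RFC 3164 parser applies to a line like the one Eivind quoted: after the timestamp and hostname, the tag runs up to and including the first ':' (or up to the first space), and everything after it is MSG, leading space included. The 32-character tag limit, the exact whitespace handling and the sender IP 192.168.1.10 are assumptions made for the example; the sample line is the one from the thread.

```python
"""Simplified model of rsyslog's legacy (RFC 3164) line splitting, written to
show which property a 'contains' filter would actually match on.  This is an
illustration by the editor, not rsyslog's parser, and the tag rule below is an
approximation (assumed: tag ends at the first ':' which is kept, or at the
first space; at most 32 characters are examined)."""
import re
from dataclasses import dataclass

# Constructed input: the line quoted in the thread, plus the sender IP the
# firewall.conf filters compare $fromhost-ip against (assumed value).
SAMPLE_LINE = ("May 16 16:19:03 no-osl001-asa00 %ASA-3-611101: "
               "User authentication succeeded: Uname: eivind")
SAMPLE_FROMHOST_IP = "192.168.1.10"

# "Mmm dd HH:MM:SS hostname rest-of-line"
_RFC3164 = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<hostname>\S+) (?P<rest>.*)$"
)


@dataclass
class Message:
    """The handful of rsyslog properties the thread's filters refer to."""
    fromhost_ip: str
    timestamp: str
    hostname: str
    syslogtag: str
    msg: str


def split_tag(rest):
    """Return (syslogtag, msg) for the text after the hostname.

    Approximation of rsyslog's legacy behaviour: a ':' terminates the tag and
    stays part of it, a space terminates it without being included, and MSG is
    whatever follows, keeping its leading space (this leading space is why the
    %msg:::sp-if-no-1st-sp% property option exists)."""
    for i, ch in enumerate(rest[:32]):
        if ch == ":":
            return rest[: i + 1], rest[i + 1 :]
        if ch == " ":
            return rest[:i], rest[i:]
    return "", rest  # no tag terminator found: treat the whole remainder as MSG


def parse(line, fromhost_ip):
    """Split one RFC 3164 style line into the properties a filter can test."""
    m = _RFC3164.match(line)
    if not m:
        raise ValueError("not an RFC 3164 style line: %r" % line)
    tag, msg = split_tag(m.group("rest"))
    return Message(fromhost_ip, m.group("timestamp"), m.group("hostname"), tag, msg)


def original_filter(message):
    """The second filter as written in firewall.conf: tests $msg."""
    return message.fromhost_ip == "192.168.1.10" and "ASA-3-611101" in message.msg


def tag_filter(message):
    """The same predicate applied to $syslogtag instead of $msg."""
    return message.fromhost_ip == "192.168.1.10" and "ASA-3-611101" in message.syslogtag


def properties_containing(message, needle):
    """Which properties would a 'contains' test on NEEDLE succeed against?
    This is the question a line written with RSYSLOG_DebugFormat answers for a
    real message; here we answer it for the modelled one."""
    return [name for name in ("hostname", "syslogtag", "msg")
            if needle in getattr(message, name)]


if __name__ == "__main__":
    msg = parse(SAMPLE_LINE, SAMPLE_FROMHOST_IP)
    print("syslogtag =", repr(msg.syslogtag))
    print("msg       =", repr(msg.msg))
    print("$msg contains 'ASA-3-611101'       ->", original_filter(msg))
    print("$syslogtag contains 'ASA-3-611101' ->", tag_filter(msg))
    print("properties containing the ID       ->", properties_containing(msg, "ASA-3-611101"))
```

Run against the quoted line, the model puts "%ASA-3-611101:" into syslogtag and " User authentication succeeded: Uname: eivind" into msg, so the filter on $msg never fires while the same test on $syslogtag does. Confirm this on the real daemon by logging a few messages through the RSYSLOG_DebugFormat template, as suggested above, before changing the filter.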


