Hey All,

Topic says it....I've been reading through the 8.6.0 documentation to make sure I don't mess this up. I also hit the mailing list archives, but didn't seem to find anything that was applicable to my situation. Here's what I have:
#####################################
source s_local {
        unix-stream("/dev/log");
        udp(ip(0.0.0.0) port(514));
        tcp(ip(0.0.0.0) port(514));
        file("/proc/kmsg");
};

filter f_syslogfilter {
        not (
                message("0x0004")
                or message("File name too long:")
        );
};

filter f_firewall {
        program("ASA-4-71005")
        or program("ASA-2-106100")
        or message("FW-6-DROP_PKT");
};

destination d_file {
        file("/syslogs/messages");
};

destination d_syslogserver { udp("x.x.x.x" port(7514)); };

log {
        source(s_local);
        filter(f_syslogfilter);
        destination(d_file);
        filter(f_firewall);
        destination(d_syslogserver);
};
######################################

My requirements are, in plain English, "filter all unwanted first, then, if you're a firewall hit, duplicate (but still log) to a remote machine (logstash)". The source s_local I think I have already from the stock /etc/rsyslog.conf:


$ModLoad imudp
$UDPServerRun 514

$ModLoad imtcp
$InputTCPServerRun 514


My next portion is the filter...the whole point of this filter is to not log the entries. So as I understand it, I would want to create a new file in /etc/rsyslog.d/10-filter.conf that would contain:

:msg, contains, "0x0004" ~
:msg, contains, "File name too long:" ~
...

It's the next section that I'm having an issue with. I'm thinking I need to do something like:

if msg, contains, "FW-6-DROP_PKT" or programname, contains, "ASA-2-106100" then action ( type="omudpspoof" target="x.x.x.x" port="7514")

My question is a) is the above if statement even correct, and b) should I create another file, /etc/rsyslog.d/11-firewall.conf, or include the above in /etc/rsyslog.d/10-filter.conf? I plan on adding more things to look at in the future (like ssh logins), so I figure I might as well get this set up correctly right from the start. Thanks for any help...really appreciate it.

James
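An added example of the same three-stage pipeline (discard, log locally, forward firewall hits) written in rsyslog's RainerScript; it is not part of the original message or of the rsyslog documentation. The file name, the target x.x.x.x, the port and the local path are taken from the post; the message strings are the post's own, and omfwd is used in place of the omudpspoof module mentioned in the question.

```conf
# /etc/rsyslog.d/10-filter.conf  (file name assumed, as suggested in the post)

# 1. Discard the unwanted entries first. 'stop' ends processing of the
#    matching message, so neither the local file nor the forwarder sees it.
if ($msg contains "0x0004") or ($msg contains "File name too long:") then stop

# 2. Everything that survives the discard is written locally
#    (the rsyslog equivalent of syslog-ng's d_file).
action(type="omfile" file="/syslogs/messages")

# 3. Firewall hits are additionally forwarded. An action does not stop
#    processing, so these messages are still in /syslogs/messages above.
#    'contains' is used on $programname because Cisco ASA tags arrive as
#    "%ASA-2-106100:", so an exact == comparison may not match the parsed tag.
if ($msg contains "FW-6-DROP_PKT")
   or ($programname contains "ASA-2-106100")
   or ($programname contains "ASA-4-71005") then {
    action(type="omfwd" target="x.x.x.x" port="7514" protocol="udp")
}
```

rsyslog evaluates rules in the order they appear in the effective configuration, so the discard rule has to come before any other rule (including the stock ones in /etc/rsyslog.conf) that would write the same messages; `rsyslogd -N1` checks the syntax of the merged configuration without starting the daemon.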
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog