On Thu, 29 Jan 2015, James Lay wrote:

Date: Thu, 29 Jan 2015 09:46:00 -0700
From: James Lay <[email protected]>
To: rsyslog <[email protected]>
Subject: [rsyslog] Making the switch: syslog-ng to rsyslog

Hey All,

Topic says it....I've been reading through the 8.6.0 documentation to make sure I don't mess this up. I also hit the mailing list archives, but didn't seem to find anything that was applicable to my situation. Here's what I have:
#####################################
source s_local {
       unix-stream("/dev/log");
       udp(ip(0.0.0.0) port(514));
       tcp(ip(0.0.0.0) port(514));
       file("/proc/kmsg");
};

filter f_syslogfilter {
       not (
               message("0x0004")
               or message("File name too long:")
       );
};

filter f_firewall {
       program("ASA-4-71005")
       or program("ASA-2-106100")
       or message("FW-6-DROP_PKT")
};

destination d_file {
       file("/syslogs/messages");
};

destination d_syslogserver { udp("x.x.x.x" port(7514)); };

log {
       source(s_local);
       filter(f_syslogfilter);
       destination(d_file);
       filter(f_firewall);
       destination(d_syslogserver);
};
######################################

My requirements are, in plain English, "filter all unwanted first, then, if you're a firewall hit, duplicate (but still log) to a remote machine (logstash)". The source s_local I think I have already from the stock /etc/rsyslog.conf:


$ModLoad imudp
$UDPServerRun 514

$ModLoad imtcp
$InputTCPServerRun 514


My next portion is the filter...the whole point of this filter is to not log the entries. So as I understand it, I would want to create a new file in /etc/rsyslog.d/10-filter.conf that would contain:

:msg, contains, "0x0004" ~
:msg, contains, "File name too long:" ~
...

It's the next section that I'm having an issue with. I'm thinking I need to do something like:

if msg, contains, "FW-6-DROP_PKT" or programname, contains, "ASA-2-106100" then action ( type="omudpspoof" target="x.x.x.x" port="7514")

A couple of things: first, you need to have a $ in front of the variable names; second, you don't use commas in script-type filters; third, a minor detail, 'contains' is significantly slower than ==. So I would do

if $programname == '%ASA-2-106100' or $msg contains "FW-6-DROP_PKT" then {
   # plain UDP forward to the logstash box (target/port taken from the syslog-ng config above)
   action(type="omfwd" target="x.x.x.x" port="7514" protocol="udp")
}
# legacy selector: everything that reached this point goes to the local file
*.* /var/log/messages

This unconditionally puts any messages that have not been dropped into /var/log/messages and does the action if it matches the filter.

Also, why are you doing omudpspoof? That is significantly slower than omfwd and is only needed if you are sending to a destination that ignores the hostname in the message and instead looks at the IP address the message came from. It allows rsyslog to forge the UDP source so that it looks to the recipient like the message came from the original server rather than from the rsyslog relay box. Since your syslog-ng config has the packet originating from the relay box, you should not need this.

David Lang

My question is a) is the above if statement even correct, and b) should I create another file, /etc/rsyslog.d/11-firewall.conf, or include the above in /etc/rsyslog.d/10-filter.conf? I plan on adding more things to look at in the future (like ssh logins), so I figure I might as well get this setup correctly right from the start. Thanks for any help...really appreciate it.

James
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
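Putting the pieces of the thread together, here is a complete rsyslog 8.x configuration for the three-stage pipeline discussed above (discard, write everything that survives locally, additionally forward firewall hits). This is an added example, not code from the thread or from the rsyslog project; it assumes the logstash target x.x.x.x:7514 and the program IDs exactly as they appear in the syslog-ng config earlier in the thread, and it uses the rsyslog `stop` statement in place of the deprecated `~` discard action. It also answers the file-layout question: rsyslog evaluates its configuration top to bottom and includes /etc/rsyslog.d/*.conf in alphabetical order, so a 10-filter.conf discard runs before anything in 11-firewall.conf, and the unconditional local write can live in either file as long as it follows the discard.

```rsyslog
# Added example (not from the thread): rsyslog 8.x equivalent of the syslog-ng
# config above, written as one file for readability. In practice the module/input
# section is the stock /etc/rsyslog.conf, the discard block is
# /etc/rsyslog.d/10-filter.conf and the forward block is /etc/rsyslog.d/11-firewall.conf.

# --- inputs: same sources as syslog-ng's s_local ---
module(load="imuxsock")            # local /dev/log  (unix-stream("/dev/log"))
module(load="imklog")              # kernel ring buffer (file("/proc/kmsg"))
module(load="imudp")
input(type="imudp" port="514")     # udp(ip(0.0.0.0) port(514))
module(load="imtcp")
input(type="imtcp" port="514")     # tcp(ip(0.0.0.0) port(514))

# --- 1. discard unwanted messages first (f_syslogfilter) ---
# "stop" ends processing for the message; nothing below ever sees it.
# This must come before every action that should not receive these messages.
if ($msg contains "0x0004") or ($msg contains "File name too long:") then stop

# --- 2. everything that survived goes to the local file (d_file) ---
action(type="omfile" file="/syslogs/messages")

# --- 3. firewall hits are additionally forwarded (f_firewall -> d_syslogserver) ---
# Program IDs are taken verbatim from the syslog-ng filter in the thread (with the
# leading '%' as in David's example); verify them against what rsyslog actually
# parses into $programname for your ASA messages before relying on them.
# '==' is an exact, cheap comparison; 'contains' is a substring scan and is only
# used where the match really is a substring of the message body.
if ($programname == '%ASA-2-106100')
   or ($programname == '%ASA-4-71005')
   or ($msg contains "FW-6-DROP_PKT") then {
    # omfwd, not omudpspoof: the relay's own IP is the sender, the original host
    # is still carried in the message's HOSTNAME field.
    action(type="omfwd" target="x.x.x.x" port="7514" protocol="udp")
}
```

Check the syntax before restarting with `rsyslogd -N1`, which parses the configuration (including the /etc/rsyslog.d includes) without starting the daemon. To confirm what rsyslog extracts as $programname from a real ASA message, temporarily write a sample to a file with `template="RSYSLOG_DebugFormat"` on an omfile action; that built-in template prints every parsed property, so you can see whether the tag comes through as `%ASA-2-106100` and adjust the comparison accordingly.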
