On 2015-01-29 12:54 PM, David Lang wrote:
On Thu, 29 Jan 2015, James Lay wrote:
Date: Thu, 29 Jan 2015 09:46:00 -0700
From: James Lay <[email protected]>
To: rsyslog <[email protected]>
Subject: [rsyslog] Making the switch: syslog-ng to rsyslog
Hey All,
Topic says it... I've been reading through the 8.6.0 documentation
to make sure I don't mess this up. I also hit the mailing list
archives, but didn't seem to find anything that was applicable to my
situation. Here's what I have:
#####################################
source s_local {
    unix-stream("/dev/log");
    udp(ip(0.0.0.0) port(514));
    tcp(ip(0.0.0.0) port(514));
    file("/proc/kmsg");
};
filter f_syslogfilter {
    not (
        message("0x0004")
        or message("File name too long:")
    );
};
filter f_firewall {
    program("ASA-4-71005")
    or program("ASA-2-106100")
    or message("FW-6-DROP_PKT");
};
destination d_file {
    file("/syslogs/messages");
};
destination d_syslogserver { udp("x.x.x.x" port(7514)); };
log {
    source(s_local);
    filter(f_syslogfilter);
    destination(d_file);
    filter(f_firewall);
    destination(d_syslogserver);
};
######################################
My requirements are, in plain English, "filter all unwanted first,
then, if you're a firewall hit, duplicate (but still log) to a remote
machine (logstash)". The source s_local I think I have already from
the stock /etc/rsyslog.conf:
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
My next portion is the filter...the whole point of this filter is to
not log the entries. So as I understand it, I would want to create a
new file in /etc/rsyslog.d/10-filter.conf that would contain:
:msg, contains, "0x0004" ~
:msg, contains, "File name too long:" ~
...
It's the next section that I'm having an issue with. I'm thinking I
need to do something like:
if msg, contains, "FW-6-DROP_PKT" or programname, contains,
"ASA-2-106100" then action ( type="omudpspoof" target="x.x.x.x"
port="7514")
A couple of things: first, you need to have a $ in front of the variable
names; second, you don't use commas in script-type filters; third, a
minor detail, 'contains' is significantly slower than ==. So I would
do
if $programname == '%ASA-2-106100' or $msg contains "FW-6-DROP_PKT"
then {
action()
}
/var/log/messages
This unconditionally puts any messages that have not been dropped
into /var/log/messages and does the action if it matches the filter.
Also, why are you doing omudpspoof? That is significantly slower than
omfwd and is only needed if you are sending to a destination that
ignores the hostname in the message and instead looks at the IP
address the message came from. It allows rsyslog to forge the UDP
source so that it looks to the recipient like the message came from
the original server rather than from the rsyslog relay box. Since your
syslog-ng config has the packet originating from the relay box, you
should not need this.
David Lang
My question is a) is the above if statement even correct, and b)
should I create another file, /etc/rsyslog.d/11-firewall.conf, or
include the above in /etc/rsyslog.d/10-filter.conf? I plan on adding
more things to look at in the future (like ssh logins), so I figure I
might as well get this setup correctly right from the start. Thanks
for any help...really appreciate it.
James
Thanks a bunch David...that really helps out. So I've settled on this
for my piping to the logstash machine:
if ( $programname == 'ASA-4-71005' or $programname == 'ASA-2-106100' or
$programname == 'ASA-5-710005' or $programname == 'ASA-2-106001' or
$programname == 'ASA-3-710003' or $programname == 'ASA-4-106023' or $msg
contains 'FW-6-DROP_PKT' ) then @x.x.x.x:7514
And so far this looks to work in my testing. My goal is kind of the
below:
filter out crud
send certain things remote
log to messages
My next challenge is getting a slew of funky things to be dropped. I
have weird things like:
Bleh/192.168.1.1(53)
that I'm wanting to drop. So far this works for each:
:msg, contains, "Bleh/192\.168\.1\.1\(53\)" stop
but I'd much rather combine them in a single line and use regex instead
of contains. This is where I'm running into issues so far. This works:
:msg, regex, "0x0004" stop
but the below gives me an error:
if ( $msg regex "0x0004" ) then stop
6917.858632217:main thread : Called LogMsg, msg: error during
parsing file /etc/rsyslog.d/10-filter.conf, on or before line 24: syntax
error on token 'regex'
rsyslogd: error during parsing file /etc/rsyslog.d/10-filter.conf, on
or before line 24: syntax error on token 'regex' [try
http://www.rsyslog.com/e/2207 ]
So I think I'm close... thanks for looking again David.
James
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
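Putting the thread's pieces together, below is one way to express the original syslog-ng configuration in rsyslog's RainerScript. This is an added example, not a configuration posted by anyone in the thread: the file paths, the x.x.x.x logstash target and the ASA message IDs are carried over from the posts, and everything else (module names, the re_match() call, the action() parameters) is standard rsyslog v8 syntax. It also addresses the `syntax error on token 'regex'` above: in RainerScript the regex test is the re_match() function, while the bare word `regex` is only valid as the comparison operation inside a legacy `:msg, regex, "..."` property filter.

```rsyslog
# Added example: rsyslog (v8) translation of the thread's syslog-ng config.
# Not taken from the original posts. Paths, target and message IDs come
# from the thread; x.x.x.x is the logstash host and must be filled in.

# --- sources (syslog-ng's s_local) ----------------------------------------
module(load="imuxsock")                 # unix-stream("/dev/log")
module(load="imklog")                   # file("/proc/kmsg")
module(load="imudp")
input(type="imudp" port="514")          # udp(ip(0.0.0.0) port(514))
module(load="imtcp")
input(type="imtcp" port="514")          # tcp(ip(0.0.0.0) port(514))

# --- 1. filter out crud (syslog-ng's f_syslogfilter plus the "Bleh" line) --
# In RainerScript the regex test is the re_match() function; 'regex' is only
# an operation name in legacy ':msg, regex, "..."' filters, which is why
# 'if ( $msg regex "0x0004" ) then stop' fails to parse.
# re_match() takes a POSIX extended regex, so several patterns combine with
# '|'. Bracket expressions ([.] and [(]) make the dots and parentheses
# literal without having to reason about backslash escaping inside the
# quoted string.
if re_match($msg, "0x0004|File name too long:|Bleh/192[.]168[.]1[.]1[(]53[)]") then
    stop

# --- 2. firewall hits: copy to logstash, then keep going so they also land
#        in the local file (syslog-ng's f_firewall -> d_syslogserver) --------
# The thread disagrees about a leading '%' on the ASA tag. Check what
# $programname really contains for your messages (e.g. write a few with the
# built-in RSYSLOG_DebugFormat template) before relying on exact '==' tests;
# '==' is cheaper than 'contains', but only if the value is what you expect.
if ( $programname == 'ASA-4-71005'  or $programname == 'ASA-2-106100' or
     $programname == 'ASA-5-710005' or $programname == 'ASA-2-106001' or
     $programname == 'ASA-3-710003' or $programname == 'ASA-4-106023' or
     $msg contains 'FW-6-DROP_PKT' ) then {
    # omfwd, not omudpspoof: the syslog-ng config sent from the relay itself,
    # so a spoofed source address is not needed. Plain UDP loses messages
    # silently; protocol="tcp" is the knob to turn if losing dropped-packet
    # evidence on the way to logstash matters to you.
    action(type="omfwd" target="x.x.x.x" port="7514" protocol="udp")
}

# --- 3. everything that survived step 1 goes to the local file
#        (syslog-ng's d_file) -----------------------------------------------
action(type="omfile" file="/syslogs/messages")
```

On the "one file or two" question: the stock rsyslog.conf pulls in /etc/rsyslog.d/*.conf in alphabetical order, so a 10-filter.conf holding the stop rules and an 11-firewall.conf holding the forwarding rules behaves exactly like the single file above, as long as the drop rules sort first. After editing, `rsyslogd -N1` parses the configuration without starting the daemon and reports syntax errors such as the one quoted in the thread.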