On Thu, 29 Jan 2015, James Lay wrote:
Thanks a bunch David...that really helps out. So I've settled on this for my
piping to the logstash machine:
if ( $programname == 'ASA-4-71005' or $programname == 'ASA-2-106100' or
$programname == 'ASA-5-710005' or $programname == 'ASA-2-106001' or
$programname == 'ASA-3-710003' or $programname == 'ASA-4-106023' or $msg
contains 'FW-6-DROP_PKT' ) then @x.x.x.x:7514
simpler version
if ( $programname == ['ASA-4-71005', 'ASA-2-106100', 'ASA-5-710005',
'ASA-2-106001', 'ASA-3-710003', 'ASA-4-106023'] or $msg
contains 'FW-6-DROP_PKT' ) then @x.x.x.x:7514
And so far this looks to work in my testing. My goal is kind of the below:
filter out crud
send certain things remote
log to messages
My next challenge is getting a slew of funky things to be dropped. I have
weird things like:
Bleh/192.168.1.1(53)
that I'm wanting to drop. So far this works for each:
:msg, contains, "Bleh/192\.168\.1\.1\(53\)" stop
but I'd much rather combine them in a single line and use regex instead of
contains. This is where I'm running into issues so far. This works:
:msg, regex, "0x0004" stop
but the below gives me an error:
if ( $msg regex "0x0004" ) then stop
see http://www.rsyslog.com/doc/rainerscript.html
I think you need to use re_match
David Lang
6917.858632217:main thread : Called LogMsg, msg: error during parsing file
/etc/rsyslog.d/10-filter.conf, on or before line 24: syntax error on token
'regex'
rsyslogd: error during parsing file /etc/rsyslog.d/10-filter.conf, on or
before line 24: syntax error on token 'regex' [try
http://www.rsyslog.com/e/2207 ]
So I think I'm close...thanks for looking again David.
James
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
LIKE THAT.
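As an added example that is not part of the thread, here is the same filtering written as RainerScript using re_match(), the function David points to, so the drop patterns live in one regex instead of one legacy line each. The remote address, patterns and log path are placeholders carried over from the post, not a tested production config.

```rsyslog
# Added example (not from the thread): RainerScript version of the filters
# discussed above. x.x.x.x, the patterns and the file path are placeholders.

# Drop the noise in one statement. re_match() uses POSIX extended regex;
# bracket expressions ([.] and [(]) match the literal dot and parenthesis
# without depending on how backslashes are unescaped in config strings.
if re_match($msg, "Bleh/192[.]168[.]1[.]1[(]53[)]|0x0004") then {
    stop
}

# Forward the selected Cisco ASA messages and FW-6-DROP_PKT drops to the
# logstash host over UDP (the equivalent of the legacy "@host:port" target).
if ( $programname == ["ASA-4-71005", "ASA-2-106100", "ASA-5-710005",
                      "ASA-2-106001", "ASA-3-710003", "ASA-4-106023"]
     or $msg contains "FW-6-DROP_PKT" ) then {
    action(type="omfwd" target="x.x.x.x" port="7514" protocol="udp")
}

# Whatever survives the drop filter is still written to the local messages
# file, so the forward above does not consume it.
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
```

Check the result with `rsyslogd -N1` before restarting, which reports the same "syntax error on token" class of problem seen in the post without touching the running daemon.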