On 2015-01-29 02:59 PM, David Lang wrote:
> On Thu, 29 Jan 2015, James Lay wrote:
>
>> Thanks a bunch David...that really helps out. So I've settled on
>> this for my piping to the logstash machine:
>>
>> if ( $programname == 'ASA-4-71005' or $programname == 'ASA-2-106100'
>> or $programname == 'ASA-5-710005' or $programname == 'ASA-2-106001' or
>> $programname == 'ASA-3-710003' or $programname == 'ASA-4-106023' or
>> $msg contains 'FW-6-DROP_PKT' ) then @x.x.x.x:7514
>
> simpler version
>
> if ( $programname == ['ASA-4-71005', 'ASA-2-106100', 'ASA-5-710005',
> 'ASA-2-106001', 'ASA-3-710003', 'ASA-4-106023'] or $msg contains
> 'FW-6-DROP_PKT' ) then @x.x.x.x:7514
>
>> And so far this looks to work in my testing. My goal is kind of the
>> below:
>>
>> filter out crud
>> send certain things remote
>> log to messages
>>
>> My next challenge is getting a slew of funky things to be dropped.
>> I have weird things like:
>>
>> Bleh/192.168.1.1(53)
>>
>> that I'm wanting to drop. So far this works for each:
>>
>> :msg, contains, "Bleh/192\.168\.1\.1\(53\)" stop
>>
>> but I'd much rather combine them in a single line and use regex
>> instead of contains. This is where I'm running into issues so far.
>> This works:
>>
>> :msg, regex, "0x0004" stop
>>
>> but the below gives me an error:
>>
>> if ( $msg regex "0x0004" ) then stop
>
> see http://www.rsyslog.com/doc/rainerscript.html
>
> I think you need to use re_match
>
> David Lang
>
>> 6917.858632217:main thread : Called LogMsg, msg: error during
>> parsing file /etc/rsyslog.d/10-filter.conf, on or before line 24:
>> syntax error on token 'regex'
>> rsyslogd: error during parsing file /etc/rsyslog.d/10-filter.conf,
>> on or before line 24: syntax error on token 'regex' [try
>> http://www.rsyslog.com/e/2207 ]
>>
>> So I think I'm close...thanks for looking again David.
>>
>> James

Awesome...thanks so much David...I'll get to researching re_match.

James
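For readers following up on David's pointer, here is the RainerScript form of the filter the thread is working toward. This is an added example, not config posted by either participant: `regex` is not an operator in RainerScript, so the drop rule uses the `re_match()` function instead, and the two drop patterns James quoted are combined into one alternation so a single `stop` rule handles both. The address x.x.x.x and port 7514 are the placeholders from the thread; the patterns are taken from James's messages, and the file name is assumed.

```conf
# /etc/rsyslog.d/10-filter.conf (assumed name) -- added example, not from the thread

# 1. Filter out crud. re_match() takes a POSIX extended regex and returns true
#    on a match; the alternation lets several noise patterns share one rule.
#    Bracket expressions ([.] and [(]) are used instead of backslash escapes so
#    the dot and parentheses are literal without depending on how the config
#    string parser treats backslashes.
if re_match($msg, "Bleh/192[.]168[.]1[.]1[(]53[)]|0x0004") then stop

# 2. Send certain things remote (David's array comparison, unchanged).
#    This rule comes after the drop rule, so noise never reaches logstash;
#    swap the order if the remote side should still see those messages.
if ( $programname == ['ASA-4-71005', 'ASA-2-106100', 'ASA-5-710005',
                      'ASA-2-106001', 'ASA-3-710003', 'ASA-4-106023']
     or $msg contains 'FW-6-DROP_PKT' ) then @x.x.x.x:7514

# 3. Everything that survives falls through to the normal rules, e.g. the
#    /var/log/messages line in the main rsyslog.conf.
```

Rule order matters: `stop` ends processing for that message, so a drop rule placed above the forwarding rule silences the message everywhere, while one placed below it only keeps the message out of the local files. Checking the config with `rsyslogd -N1` before restarting catches syntax errors such as the one quoted above without interrupting logging.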
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.