On Tue, 22 Sep 2015, Jason 'XenoPhage' Frisvold wrote:


I've recently upgraded to 8.x and I think I need to update some of my
rsyslog configs. Where I used to have something like this:

:msg, startswith, "SOURCE ADDRESS DROP: " -/var/log/iptables.log
& ~

I think I need to move to something like this:

if ($msg startswith "SOURCE ADDRESS DROP: ") then {
  action(type="omfile" file="/var/log/iptables.log" template="outfmt")
  stop
}

First off, you shouldn't need to change anything, the existing config should still work

I've tried this, but I've run into a few problems. First, I've
noticed that the startswith isn't matching anymore. There seems
to be a timestamp at the beginning of the messages now, but I'm not
sure what's providing them. For example, this is what I see in
/var/log/messages:

Sep 22 15:57:42 myserver kernel: [344863.908035] SOURCE ADDRESS DROP:
IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=0.0.0.0
DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2

That timestamp value within [] seems to be new... So a startswith
"SOURCE ADDRESS DROP: " isn't matching anymore.

The bigger problem I've noticed is that replacing the :msg syntax with
the if..then syntax above results in rsyslog not logging anything,
anywhere.  It's running according to both ps and systemctl, but
there's no output.  Removing the if..then syntax brings back logging,
though nothing gets logged to the iptables.log file.

Can someone point out what I'm doing wrong?

It sounds as if you have a syntax error, run 'rsyslogd -N2' to have it check the config for such errors. When you have a syntax error, strange things can happen.

The timestamp should not be new, the kernel has been putting it in for a long time, unless you changed kernel/boot configs as well (did you do an OS upgrade that introduced rsyslog 8.x?)

There isn't a great way to bypass the timestamp once it's in the message. The best method is probably to set up a mmnormalize ruleset to extract things (and it can convert the entire line into json if that is useful to you)

David Lang
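As an added example (not code from the thread or from rsyslog), here is a small Python parser that does what the mmnormalize suggestion above would do: it strips the kernel's leading [uptime] stamp before testing the "SOURCE ADDRESS DROP: " prefix and turns the iptables key=value fields into JSON. The sample line is a constructed copy of the one quoted in the message; the regexes and function names are this example's own assumptions.

```python
import json
import re

# Constructed sample line in the format quoted above (not a real capture).
SAMPLE = ("Sep 22 15:57:42 myserver kernel: [344863.908035] SOURCE ADDRESS DROP: "
          "IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=0.0.0.0 "
          "DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2")

# Classic syslog header: "<Mon dd HH:MM:SS> <host> <tag>: <msg>"
HEADER_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$")
# Optional kernel uptime stamp (printk time) that precedes the iptables log-prefix
KERNEL_TS_RE = re.compile(r"^\[(?P<uptime>\d+\.\d+)\] ")
PREFIX = "SOURCE ADDRESS DROP: "


def parse_iptables_line(line, prefix=PREFIX):
    """Return a dict of the iptables fields, or None if the line is not a drop record."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    uptime = None
    k = KERNEL_TS_RE.match(msg)
    if k:  # this is the "[344863.908035] " part that defeats a plain startswith
        uptime = float(k.group("uptime"))
        msg = msg[k.end():]
    if not msg.startswith(prefix):
        return None
    fields, flags = {}, []
    for tok in msg[len(prefix):].split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            fields[key] = val  # empty string for "OUT=" keeps the key visible
        else:
            flags.append(tok)  # bare tokens such as DF (don't fragment)
    return {"timestamp": m.group("ts"), "host": m.group("host"),
            "kernel_uptime": uptime, "prefix": prefix.strip(),
            "fields": fields, "flags": flags}


def to_json(line):
    """JSON form of a parsed drop record (what mmnormalize would hand to a template)."""
    rec = parse_iptables_line(line)
    return json.dumps(rec, sort_keys=True) if rec else None
```

Inside rsyslog itself the same effect comes from testing `$msg contains "SOURCE ADDRESS DROP: "` instead of `startswith`, so the uptime stamp at the front of the kernel message no longer breaks the match.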
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
