Thanks. This is working. I wasn't sure you could use this syntax within rulesets.
Tim
________________________________________
From: David Lang <[email protected]>
Sent: Friday, January 6, 2017 4:18 PM
To: Tim Mori via rsyslog
Cc: Tim Mori
Subject: Re: [rsyslog] Property filters with multiple regex requirements

On Fri, 6 Jan 2017, Tim Mori via rsyslog wrote:

> Date: Fri, 6 Jan 2017 20:56:41 +0000
> From: Tim Mori via rsyslog <[email protected]>
> To: "[email protected]" <[email protected]>
> Cc: Tim Mori <[email protected]>
> Subject: [rsyslog] Property filters with multiple regex requirements
>
> I'm trying to upgrade an older configuration and the way the previous
> maintainer set things up may be preventing me from achieving a few goals.
>
> What I want to do is split logs coming in into a few buckets, VMware logs,
> Windows Logs and then everything else. In the past it was just two, so the
> original rsyslog rules were set up to process the WinEvent log and then
> everything else by simply:
>
> ## Everything else
> :rawmsg, !regex, "MSWinEventLog" { action(type="omfile"
> File="/var/rsyslog/work/everything" DirCreateMode="0755"
> FileCreateMode="0644" ioBufferSize="64k" queue.filename="disk-queue2"
> queue.size="1000000" queue.spoolDirectory="/var/rsyslog/work"
> queue.type="LinkedList" ) }
>
> My question is can the "everything else" handle more than one property
> filter? If so, what would be the correct syntax for something like:
>
> :rawmsg, !regex, "MSWinEventLog"? OR :fromhost-ip !startwith "10.10."
>
> I suppose the other method is with if, then, else statement, but I could not
> find out how or whether you can use that within a ruleset.
Everything works the same way inside a ruleset.

You cannot do an "or" in that syntax; you would have to do

if $programname == "MSWinEventLog" or $fromhost-ip startswith "10.10" then <action>

or (what I think you are really going for)

if $programname == "MSWinEventLog" then {
    actions
} else if $fromhost-ip startswith "10.10" then {
    actions
}

David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
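The three-way split that the reply sketches, written out as a complete ruleset; this is an added example, not Tim's or David's configuration. It assumes Windows events carry the "MSWinEventLog" marker in the raw message, VMware hosts send from the 10.10.0.0/16 range named in the question, input arrives over UDP 514, and the file and queue names are placeholders.

```rsyslog
# Added example (not from the thread): sort incoming syslog into three
# buckets with if / else if / else inside a ruleset.
# Assumptions: Windows events contain "MSWinEventLog" in $rawmsg, VMware
# hosts are in 10.10.0.0/16, input is UDP 514, paths are placeholders.
module(load="imudp")
input(type="imudp" port="514" ruleset="sort_sources")

ruleset(name="sort_sources") {

    # First matching branch wins, so the most specific test goes first.
    if $rawmsg contains "MSWinEventLog" then {
        action(type="omfile" File="/var/rsyslog/work/winevent"
               DirCreateMode="0755" FileCreateMode="0644"
               queue.type="LinkedList" queue.filename="disk-queue-win"
               queue.spoolDirectory="/var/rsyslog/work")
    } else if $fromhost-ip startswith "10.10." then {
        action(type="omfile" File="/var/rsyslog/work/vmware"
               DirCreateMode="0755" FileCreateMode="0644"
               queue.type="LinkedList" queue.filename="disk-queue-vmw"
               queue.spoolDirectory="/var/rsyslog/work")
    } else {
        # Reached only when neither test matched, i.e. "not Windows AND
        # not VMware". That is what the question's two negated filters
        # joined by OR would NOT give you: "!regex OR !startswith" is true
        # for almost every message. The equivalent explicit test would be
        #   if not ($rawmsg contains "MSWinEventLog")
        #      and not ($fromhost-ip startswith "10.10.") then ...
        action(type="omfile" File="/var/rsyslog/work/everything"
               DirCreateMode="0755" FileCreateMode="0644"
               queue.type="LinkedList" queue.filename="disk-queue2"
               queue.spoolDirectory="/var/rsyslog/work")
    }
}
```

Both tests key on values the sender controls (the message body and, for UDP, the source address), so treat the buckets as a routing convenience for later analysis rather than as a trust boundary between sources.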

