On 1/31/2017 7:17 AM, James wrote:
> Hi,
>
> I'm new to rsyslog, trying to get something fairly basic to work but
> failing to follow the documentation it seems.
>
> I use fail2ban which is hard-coded to output its syslog at facility
> "daemon". I could edit the source, but would rather skin the cat another
> way.
>
> daemon.* obviously has lots of other stuff (DHCP, Automount, etc) and I'd
> like to filter it. I want to send all fail2ban logs to a separate file and
> I want to send the lines specific to ban/unbans to a remote server. What
> I've got in my rsyslog.conf is:
>
> #Log all fail2ban locally
> :syslogtag, contains, "fail2ban"
> daemon.* /var/log/fail2ban.log
>
> #Log bans & unbans to remote
> :msg, contains, "ssh-slowattack"
> daemon.* @@10.0.0.1:5000
>
> What I get with this is a blank fail2ban.log and *all* daemon facility
> events on the remote server. Example log portion:

Makes sense, if I'm reading this right that's exactly what you told the config to do. Try:

#Log all fail2ban locally
:syslogtag, contains, "fail2ban" /var/log/fail2ban.log

But that's assuming ...

> Rsyslog version, which I can't currently change, is rsyslog-3.22.1-7.el5

... this extremely old version of rsyslog supports that syntax. It's so old I don't remember ;)

Jacob
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
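
Added example, not part of the original thread and not rsyslog project code: a small lint that flags the pattern from the question, where a property-based filter sits alone on its line and the selector line after it is therefore a separate, unfiltered rule. The regexes cover only the legacy one-line rule forms seen in this thread; the FIXED remote rule is constructed by applying the same one-line pattern suggested in the reply.

```python
import re

# Legacy rsyslog rule = filter + action on ONE line.
# Property filter form:  :property, [!]compare-op, "value" <action>
PROP_FILTER = re.compile(r'^:(\w+)\s*,\s*(!?\w+)\s*,\s*"((?:[^"\\]|\\.)*)"\s*(.*)$')
# Classic selector form:  facility.priority[;...] <action>
SELECTOR = re.compile(r'^[\w*,]+\.[\w*!=]+(;[\w*,]+\.[\w*!=]+)*\s+\S')

# The configuration as posted in the question.
ORIGINAL = '''\
#Log all fail2ban locally
:syslogtag, contains, "fail2ban"
daemon.* /var/log/fail2ban.log

#Log bans & unbans to remote
:msg, contains, "ssh-slowattack"
daemon.* @@10.0.0.1:5000
'''

# Constructed for this example: filter and action joined on one line.
FIXED = '''\
#Log all fail2ban locally
:syslogtag, contains, "fail2ban" /var/log/fail2ban.log

#Log bans & unbans to remote
:msg, contains, "ssh-slowattack" @@10.0.0.1:5000
'''

def lint(conf):
    """Return (line_no, message) findings for a legacy-format config."""
    findings, dangling = [], None   # dangling: line of a filter with no action
    for no, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PROP_FILTER.match(line)
        if m and not m.group(4):
            findings.append((no, "property filter has no action on its line"))
            dangling = no
            continue
        if not m and SELECTOR.match(line) and dangling is not None:
            findings.append((no, "selector is its own rule; the filter on "
                                 "line %d does not restrict it" % dangling))
        dangling = None
    return findings

if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, lint(conf) or "clean")
```

The second finding on each pair is the one that explains the remote server receiving every daemon event: `daemon.* @@10.0.0.1:5000` forwards the whole facility regardless of the line above it.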