Templates are not used to parse inbound messages, only to format outbound
messages.
If you want the action inside the ruleset to use the template AuditMsg, then you
need to add template="AuditMsg" to the action() call.
Does this answer your question?
David Lang
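
The change described in the reply above, written out as a complete configuration. This is an added example, not part of the original thread: the template names, ruleset name, path and port are the ones from the configuration quoted further down, and the module(load="imtcp") line is an assumption about how the TCP input module is loaded.

```rsyslog
# Added example (not from the original thread).
# Assumption: imtcp is not already loaded elsewhere in the configuration.
module(load="imtcp")

# Builds the per-sender, per-day output file name.
template(name="AuditLogSavePath" type="list") {
    constant(value="/data/syslogs/audit/")
    property(name="fromhost-ip")
    constant(value="/")
    property(name="timegenerated" dateFormat="year")
    constant(value="-")
    property(name="timegenerated" dateFormat="month")
    constant(value="-")
    property(name="timegenerated" dateFormat="day")
    constant(value="-")
    property(name="fromhost-ip")
    constant(value=".audit.log")
}

# Formats each line written to the file: the message from character 2
# to the end, followed by a newline.
template(name="AuditMsg" type="string" string="%msg:2:$%\n")

ruleset(name="Audit-Rules") {
    # dynaFile selects the template that names the file;
    # template selects the template that formats each written line.
    # Without template=, omfile falls back to its default file format.
    action(type="omfile"
           dynaFile="AuditLogSavePath"
           template="AuditMsg")
}

# Messages arriving on TCP port 2514 are bound to the ruleset above.
input(type="imtcp" port="2514" ruleset="Audit-Rules")
```

Both templates apply on output only: one decides where a received message is written, the other what the written line looks like.
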
On Wed, 11 Dec 2019, Bradley Hieber wrote:
So I want the two new-format templates to be used on incoming tcp://2514
packets, which will be auditd messages. I included the legacy versions for
comparison of what I wanted to do.
---
Bradley Hieber
Owner, Express Cloud Hosting
p. 810-882-1557
Expresscloudhosting.net
On 2019-12-11 14:02, David Lang wrote:
I don't understand your problem. You have 4 templates defined, two
with legacy format (which I still use a lot) and two with the new
format.
You can use any of the four formats with either the old format actions
or the new format actions.
What is it you are trying to do that isn't working?
David Lang
On Wed, 11 Dec 2019, Bradley Hieber via rsyslog wrote:
Date: Wed, 11 Dec 2019 12:30:36 -0500
From: Bradley Hieber via rsyslog <[email protected]>
To: [email protected]
Cc: Bradley Hieber <[email protected]>
Subject: [rsyslog] Two templates in the same ruleset
Hello List,
I am trying to do a dynamic file and string edit within a ruleset and am
coming up empty on examples. I want to replicate the two template edits
in the new format, but I am not seeing any examples of how to do both,
without using the legacy syntax. Config listed below:
template(name="AuditLogSavePath" type="list") {
    constant(value="/data/syslogs/audit/")
    property(name="fromhost-ip")
    constant(value="/")
    property(name="timegenerated" dateFormat="year")
    constant(value="-")
    property(name="timegenerated" dateFormat="month")
    constant(value="-")
    property(name="timegenerated" dateFormat="day")
    constant(value="-")
    property(name="fromhost-ip")
    constant(value=".audit.log")
}
template(name="AuditMsg" type="string" string="%msg:2:$%\n")
ruleset(name="Audit-Rules") {
    action(type="omfile" DynaFile="AuditLogSavePath")
}
# provides TCP syslog reception
input(type="imtcp" port="2514" ruleset="Audit-Rules")
#$InputTCPServerRun 2514
# $AllowedSender TCP,127.0.0.1,192.168.56.102
$template HostAudit,"/data/syslog/audit/%HOSTNAME%/audit.log"
$template auditFormat,"%msg%\n"
local6.* ?HostAudit;auditFormat
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog