yes,
*.* @@dest
is the same as
@@dest
or
If "1" == "1" then @@dest
all you need to do is put in whatever filtering you want in the if..then
structure.
David Lang
On Wed, 1 Apr 2020, Daniel Oakes wrote:
Date: Wed, 1 Apr 2020 00:49:48 +0000
From: Daniel Oakes <[email protected]>
To: David Lang <[email protected]>,
Daniel Oakes via rsyslog <[email protected]>
Subject: Re: [rsyslog] Rsyslog forwarding filtering
So instead of the global forwarding, just use this instead of the *.* @@dest?
From: David Lang <[email protected]>
Date: Wednesday, 1 April 2020 at 1:43 PM
To: Daniel Oakes via rsyslog <[email protected]>
Cc: Daniel Oakes <[email protected]>
Subject: Re: [rsyslog] Rsyslog forwarding filtering
if not ($msg contains "string") then @destination
if this isn't what you are looking for, please give a more complete example
David Lang
On Wed, 1 Apr 2020, Daniel Oakes via rsyslog wrote:
Hi there,
Just a simple request, but have been kinda beating myself up a little bit
trying to find a solution.
Scenario: I’ve got three rsyslog servers collecting logs, writing them locally,
and then also forwarding them through to our SIEM instance. I have a heap of
messages that are for a particular monitoring user / process, that I’d like to
filter out so they don’t get forwarded to the SIEM.
i.e. msg contains ‘string’ then don’t forward. I couldn’t find anything that
quite matched what I was looking for. Is it possible to filter conditionally
like this on a forward?
Thanks in advance!!
Regards,
Daniel
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
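The scenario from this thread (write everything locally, forward everything except the monitoring noise), as an added example in rsyslog's `action()` syntax; it is not from any poster in the thread. The file path, SIEM host name, port and match string are placeholders.

```conf
# Added example, not from the thread. Placeholders: file path, target, port, "string".

# 1. Local copy: no filter, so the collector keeps the complete record,
#    including the monitoring messages that are withheld from the SIEM.
action(type="omfile" file="/var/log/collected/all.log")

# 2. Forwarding: only messages whose text does NOT contain the string.
#    The parentheses matter, because "not" binds tighter than "contains".
if not ($msg contains "string") then {
    action(
        type="omfwd"
        target="siem.example.com"   # placeholder SIEM address
        port="514"                  # placeholder port
        protocol="tcp"              # tcp is what "@@dest" means; "@dest" is udp
    )
}
```

Because the local write comes first and carries no filter, the suppressed messages remain available on the collectors even though the SIEM never sees them. The syntax can be checked with `rsyslogd -N1` before restarting the service.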