Rsyslog gurus,
I have a config that accepts connections from remote hosts and steers logs to
files based on port. Pretty straightforward... What I'm looking to do is
"globally" prevent certain IP addresses from ending up in the logs (internal
vulnerability scanners I have no control over).
I've tried a few different ways but I'm not coming across anything that works
globally. Adding something like "if $fromhost-ip '1.2.3.4' then stop" works
just fine in an individual ruleset.
Is there a way I can do this without having to enter duplicate lines in every
ruleset (I have like 30 rulesets)?
Thanks,
Steven
Config snippet below: "#logname01/02#" is replaced by the relevant product in
the configuration.
# Listeners: plain UDP, and TCP with NUL (character code 0) as an additional
# frame delimiter and TCP keepalive enabled
module(load="imudp")
module(load="imtcp" MaxListeners="100" AddtlFrameDelimiter="000" KeepAlive="on"
       KeepAlive.Probes="1" KeepAlive.Time="10")

# Product 01: both protocols on port 24514, one file per sending host
input(type="imudp" port="24514" ruleset="#logname01#_rule")
input(type="imtcp" port="24514" ruleset="#logname01#_rule")
template(name="#logname01#_logs" type="string"
         string="/data/logs/#logname01#/24514/%fromhost-ip%/syslog.log")
ruleset(name="#logname01#_rule") {
    action(name="#logname01#_rule"
           type="omfile"
           FileCreateMode="0744"
           DirCreateMode="0755"
           FileOwner="SIEM"
           FileGroup="SIEM"
           DirOwner="SIEM"
           DirGroup="SIEM"
           DynaFile="#logname01#_logs"
           DynaFileCacheSize="50")
}

# Product 02: same layout on port 25514
input(type="imudp" port="25514" ruleset="#logname02#_rule")
input(type="imtcp" port="25514" ruleset="#logname02#_rule")
template(name="#logname02#_logs" type="string"
         string="/data/logs/#logname02#/25514/%fromhost-ip%/syslog.log")
ruleset(name="#logname02#_rule") {
    action(name="#logname02#_rule"
           type="omfile"
           FileCreateMode="0744"
           DirCreateMode="0755"
           FileOwner="SIEM"
           FileGroup="SIEM"
           DirOwner="SIEM"
           DirGroup="SIEM"
           DynaFile="#logname02#_logs"
           DynaFileCacheSize="50")
}
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
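One way to get the "global" drop Steven asks about without touching the 30 per-product rulesets, as an added example that is not part of the original post or of the rsyslog project: give every input a name= (which sets $inputname) and point all of them at one shared entry ruleset that does the scanner drop once and then dispatches to the existing per-product ruleset. The shared ruleset builds the target name from $inputname and jumps to it with call_indirect, which assumes rsyslog 8.29 or later; the product names, the "_rule" suffix and the two scanner addresses are placeholders.

```conf
# Added example (not from the original post). Assumes rsyslog >= 8.29 for
# call_indirect. Product names, IPs and the "_rule" suffix are placeholders.
module(load="imudp")
module(load="imtcp" MaxListeners="100" AddtlFrameDelimiter="000" KeepAlive="on"
       KeepAlive.Probes="1" KeepAlive.Time="10")

# Every listener gets name= so $inputname identifies the product, and every
# listener feeds the same entry ruleset instead of its own.
input(type="imudp" port="24514" name="logname01" ruleset="ingress")
input(type="imtcp" port="24514" name="logname01" ruleset="ingress")
input(type="imudp" port="25514" name="logname02" ruleset="ingress")
input(type="imtcp" port="25514" name="logname02" ruleset="ingress")

ruleset(name="ingress") {
    # The one place the exclusion list lives. RainerScript compares a
    # property against each element of the array; matches are discarded
    # before any per-product action can see them.
    if $fromhost-ip == ["1.2.3.4", "1.2.3.5"] then stop

    # Derive the per-product ruleset name ("logname01" + "_rule") and jump
    # to it. The existing product rulesets below are unchanged.
    set $.target = $inputname & "_rule";
    call_indirect $.target;
}

# Existing per-product rulesets, exactly as before (only two shown).
template(name="logname01_logs" type="string"
         string="/data/logs/logname01/24514/%fromhost-ip%/syslog.log")
ruleset(name="logname01_rule") {
    action(type="omfile" DynaFile="logname01_logs" DynaFileCacheSize="50"
           FileCreateMode="0744" DirCreateMode="0755"
           FileOwner="SIEM" FileGroup="SIEM" DirOwner="SIEM" DirGroup="SIEM")
}

template(name="logname02_logs" type="string"
         string="/data/logs/logname02/25514/%fromhost-ip%/syslog.log")
ruleset(name="logname02_rule") {
    action(type="omfile" DynaFile="logname02_logs" DynaFileCacheSize="50"
           FileCreateMode="0744" DirCreateMode="0755"
           FileOwner="SIEM" FileGroup="SIEM" DirOwner="SIEM" DirGroup="SIEM")
}
```

On a version without call_indirect, the dispatch becomes one explicit `if $inputname == "logname01" then call logname01_rule` line per product inside the ingress ruleset; the filter still lives in a single place. Two things worth keeping in mind: over UDP the source address is unauthenticated, so anything that spoofs a scanner's address is silently discarded along with the scanner traffic, and a bad actor who knows the exclusion list can hide behind it. Also, the file modes are carried over from the post, and 0744 leaves the log files world-readable on the collector, which is worth revisiting separately. Validate the result with `rsyslogd -N1 -f <file>` before restarting the daemon.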