If every input maps to its own unique ruleset then you must do some type of duplication. I would define a separate ruleset with the stop logic (and anything else you'd want to do in all cases) and then call that ruleset from each of the others, i.e., the first action in each ruleset is the call to the new one.
Regards,

> On Dec 8, 2022, at 09:15, Steven D via rsyslog <[email protected]> wrote:
>
> Rsyslog gurus
>
> I have a config that accepts connections from remote hosts and steers logs to
> files based on port. Pretty straightforward... what I'm looking to do is
> "globally" prevent certain IP addresses from ending up in the logs. (Internal
> vulnerability scanners I have no control over).
>
> I've tried a few different ways but not coming across anything that works
> globally. Adding something like "if $fromhost-ip '1.2.3.4' then stop" works
> just fine on an individual ruleset.
>
> Is there a way I can do this without having to enter duplicate lines in every
> ruleset (I have like 30 rulesets)?
>
> Thanks,
> Steven
>
> Config snippet below: "#logname01/02#" is replaced by the relevant product in
> the configuration.
>
> module(load="imudp")
> module(load="imtcp" MaxListeners="100" AddtlFrameDelimiter="000"
>        KeepAlive="on" KeepAlive.Probes="1" KeepAlive.Time="10")
>
> input(type="imudp" port="24514" ruleset="#logname01#_rule")
> input(type="imtcp" port="24514" ruleset="#logname01#_rule")
> template(name="#logname01#_logs" type="string"
>          string="/data/logs/#logname01#/24514/%fromhost-ip%/syslog.log")
> ruleset(name="#logname01#_rule") {
>     action(name="#logname01#_rule"
>            type="omfile"
>            FileCreateMode="0744"
>            DirCreateMode="0755"
>            FileOwner="SIEM"
>            FileGroup="SIEM"
>            DirOwner="SIEM"
>            DirGroup="SIEM"
>            DynaFile="#logname01#_logs"
>            DynaFileCacheSize="50")
> }
>
> input(type="imudp" port="25514" ruleset="#logname02#_rule")
> input(type="imtcp" port="25514" ruleset="#logname02#_rule")
> template(name="#logname02#_logs" type="string"
>          string="/data/logs/#logname02#/25514/%fromhost-ip%/syslog.log")
> ruleset(name="#logname02#_rule") {
>     action(name="#logname02#_rule"
>            type="omfile"
>            FileCreateMode="0744"
>            DirCreateMode="0755"
>            FileOwner="SIEM"
>            FileGroup="SIEM"
>            DirOwner="SIEM"
>            DirGroup="SIEM"
>            DynaFile="#logname02#_logs"
>            DynaFileCacheSize="50")
> }
>
> _______________________________________________
> rsyslog mailing list
> https://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
> LIKE THAT.
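The shared-ruleset approach the reply describes, written out as a complete rsyslog configuration. This is an added example, not configuration from the thread: the ruleset and template names (`drop_unwanted_sources`, `product01_*`, `product02_*`) and the two excluded addresses (taken from the RFC 5737 documentation range) are constructed placeholders, and the file/directory modes are tightened from the poster's 0744/0755 to 0640/0750 because log files need neither the execute bit nor world read.

```rsyslog
# Added example (not from the thread): one ruleset carries the "global"
# suppression logic and every per-port ruleset calls it as its first
# statement, so the exclusion list lives in exactly one place.

module(load="imudp")
module(load="imtcp" MaxListeners="100")

# Sources that must never reach the log files. Constructed placeholder
# addresses; the array comparison matches any listed entry.
# "stop" here discards the message, which is what the reply relies on to
# skip the caller's remaining actions as well.
ruleset(name="drop_unwanted_sources") {
    if $fromhost-ip == ["192.0.2.10", "192.0.2.11"] then stop
}

# ---- product 01 on port 24514 ------------------------------------------
template(name="product01_logs" type="string"
         string="/data/logs/product01/24514/%fromhost-ip%/syslog.log")

input(type="imudp" port="24514" ruleset="product01_rule")
input(type="imtcp" port="24514" ruleset="product01_rule")

ruleset(name="product01_rule") {
    call drop_unwanted_sources          # first statement, before any action
    action(name="product01_file"
           type="omfile"
           FileCreateMode="0640"
           DirCreateMode="0750"
           FileOwner="SIEM"
           FileGroup="SIEM"
           DirOwner="SIEM"
           DirGroup="SIEM"
           DynaFile="product01_logs"
           DynaFileCacheSize="50")
}

# ---- product 02 on port 25514 ------------------------------------------
template(name="product02_logs" type="string"
         string="/data/logs/product02/25514/%fromhost-ip%/syslog.log")

input(type="imudp" port="25514" ruleset="product02_rule")
input(type="imtcp" port="25514" ruleset="product02_rule")

ruleset(name="product02_rule") {
    call drop_unwanted_sources          # same one-line call in every ruleset
    action(name="product02_file"
           type="omfile"
           FileCreateMode="0640"
           DirCreateMode="0750"
           FileOwner="SIEM"
           FileGroup="SIEM"
           DirOwner="SIEM"
           DirGroup="SIEM"
           DynaFile="product02_logs"
           DynaFileCacheSize="50")
}
```

To verify the behaviour before rolling it across thirty rulesets, run `rsyslogd -N1` to syntax-check the file, then send one test message from an excluded address and one from a permitted address to the same port and confirm that only the permitted source gets a `%fromhost-ip%` directory under `/data/logs/`. Two caveats: the called ruleset must not be given its own queue, or the call becomes asynchronous and the caller's actions run regardless; and for UDP inputs `$fromhost-ip` is simply the packet's source address, so this is a noise filter for known scanners, not an access control.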

