I changed it to:

ruleset(name="drop") {
    if ($rawmsg contains "temp-write-test-")
       or ($rawmsg contains "-mc.log")
       or ($rawmsg contains "/bb-plugin/cache") then {
        stop
    }
}

But the messages still show up.

If the message is malformed, what can I do?

This is one such message I'm still getting:

"message": type=PATH msg=audit(1715691166.683:1235018): item=1
name=\"/var/www/[redacted]/htdocs/wp-content/mc_data/e0dd02283d6008e11343bf4b5d38ced4-mc.log\"
inode=2427162 dev=08:01 mode=0100644 ouid=1010 ogid=2011 rdev=00:00
nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
OUID=\"[redacted\" OGID=\"redacted\"

Thomas J. Raef
Founder, WeWatchYourWebsite.com
http://wewatchyourwebsite.com
tr...@wewatchyourwebsite.com
LinkedIn <https://www.linkedin.com/in/thomas-raef-74b93a14/>
Facebook <https://www.facebook.com/WeWatchYourWebsite>



On Fri, May 24, 2024 at 6:49 AM Rainer Gerhards <rgerha...@hq.adiscon.com>
wrote:

> I guess the message is malformed and the string you look for is inside
> another field.
>
> I would suggest that you use "$rawmsg" instead of "$msg". If that
> works, a) we are on the right track and b) you actually solved the
> issue, albeit probably not in the best possible way.
>
> HTH
> Rainer
>
> El vie, 24 may 2024 a las 12:28, Thomas Raef via rsyslog
> (<rsyslog@lists.adiscon.com>) escribió:
> >
> > I have rules setup but I want to ignore all entries like this:
> >
> >  "message": type=PATH msg=audit(1715687344.694:1226486): item=3
> >
> name=\"/var/www/[redacted].com/htdocs/wp-content/temp-write-test-12345467\"
> > inode=1661307 dev=08:01 mode=0100644 ouid=1005 ogid=2006 rdev=00:00
> > nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
> > OUID=\"[redacted]\" OGID=\"[redacted]\"
> >
> > I want to ignore all entries that have temp-write-test- in the message.
> >
> > I've tried:
> >
> > :msg, contains, "temp-write-test-" stop
> >
> >
> >
> > But I continually get messages with that string in them. I've tried it
> with
> > that as the first rule.
> >
> >
> > And I've tried this as well:
> >
> >
> > ruleset(name="drop") {
> > if ($msg contains "temp-write-test-") or ($msg contains "-mc.log") or
> ($msg
> > contains "/bb-plugin/cache") then {
> > stop
> > }
> > }
> >
> > input(type="imfile"
> > File="/var/log/audit/audit.log"
> > Tag="audit_logs"
> > ruleset="drop"
> > reopenOnTruncate="on"
> > )
> >
> >
> > Nothing works.
> >
> >
> > Can anyone shed some light? Please?
> >
> >
> > Thomas J. Raef
> > Founder, WeWatchYourWebsite.com
> > http://wewatchyourwebsite.com
> > tr...@wewatchyourwebsite.com
> > LinkedIn <https://www.linkedin.com/in/thomas-raef-74b93a14/>
> > Facebook <https://www.facebook.com/WeWatchYourWebsite>
> > _______________________________________________
> > rsyslog mailing list
> > https://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
>
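Added example (not from this thread and not rsyslog's own code): a small Python model of the filtering the thread is about. `rsyslog_style_contains` does what `$rawmsg contains "..."` does, a plain substring test on the line. The sample PATH records are constructed placeholders modelled on the ones quoted above. The second sample illustrates a caveat worth checking when such a filter seems not to fire: auditd hex-encodes a `name=` value that contains a space or other special byte, so the path is present in the record but the substring `-mc.log` is not visible as text and a plain `contains` test cannot see it. `parse_audit_record` decodes that form, and `is_noise` matches on the decoded field instead.

```python
import re

# Constructed sample PATH records modelled on the ones quoted in the thread.
# Paths, inodes and ids are placeholders, not the poster's real data.
HEX_NAME = "/var/www/example.com/htdocs/wp-content/mc data/x-mc.log".encode().hex().upper()
SAMPLE_RECORDS = [
    # Quoted name as it appears once JSON-escaped downstream (\" around the path).
    'type=PATH msg=audit(1715691166.683:1235018): item=1 '
    'name=\\"/var/www/example.com/htdocs/wp-content/mc_data/e0dd0228-mc.log\\" '
    'inode=2427162 dev=08:01 mode=0100644 ouid=1010 ogid=2011 rdev=00:00 nametype=CREATE',
    # auditd hex-encodes a name containing a space (or other special byte):
    # the value is unquoted hex, so "-mc.log" never appears as plain text.
    'type=PATH msg=audit(1715691166.683:1235019): item=1 '
    'name=' + HEX_NAME + ' '
    'inode=2427163 dev=08:01 mode=0100644 ouid=1010 ogid=2011 rdev=00:00 nametype=CREATE',
    # Ordinary record that should be kept.
    'type=PATH msg=audit(1715691166.683:1235020): item=0 '
    'name="/var/www/example.com/htdocs/wp-content/uploads/photo.jpg" '
    'inode=2427164 dev=08:01 mode=0100644 ouid=1010 ogid=2011 rdev=00:00 nametype=NORMAL',
]

# The substrings the thread wants dropped.
NOISE_PATTERNS = ("temp-write-test-", "-mc.log", "/bb-plugin/cache")

# key=value tokens: a value is either a "quoted string" or a run of non-space chars.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
HEX_RE = re.compile(r'[0-9A-Fa-f]+')


def parse_audit_record(line):
    """Split one audit record into a dict, decoding a hex-encoded name field."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        quoted = False
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value, quoted = value[1:-1], True
        elif len(value) >= 4 and value.startswith('\\"') and value.endswith('\\"'):
            value, quoted = value[2:-2], True  # JSON-escaped quotes
        # An unquoted, even-length, all-hex name is auditd's encoded form.
        if key == "name" and not quoted and len(value) % 2 == 0 and HEX_RE.fullmatch(value):
            value = bytes.fromhex(value).decode("utf-8", errors="replace")
        fields[key] = value
    return fields


def rsyslog_style_contains(line):
    """What `$rawmsg contains "..."` does: a plain substring test on the text."""
    return any(p in line for p in NOISE_PATTERNS)


def is_noise(line):
    """Substring test on the decoded name field, so hex-encoded names match too."""
    name = parse_audit_record(line).get("name", "")
    return any(p in name for p in NOISE_PATTERNS)


def filter_records(lines):
    """Return the records that survive after the noisy ones are dropped."""
    return [rec for rec in lines if not is_noise(rec)]


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(f"contains={rsyslog_style_contains(rec)!s:5} noise={is_noise(rec)!s:5} "
              f"name={parse_audit_record(rec)['name']}")
```

Running it shows the first record caught by both tests, the hex-encoded second record caught only by the decoded-field test, and the third record kept by both. If records like the second one are the ones slipping through, a plain `contains` on `$rawmsg` or `$msg` will not drop them however early the rule sits; the match has to be made on the decoded path.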