Mailing List Archive

rsyslog filter
Hi Rsyslog users,
I have been trying to filter iptables rules from kernel rules; it's been quite bizarre that the same config works on one of the boxes and not on the other.


#### #### /etc/rsyslog.conf [CentOS release 6.4 (Final)] ####
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf

#iptables Log
:msg, startswith,"ipt: " /var/log/iptables.log
& ~
kern.* /var/log/kernel

###### As that didn't work, I also tried the format given below, with no luck.
#iptables Log
:msg, startswith,"ipt: " -/var/log/iptables.log
& ~

Has anyone faced a similar issue with rsyslog?
Regards
Ashish
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: rsyslog filter
could you please show a sample iptables log message from each system?

David Lang

On Thu, 10 Oct 2013, Ashish Nepal wrote:

> Date: Thu, 10 Oct 2013 16:19:26 +0000
> From: Ashish Nepal <aashisn@hotmail.com>
> Reply-To: rsyslog-users <rsyslog@lists.adiscon.com>
> To: rsyslog-users <rsyslog@lists.adiscon.com>
> Subject: [rsyslog] rsyslog filter
Re: rsyslog filter
Hi David,
please see the logs below

box1:
Oct 10 14:14:55 box1 kernel: ipt: SATURIN=bond0 OUT= MAC=90:b1:1c:94:9d:49:00:1b:0d:e5:fd:09:08:90 SRC=12.12.12.12 DST=22.22.22.22 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=16965 DF PROTO=TCP SPT=51623 DPT=9917 WINDOW=14600 RES=0x00 SYN URGP=0
box2:
Oct 10 09:51:21 box2 kernel: ipt: SATURIN=bond0 OUT= MAC=90:b1:9c:31:99:36:00:19:0d:e5:fd:90:08:09 SRC=12.12.12.12 DST=23.23.23.23 LEN=64 TOS=0x00 PREC=0x00 TTL=58 ID=52679 DF PROTO=TCP SPT=58013 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0

There is no diff, as the two are loaded with the same spec/OS/application etc., the same rsyslog version, as well as the same iptables version.
Regards
Ashish

> Date: Thu, 10 Oct 2013 09:27:17 -0700
> From: david@lang.hm
> To: rsyslog@lists.adiscon.com
> Subject: Re: [rsyslog] rsyslog filter
>
> could you please show a sample iptables log message from each system?
>
> David Lang
Re: rsyslog filter
But I must admit that box1 breaks logs too;
sometimes it writes completely misplaced logs.

> From: aashisn@hotmail.com
> To: rsyslog@lists.adiscon.com
> Date: Thu, 10 Oct 2013 16:31:28 +0000
> Subject: Re: [rsyslog] rsyslog filter
Re: rsyslog filter
Well, one odd thing: why do you have & ~ in the line the way you do?

If you want to throw the logs away after writing them to iptables.log, the config
should look like:

:msg, startswith, "ipt: " /var/log/iptables.log
& ~

Also, check for startup errors. I can never remember if this requires single or
double quotes on old versions like the 5.8 that ships with RHEL 6.4.

David Lang

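An added example, not code from the thread or from rsyslog itself: the Python below models the legacy rule order David describes (the startswith filter writing to iptables.log, then `& ~` on its own line discarding the message, then `kern.*` catching the rest) and replays the box1 line posted above through it, together with one constructed non-iptables kernel line. It also exposes the one check worth making on a box where the filter silently matches nothing: whether the msg property still carries the space that follows the "kernel:" tag. Whether rsyslog strips that space depends on the input module and parser version, so the model shows both cases; on the real system, bind a debugging template such as `$template ShowMsg,"[%msg%]\n"` to a file action and look at what sits inside the brackets, and run `rsyslogd -N1` for startup errors if your 5.x build has the config-check switch (the legacy property filter syntax in the docs uses double quotes). Finally it splits the iptables fields, which makes visible that the posted `ipt: SATUR` prefix has no trailing space and fuses with `IN=`.

```python
"""Model of rsyslog's legacy (v5) rule evaluation for the config in this thread.

Added example, not rsyslog code: it replays kernel lines through the rule
order David describes (filter line, "& ~" on its own line, then kern.*) and
parses the iptables fields for downstream detection.
"""
import re
from collections import defaultdict
from typing import Callable, Dict, List

# Line 1 is the box1 sample posted in the thread; line 2 is a constructed
# non-iptables kernel message to show kern.* still receives the rest.
SAMPLE_LINES = [
    "Oct 10 14:14:55 box1 kernel: ipt: SATURIN=bond0 OUT= "
    "MAC=90:b1:1c:94:9d:49:00:1b:0d:e5:fd:09:08:90 SRC=12.12.12.12 "
    "DST=22.22.22.22 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=16965 DF PROTO=TCP "
    "SPT=51623 DPT=9917 WINDOW=14600 RES=0x00 SYN URGP=0",
    "Oct 10 14:14:56 box1 kernel: e1000e: eth0 NIC Link is Up 1000 Mbps",
]

# RFC 3164 shape "MMM dd hh:mm:ss host tag:<msg>". The msg group keeps the
# space after "tag:" so both ways rsyslog may expose the property can be shown.
RFC3164 = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<tag>[^: ]+):(?P<msg>.*)$"
)


def parse_syslog(line: str, strip_leading_space: bool = True) -> Dict[str, str]:
    """Split one line into ts/host/tag/msg; facility is derived from the tag."""
    m = RFC3164.match(line)
    if not m:
        raise ValueError("not an RFC 3164 line: %r" % line)
    rec = m.groupdict()
    if strip_leading_space:
        rec["msg"] = rec["msg"].lstrip(" ")
    # imklog tags kernel messages "kernel:"; that is facility kern for kern.*
    rec["facility"] = "kern" if rec["tag"] == "kernel" else "user"
    return rec


Selector = Callable[[Dict[str, str]], bool]

# Legacy config as David wrote it, one rule per line:
#   :msg, startswith, "ipt: "   /var/log/iptables.log
#   & ~
#   kern.*                      /var/log/kernel
# "&" reuses the previous line's selector; "~" discards the message.
RULES = [
    (lambda r: r["msg"].startswith("ipt: "), "/var/log/iptables.log"),
    ("&", "~"),
    (lambda r: r["facility"] == "kern", "/var/log/kernel"),
]


def route(lines: List[str], rules=RULES, strip_leading_space: bool = True) -> Dict[str, List[str]]:
    """Return {logfile: [msg, ...]} after evaluating rules top to bottom."""
    out: Dict[str, List[str]] = defaultdict(list)
    for line in lines:
        rec = parse_syslog(line, strip_leading_space)
        last_hit = False
        for selector, action in rules:
            hit = last_hit if selector == "&" else selector(rec)
            last_hit = hit
            if not hit:
                continue
            if action == "~":  # discard: stop processing this message
                break
            out[action].append(rec["msg"])
    return dict(out)


def parse_ipt_fields(msg: str) -> Dict[str, str]:
    """Split an iptables LOG message into KEY=VALUE fields; bare tokens such
    as DF or SYN are collected under 'flags'. Note the posted prefix
    "ipt: SATUR" has no trailing space, so the key comes out as SATURIN,
    not IN; use --log-prefix "ipt: SATUR " to get a clean IN= field."""
    fields: Dict[str, str] = {}
    flags = []
    for tok in msg.split():
        key, eq, val = tok.partition("=")
        if eq:
            fields[key] = val
        else:
            flags.append(tok)
    fields["flags"] = " ".join(flags)
    return fields


if __name__ == "__main__":
    for name, strip in (("msg without leading space", True), ("msg keeps leading space", False)):
        print(name, "->", {k: len(v) for k, v in route(SAMPLE_LINES, strip_leading_space=strip).items()})
    print(parse_ipt_fields(parse_syslog(SAMPLE_LINES[0])["msg"]))
```

With the space stripped, the iptables line lands only in iptables.log and the link-state line only in the kernel file; with the space retained, `startswith "ipt: "` matches nothing and both lines fall through to kern.*, which is exactly the "filter does nothing" symptom. A `contains` test is indifferent to the space, which is why it is the safer choice when you cannot inspect the msg property on every box.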
Re: rsyslog filter
Hello!

I'd say you should try with mmnormalize module for message parsing to the
fields which are good for you. You will need to write the liblognorm
parsing rule(s) for your message format. Then you can write a template for
the output you'd like to have.

Links:
1. mmnormalize module docs:
https://www.rsyslog.com/doc/v8-stable/configuration/modules/mmnormalize.html
2. liblognorm docs:
https://github.com/rsyslog/liblognorm/blob/master/doc/configuration.rst
3. templates:
https://www.rsyslog.com/doc/v8-stable/configuration/templates.html


On Tue, 2 Mar 2021 at 17:29, Milad Rezaei via rsyslog <rsyslog@lists.adiscon.com> wrote:

> Hi dears
>
> I want to filter and manipulate the logs received by rsyslog and save them.
> For example, in the line below I don't need some parameters, and they should be
> deleted from the saved log:
> Mar 2 12:57:41 test snort[24571]: [122:20:1] (portscan) UDP Distributed Portscan [Classification: Attempted Information Leak] [Priority: 2] {PROTO:255} 158.225.224.79 -> 88.18.67.20
>
> thank you


--
Yury Bushmelev
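An added example, not part of the original post and not liblognorm code: this Python stand-in does what the suggested mmnormalize rule plus an rsyslog output template would do for the Snort line Milad posted, namely extract the fields, drop the ones he does not want (pid, classification text, preprocessor name), and re-emit a compact key=value line. The second sample alert is constructed in Snort's usual `{PROTO} ip:port -> ip:port` form to show the parser handles both shapes; IPv4 only. Lines that do not parse are kept verbatim rather than dropped, which is the behaviour you want for security logs. The liblognorm rulebase itself is not shown; write it per the docs linked above and check it with liblognorm's lognormalizer tool before wiring it into rsyslog.

```python
"""Parse Snort alert lines into fields and re-emit only the wanted ones.

Added example: a Python stand-in for an mmnormalize rule plus an rsyslog
template, so the field choice can be tested before the rulebase is written.
"""
import re
from typing import Dict, Iterable, List, Optional

# First line as posted in the thread; second is a constructed alert in
# Snort's common "{PROTO} ip:port -> ip:port" form.
SAMPLE_ALERTS = [
    "Mar 2 12:57:41 test snort[24571]: [122:20:1] (portscan) UDP Distributed "
    "Portscan [Classification: Attempted Information Leak] [Priority: 2] "
    "{PROTO:255} 158.225.224.79 -> 88.18.67.20",
    "Mar 2 12:58:03 test snort[24571]: [1:2100498:7] GPL ATTACK_RESPONSE id "
    "check returned root [Classification: Potentially Bad Traffic] "
    "[Priority: 2] {TCP} 10.0.0.5:80 -> 192.168.1.7:41652",
]

SNORT = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) snort\[(?P<pid>\d+)\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?:\((?P<preproc>[^)]*)\) )?"          # "(portscan)" is optional
    r"(?P<desc>.*?) "
    r"\[Classification: (?P<class>[^\]]*)\] "
    r"\[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>[^}]*)\} "
    r"(?P<src>\S+) -> (?P<dst>\S+)$"
)


def parse_alert(line: str) -> Optional[Dict[str, str]]:
    """Return the alert's fields, or None when the line is not a Snort alert."""
    m = SNORT.match(line)
    if not m:
        return None
    f = m.groupdict()
    f["preproc"] = f["preproc"] or ""
    # Snort prints "{UDP}" normally; the portscan preprocessor prints
    # "{PROTO:255}". Normalise to a bare protocol token.
    f["proto"] = f["proto"].replace("PROTO:", "", 1)
    for side in ("src", "dst"):
        ip, _, port = f[side].rpartition(":")  # bare IPv4 or ip:port
        if ip:
            f[side], f[side + "_port"] = ip, port
        else:
            f[side + "_port"] = ""
    return f


# Fields kept in the stored line, in output order. Everything else (pid,
# classification text, preprocessor name) is dropped, which is the
# "delete the parameters I don't need" the poster asked for.
KEEP = ("ts", "host", "gid", "sid", "rev", "prio", "proto",
        "src", "src_port", "dst", "dst_port", "desc")


def render(fields: Dict[str, str], keep: Iterable[str] = KEEP) -> str:
    """Emit key=value pairs the way an rsyslog template would, quoting
    values that contain spaces so the line stays machine-parsable."""
    parts = []
    for k in keep:
        v = fields.get(k, "")
        if v == "":
            continue
        if " " in v:
            v = '"%s"' % v.replace('"', '\\"')
        parts.append("%s=%s" % (k, v))
    return " ".join(parts)


def reduce_log(lines: Iterable[str]) -> List[str]:
    """Rewrite parsable alerts; unparsable input is kept verbatim, not lost."""
    out = []
    for line in lines:
        f = parse_alert(line)
        out.append(render(f) if f else line)
    return out


if __name__ == "__main__":
    for reduced in reduce_log(SAMPLE_ALERTS + ["Mar 2 12:59:00 test snort[24571]: not an alert"]):
        print(reduced)
```

Keep the raw line somewhere (a separate file or a second action) if you adopt this in production: once the classification text and preprocessor name are dropped at ingestion they cannot be recovered for a later investigation.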