
Routing messages based on Source and message content
Hi -

I'd like to route messages based on two factors. One is the source IP
and the other is a particular message content item. The idea is to have
messages from a firewall go to specific log files

I've got this part working (x.y is the second part of the IP or name ...)

if $fromhost-ip == "192.168.X.Y" then {
   action(type="omfile" file="/var/log/perimfw/firewall.log")
   # stop inside the block: only the matched messages are finished here
   stop
}
if $hostname == "perimfw.X.Y" then {
   action(type="omfile" file="/var/log/perimfw/firewall.log")
   stop
}

When you look at the log records, there are specific keywords, THREAT or
TRAFFIC.

The idea is to either have an IF statement with the source AND the
message content, or an IF statement with the source and then another
nested IF statement.

Beginning of a log rec below:

2022-11-06T07:37:48-05:00 perimfw.X.Y 1,2022/11/06 07:37:47,012801088067,TRAFFIC,end,2561,

_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: Routing messages based on Source and message content
The conditional instruction does accept nested conditions.

So you can simply do

if ($fromhost-ip == "192.168.x.y") and ($hostname == "whatever") then {
    if (your nested if condition) then {
        whatever
    } else {
        another_whatever
    }
}

Or do you want something else?

On 6.11.2022 14:08, Don Subscriptions via rsyslog wrote:
> Hi -
>
> I'd like to route messages based on two factors. One is the source IP
> and the other is a particular message content item. The idea is to
> have messages from a firewall go to specific log files
>
> I've got this part working (x.y is the second part of the IP or name ...)
>
> if $fromhost-ip == "192.168.X.Y" then {
>    action(type="omfile" file="/var/log/perimfw/firewall.log")
>    stop
> }
> if $hostname == "perimfw.X.Y" then {
>    action(type="omfile" file="/var/log/perimfw/firewall.log")
>    stop
> }
>
> When you look at the log records, there are specific keywords, THREAT or
> TRAFFIC.
>
> The idea is to either have an IF statement with the source AND the
> message content, or an IF statement with the source and then another
> nested IF statement.
>
> Beginning of a log rec below:
>
> 2022-11-06T07:37:48-05:00 perimfw.X.Y 1,2022/11/06 07:37:47,012801088067,TRAFFIC,end,2561,
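A complete rule set for the case discussed in this thread, written here as an added example (not config from either poster): it keeps the original poster's IP and hostname matches and uses the nested condition from the reply to split THREAT and TRAFFIC records into separate files. The address, hostname and directory are the placeholders from the original post; the file names threat.log and traffic.log and the /etc/rsyslog.d/ placement are assumptions.

```rainerscript
# Added example, not from the thread. Assumes the firewall logs as
# 192.168.X.Y / perimfw.X.Y (placeholders from the original post) and that
# /var/log/perimfw/ exists and is writable by rsyslog. Put this file in
# /etc/rsyslog.d/ ahead of the catch-all rules so its "stop" is reached first.
#
# Trust note: $fromhost-ip is the address of the socket the message arrived
# on, while $hostname is copied from the message header and can be set by
# whoever composed the message. Keep the IP test as the primary match and
# treat the hostname test as a convenience for the same device.
if ($fromhost-ip == "192.168.X.Y") or ($hostname == "perimfw.X.Y") then {

    # In the sample record "1,2022/11/06 07:37:47,012801088067,TRAFFIC,end,2561,"
    # the log type is the fourth comma-separated field. Matching the keyword
    # together with its surrounding commas avoids firing on the same word
    # appearing inside another field (e.g. a URL or username).
    if $msg contains ",THREAT," then {
        action(type="omfile" file="/var/log/perimfw/threat.log")
    } else if $msg contains ",TRAFFIC," then {
        action(type="omfile" file="/var/log/perimfw/traffic.log")
    } else {
        # Any other record type from the firewall (SYSTEM, CONFIG, ...)
        # keeps the destination used in the original post.
        action(type="omfile" file="/var/log/perimfw/firewall.log")
    }

    # "stop" sits inside the block, so only firewall messages end here;
    # messages from every other host fall through to the remaining rules.
    stop
}
```

Check the file with `rsyslogd -N1` before reloading, so a syntax slip does not leave the daemon running on a stale config.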