Hi -
I'd like to route messages based on two factors. One is the source IP
and the other is a particular message content item. The idea is to have
messages from a firewall go to specific log files
I've got this part working (x.y is the second part o/t IP or name ... )
if $fromhost-ip == "192.168.X.Y" then {
Action (type="omfile" file="/var/log/perimfw/firewall.log")
}
stop
if $hostname == "perimfw.X.Y" then {
Action (type="omfile" file="/var/log/perimfw/firewall.log")
}
stop
When you look the log records, there are specific keywords THREAT or
TRAFFIC.
The idea is to either have an IF statement with the source AND the
message content or a IF statement with the source and then a another
nested IF sttmt.
Beginning of a log rec below:
2022-11-06T07:37:48-05:00 perimfw.X.Y 1,2022/11/06
07:37:47,012801088067,TRAFFIC,end,2561,
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
I'd like to route messages based on two factors. One is the source IP
and the other is a particular message content item. The idea is to have
messages from a firewall go to specific log files
I've got this part working (x.y is the second part o/t IP or name ... )
if $fromhost-ip == "192.168.X.Y" then {
Action (type="omfile" file="/var/log/perimfw/firewall.log")
}
stop
if $hostname == "perimfw.X.Y" then {
Action (type="omfile" file="/var/log/perimfw/firewall.log")
}
stop
When you look the log records, there are specific keywords THREAT or
TRAFFIC.
The idea is to either have an IF statement with the source AND the
message content or a IF statement with the source and then a another
nested IF sttmt.
Beginning of a log rec below:
2022-11-06T07:37:48-05:00 perimfw.X.Y 1,2022/11/06
07:37:47,012801088067,TRAFFIC,end,2561,
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.