[rsyslog] Property filters with multiple regex requirements

Tim Mori Tim.Mori at sas.com
Fri Jan 6 21:56:41 CET 2017

I'm trying to upgrade an older configuration and the way the previous maintainer set things up may be preventing me from achieving a few goals.

What I want to do is split incoming logs into a few buckets: VMware logs, Windows logs, and then everything else. In the past there were just two, so the original rsyslog rules were set up to process the WinEvent log and then everything else by simply:

## Everything else
:rawmsg, !regex, "MSWinEventLog" {
    action(type="omfile"
           File="/var/rsyslog/work/everything"
           DirCreateMode="0755" FileCreateMode="0644"
           ioBufferSize="64k"
           queue.filename="disk-queue2" queue.size="1000000"
           queue.spoolDirectory="/var/rsyslog/work" queue.type="LinkedList")
}

My question is can the "everything else" handle more than one property filter? If so, what would be the correct syntax for something like:

      :rawmsg, !regex, "MSWinEventLog" OR :fromhost-ip !startwith "10.10."

I suppose the other method is with an if/then/else statement, but I could not find out how, or whether, you can use that within a ruleset.

I'm hoping to achieve this without opening more ports because I work in a large production environment with a lot of network security layers and getting more ports open to and from a lot of different subnets takes a lot of time to get approved and implemented. But I know using multiple ports would simplify things and if that's the only way to do it, I'll have to head down that path.
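For reference, an added example that is not part of the original post and not taken from the rsyslog documentation: the same three-way split written as a RainerScript expression filter. The classic `:property, compare-op, "value"` filter line evaluates exactly one condition, so once a rule needs two or more tests the expression form (`if ... then ... else if ... else`) is the one to use, and it is valid inside a `ruleset(...)` block. The `10.10.` prefix, the `/var/rsyslog/work` paths and the queue settings follow the post; the `vmware` and `windows` bucket names, the `split` ruleset name, the choice to identify VMware hosts by source address, and the UDP listener on port 514 are assumptions for illustration.

```rsyslog
# Added example (not the original configuration): three buckets from one
# listener, using an if / else-if / else chain instead of several
# single-condition property filters.
#
# Assumptions: Windows hosts are identified by "MSWinEventLog" in the raw
# message (as in the existing rule), VMware hosts by a source address in
# 10.10.0.0/16 (the prefix from the post). Bucket paths are illustrative.
#
# Note the operator spelling: RainerScript uses "startswith" and "contains";
# re_match() gives the regex equivalent of the old ":rawmsg, regex, ..." test.

ruleset(name="split") {

    # Bucket 1: Windows event logs, matched on message content.
    # re_match($rawmsg, "MSWinEventLog") would be the literal regex form;
    # "contains" is cheaper for a fixed substring.
    if $rawmsg contains "MSWinEventLog" then {
        action(type="omfile" File="/var/rsyslog/work/windows"
               DirCreateMode="0755" FileCreateMode="0644" ioBufferSize="64k"
               queue.type="LinkedList" queue.filename="disk-queue-windows"
               queue.spoolDirectory="/var/rsyslog/work" queue.size="1000000")

    # Bucket 2: VMware hosts, matched on the sender's address.
    # Conditions can be combined with and / or / not, e.g.
    #   if $fromhost-ip startswith "10.10." and not ($rawmsg contains "MSWinEventLog") then ...
    # but the else-if chain already guarantees Windows messages never reach here.
    } else if $fromhost-ip startswith "10.10." then {
        action(type="omfile" File="/var/rsyslog/work/vmware"
               DirCreateMode="0755" FileCreateMode="0644" ioBufferSize="64k"
               queue.type="LinkedList" queue.filename="disk-queue-vmware"
               queue.spoolDirectory="/var/rsyslog/work" queue.size="1000000")

    # Bucket 3: the true remainder. No negated filter has to be written;
    # "else" is everything the two tests above did not claim.
    } else {
        action(type="omfile" File="/var/rsyslog/work/everything"
               DirCreateMode="0755" FileCreateMode="0644" ioBufferSize="64k"
               queue.type="LinkedList" queue.filename="disk-queue-everything"
               queue.spoolDirectory="/var/rsyslog/work" queue.size="1000000")
    }
}

# Bind the existing listener to the ruleset. One port, one ruleset, three
# destinations: no additional ports or inputs are needed for the split.
module(load="imudp")
input(type="imudp" port="514" ruleset="split")
```

Two practical points. Each disk-assisted action queue needs its own `queue.filename`; reusing `disk-queue2` for more than one action would make them share spool files. And `$fromhost-ip` is simply the source address of the packet: over UDP it can be spoofed, so if the VMware bucket is meant as a trust boundary (for example, it feeds an alerting pipeline), the hosts in `10.10.` should be sending over TCP or TLS (`imtcp`) rather than UDP before the address is relied on for classification.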


