[rsyslog] Property filters with multiple regex requirements

David Lang david at lang.hm
Fri Jan 6 22:18:44 CET 2017


On Fri, 6 Jan 2017, Tim Mori via rsyslog wrote:

> Date: Fri, 6 Jan 2017 20:56:41 +0000
> From: Tim Mori via rsyslog <rsyslog at lists.adiscon.com>
> To: "rsyslog at lists.adiscon.com" <rsyslog at lists.adiscon.com>
> Cc: Tim Mori <Tim.Mori at sas.com>
> Subject: [rsyslog] Property filters with multiple regex requirements
> 
> I'm trying to upgrade an older configuration and the way the previous maintainer set things up may be preventing me from achieving a few goals.
>
>
> What I want to do is split logs coming in into a few buckets, VMware logs, Windows Logs and then everything else. In the past it was just two, so the original rsyslog rules were set up to process the WinEvent log and then everything else by simply:
>
>
>
> ## Everything else
>        :rawmsg, !regex, "MSWinEventLog" {
>            action(type="omfile" File="/var/rsyslog/work/everything"
>                   DirCreateMode="0755" FileCreateMode="0644" ioBufferSize="64k"
>                   queue.filename="disk-queue2" queue.size="1000000"
>                   queue.spoolDirectory="/var/rsyslog/work" queue.type="LinkedList")
>        }
>
> My question is can the "everything else" handle more than one property filter? If so, what would be the correct syntax for something like:
>
>      :rawmsg, !regex, "MSWinEventLog"? OR :fromhost-ip !startwith "10.10."
>
>
> I suppose the other method is with if, then, else statement, but I could not find out how or whether you can use that within a ruleset.

Everything works the same way inside a ruleset.

You cannot do an OR in that syntax; you would have to do

if $programname == "MSWinEventLog" or $fromhost-ip startswith "10.10" then <action>

or (what I think you are really going for)

if $programname == "MSWinEventLog" then {
    actions
}
else if $fromhost-ip startswith "10.10" then {
    actions
}

David Lang
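A complete configuration for the three-bucket split the thread is about, written in the RainerScript if/else-if/else form David recommends. This is an added example, not code from the thread or from the rsyslog project; it reuses the file path, permissions and queue parameters from the original "everything else" rule, while the ruleset name, the winevent/vmware file names, the template, the listener ports and the "10.10." prefix test (taken from the question, with the trailing dot kept) are assumptions. The second ruleset shows the single-condition `or` form from David's first suggestion.

```rsyslog
# Added example (not from the original thread): split incoming messages
# into three files with RainerScript instead of the legacy
# ":property, !regex, ..." filter, which cannot express OR.

module(load="imudp")
module(load="imtcp")

# Keep the original timestamp, sender address and raw message in each bucket
# file so the split does not discard anything needed for later investigation.
template(name="bucketfmt" type="string"
         string="%timegenerated% %fromhost-ip% %rawmsg%\n")

ruleset(name="split_buckets") {

    # Bucket 1: Windows event logs, identified by a fixed token in the raw
    # message. "contains" is enough for a literal string and is cheaper than a
    # regex; re_match($rawmsg, "MSWinEventLog") would work as well.
    if $rawmsg contains "MSWinEventLog" then {
        action(type="omfile" file="/var/rsyslog/work/winevent"
               template="bucketfmt"
               dirCreateMode="0755" fileCreateMode="0644" ioBufferSize="64k"
               queue.type="LinkedList" queue.filename="disk-queue-win"
               queue.size="1000000" queue.spoolDirectory="/var/rsyslog/work")
    }

    # Bucket 2: VMware hosts, identified by sender address. The trailing dot
    # matters: "10.10" alone would also match 10.100.0.0/16 and 10.101.x.x.
    # $fromhost-ip is taken from the packet source, which any host on the
    # network can forge over UDP, so use it as a routing hint, not as proof
    # of where a message came from.
    else if $fromhost-ip startswith "10.10." then {
        action(type="omfile" file="/var/rsyslog/work/vmware"
               template="bucketfmt"
               dirCreateMode="0755" fileCreateMode="0644" ioBufferSize="64k"
               queue.type="LinkedList" queue.filename="disk-queue-vmw"
               queue.size="1000000" queue.spoolDirectory="/var/rsyslog/work")
    }

    # Bucket 3: everything else (same parameters as the original rule).
    else {
        action(type="omfile" file="/var/rsyslog/work/everything"
               template="bucketfmt"
               dirCreateMode="0755" fileCreateMode="0644" ioBufferSize="64k"
               queue.type="LinkedList" queue.filename="disk-queue2"
               queue.size="1000000" queue.spoolDirectory="/var/rsyslog/work")
    }
}

# The single-condition form: both sources into one file, the rest dropped
# into a separate ruleset-local default. Shown for comparison with the
# else-if chain above; only one of the two rulesets needs to be bound.
ruleset(name="win_or_vmware") {
    if $rawmsg contains "MSWinEventLog" or $fromhost-ip startswith "10.10." then {
        action(type="omfile" file="/var/rsyslog/work/win_and_vmware"
               template="bucketfmt"
               dirCreateMode="0755" fileCreateMode="0644")
        stop    # matched: do not fall through to the catch-all below
    }
    action(type="omfile" file="/var/rsyslog/work/everything"
           template="bucketfmt"
           dirCreateMode="0755" fileCreateMode="0644")
}

# Bind the listeners to the ruleset; messages from these inputs never touch
# the main ruleset, so no global filter can accidentally duplicate them.
input(type="imudp" port="514" ruleset="split_buckets")
input(type="imtcp" port="514" ruleset="split_buckets")
```

Check the syntax before deploying with `rsyslogd -N1 -f <file>`, which parses the configuration and reports errors without starting the daemon. In the if/else-if/else chain no `stop` is needed, because exactly one branch runs; in the flat `or` form the `stop` is what keeps a matched message out of the catch-all action, and leaving it out is the usual cause of the same line appearing in two bucket files. Matching on `$rawmsg` rather than `$programname` keeps the example faithful to the original rule, which looked for the token anywhere in the raw message rather than in the syslog tag.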

