[rsyslog] omrelp and filtering

Rainer Gerhards rgerhards at hq.adiscon.com
Wed May 3 12:31:23 CEST 2017


Well, it is

filter action

For any part, you can pick whatever you like.

So

*.* action()

works. Filter syntax is here:

http://www.rsyslog.com/doc/v8-stable/configuration/filters.html

HTH
Rainer

2017-05-03 12:28 GMT+02:00 Stuart Longland <stuartl at vrt.com.au>:
> Hi all,
>
> This is a bit of a dumb question… but I have hunted high and low, and
> haven't found an answer.  We at the moment use RELP/TLS to transfer logs
> around, and this works well, but we have a need to filter what gets
> passed upstream.
>
> We use the new filter syntax:
>> module(load="omrelp")
>> action(
>>     type="omrelp"
>>     target="10.20.30.1"
>>     port="32514" tls="on"
>>     tls.authMode="fingerprint"
>>     tls.caCert="/etc/rsyslog/ca.pem"
>>     tls.myCert="/etc/rsyslog/client.pem"
>>     tls.myPrivKey="/etc/rsyslog/client.key"
>>     tls.permittedpeer=[
>>         "SHA1:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67"
>> ])
>>
>> # Use fully qualified name in forwarded logs
>> $PreserveFQDN on
>
> Now, the filter examples use a totally different syntax which I
> understand comes from traditional syslog:
>
>> *.*  :omrelp:<server>:<port>;<template>
> (from the omrelp page)
>
> I'm guessing the modern equivalent is not:
>
> *.* action(…)
>
> or I'd see examples along those lines.  How does one apply one of the
> filter conditions to an action like the one above?
>
> Regards,
> --
> ##   -,-''''-. ###### Stuart Longland, Programmer/Network Admin
> ##.  :  ##   :   ##   38b Douglas Street
>  ## #  ## -'`   .#'   Milton, QLD, 4064
>  '#'  *'   '-.  *'    http://www.vrt.com.au
>      S Y S T E M S    T: +61 7 3535 9619   F: +61 7 3535 9699
>
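
The "filter action" pattern from the reply, applied to the omrelp action from the question. This is an added example, not configuration posted by either participant; the ruleset name "upstream" and the facilities, program name and severity used in the filters are assumptions chosen for illustration. Wrapping the action in a ruleset defines the RELP/TLS connection once, so each filter only needs a `call`.

```conf
module(load="omrelp")

# Use fully qualified name in forwarded logs
$PreserveFQDN on

# The action from the question, defined once inside a ruleset.
# "upstream" is an illustrative name, not from the thread.
ruleset(name="upstream") {
    action(
        type="omrelp"
        target="10.20.30.1"
        port="32514" tls="on"
        tls.authMode="fingerprint"
        tls.caCert="/etc/rsyslog/ca.pem"
        tls.myCert="/etc/rsyslog/client.pem"
        tls.myPrivKey="/etc/rsyslog/client.key"
        tls.permittedpeer=[
            "SHA1:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67"
        ])
}

# Enable ONE of the three filter styles below. A message that matches
# several enabled filters is forwarded once per match.

# 1. Traditional selector (facility.priority): only authentication logs
#    go upstream. Replace with *.* to forward everything.
auth,authpriv.*    call upstream

# 2. Property-based filter: only messages from one program (assumed: sshd).
# :programname, isequal, "sshd"    call upstream

# 3. Expression-based filter: warning and more severe (severity 0-4),
#    from any facility.
# if ($syslogseverity <= 4) then {
#     call upstream
# }
```

Running `rsyslogd -N1` against the file checks the syntax before the daemon is restarted.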
