[rsyslog-notify] Forum Thread: Filtering and forwarding based on message content - (Mode 'post')

noreply at adiscon.com noreply at adiscon.com
Fri Oct 24 16:23:46 CEST 2014


User: someadmin 
Forumlink: http://kb.monitorware.com/viewtopic.php?p=25042#p25042

Message: 
----------
Hi,

Sorry if this has been asked and answered before but I can't seem to find
any good examples of what I'm trying to do that I can understand.
Essentially, I need to monitor a number of hosts and centralise
security-type events on a central logstash/elasticsearch server. I'm using
Rsyslog 8.4.2 on CentOS 6.5 and basic functionality is there but I'm
obviously collecting events that I have no interest in so I could do with
some advice on the best way to filter and forward what I want and write the
rest to the local log directory.

I'd like to forward every event with a priority above info, for example,
but also drop messages (or rather write to the local log only) based on
certain keywords. I'm using a template to format JSON that is forwarded to
logstash.

Obviously I have to write a rule, or is that a ruleset and what's the
difference? If I understand what I've read so far correctly, I should be
using RainerScript instead of the old syntax ":msg, contains". My question
is, what would the rule look like? In the example below, what would a
suitable forwarding action be for the else clause that incorporates the
template I want to use and can I use as many of these rules in the config
file as I want? Is there a better way to define a series of events that I
don't want forwarded?

if $programname == 'something' then {
   action(type="omfile" file="/var/log/messages.log")
   if $msg contains 'info' then
     action(type="omfile" file="/var/log/messages.log")
   else
     action(type="omfwd" Target="192.168.2.11" Port="10514" Protocol="udp")
}

Thanks in advance.
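An added example of the kind of rule the post is asking about, written for rsyslog 8.x RainerScript; it is not from the forum post or from the rsyslog project. It reuses the post's logstash address 192.168.2.11:10514 and the local file /var/log/messages.log; the template name "json-logstash", its field layout, and the keyword and program names in the exclusion rule are assumptions to be replaced with real values. A "rule" is one filter plus its actions; a "ruleset" is a named group of rules bound to a particular input, and is only needed when different inputs should be handled differently. Rules at the top level of the file belong to the default ruleset, so any number of them can be listed in order, and a message passes through each in turn unless a rule ends with `stop`.

```conf
# Added example configuration (not from the forum post). Assumes: local inputs via
# imuxsock/imklog, template name "json-logstash", exclusion keywords "debug-noise"
# and program "ntpd", and the logstash endpoint 192.168.2.11:10514 from the post.
module(load="imuxsock")
module(load="imklog")

# JSON template sent to logstash. Field names are an assumption; format="json"
# escapes quotes and control characters in the message body so a crafted log
# line cannot break the JSON document or inject extra fields.
template(name="json-logstash" type="list") {
  constant(value="{")
  constant(value="\"@timestamp\":\"")  property(name="timereported" dateFormat="rfc3339")
  constant(value="\",\"host\":\"")     property(name="hostname")
  constant(value="\",\"severity\":\"") property(name="syslogseverity-text")
  constant(value="\",\"facility\":\"") property(name="syslogfacility-text")
  constant(value="\",\"program\":\"")  property(name="programname")
  constant(value="\",\"message\":\"")  property(name="msg" format="json")
  constant(value="\"}\n")
}

# Rule 1: every message is kept locally first, so nothing is lost even if a
# later rule decides not to forward it.
action(type="omfile" file="/var/log/messages.log")

# Rule 2: keyword/program based exclusions. "stop" ends processing for this
# message, so it is local-only and never reaches the forwarding rule below.
# Add further "if ... then stop" lines for each class of event to keep local.
if ($msg contains "debug-noise" or $programname == "ntpd") then stop

# Rule 3: forward everything more severe than info. Severity codes run
# 0 (emerg) .. 7 (debug), so "above info" means syslogseverity <= 5 (notice
# and stricter). The template parameter applies the JSON format to this action only.
if $syslogseverity <= 5 then {
  action(type="omfwd"
         target="192.168.2.11" port="10514" protocol="udp"
         template="json-logstash"
         queue.type="linkedlist" queue.size="10000"
         action.resumeRetryCount="-1")
}
```

The ordering matters: because the omfile action comes first and the exclusions use `stop`, a message that matches an exclusion is written locally and then dropped, while everything else continues to the severity check. The queue parameters on the forwarding action buffer events if the logstash host is unreachable, which is worth having when the forwarded stream is used for security monitoring. The whole file can be checked before restarting the daemon with `rsyslogd -N1 -f <file>`.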
