[rsyslog-notify] Forum Thread: Filtering on Multiple Network Device Types Does Not Work - (Mode 'post')
noreply at adiscon.com
Thu Dec 31 03:30:03 CET 2015
User: miles
Forumlink: http://kb.monitorware.com/viewtopic.php?p=26256#p26256
Message:
----------
I'm using an RSyslog (8.14.0) server as a central log storage facility,
and I want the RSyslog server to sort each inbound event into a local log
based on the contents of the messages (not from-IP/host based).
For example, all Cisco ASA firewalls contain the text "%ASA-" and should go
into the "cisco-firewall.log" file, and CheckPoint firewalls are outputting CEF
format and have "CEF" in the message, so they should be forwarded to
"checkpoint-firewall.log".
I've gone through all the documentation and converted everything to the new
configuration settings; however, I can only get the inbound events to filter
into the first and last log file, i.e. "%ASA-" is successfully logged into
"cisco-firewall.log", but all other events end up in the "catchall"
uncategorised.log file, even if they match some of the earlier
expressions.
Can someone please check my "ruleset (name="network-logs")" section and see
if there are any errors, whether it is written incorrectly, or whether there is a
better / more recommended way to achieve my event filtering using the latest
configuration standards?
# File: "splunk.conf"
# Location: "/etc/rsyslog.d/"
# Author: Miles Brennan
# Date: 29 Dec 2015
# Ver: 0.2
#
#
# Prerequisites:
# Splunk is running as Linux user:        adduser splunk
# Add "splunk" user to syslog groups:     usermod -G sys,adm,syslog splunk
# Create logging directory for Splunk:    mkdir /var/log/splunk
# Set permissions for log directory:      chown -R syslog:adm /var/log/splunk /home/splunk
#
# Set up log file rotation and compression for the new RSyslog files.
#
# vi /etc/logrotate.d/splunk
#/var/log/splunk/*.log {
#    daily
#    missingok
#    rotate 14
#    compress
#    notifempty
#    nocreate
#}

# Load the RSyslog modules needed for inbound connections
#
module(load="imudp")
module(load="imtcp")

# Define the RSyslog logging format for writing events to syslog.
template(name="rsyslog-fmt" type="string"
         string="%TIMESTAMP% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
)

# Review all incoming message streams and deliver each message to the
# appropriate log file, as per RegEx.
#
# Save in new logging directory at: /var/log/splunk
#
ruleset(name="network-logs") {
    if ($msg contains "%ASA-") then {
        action(type="omfile" file="/var/log/splunk/cisco-firewall.log" template="rsyslog-fmt")
        stop
    }
    else if ($msg contains "SFIMS") then {
        action(type="omfile" file="/var/log/splunk/cisco-sourcefire.log" template="rsyslog-fmt")
        stop
    }
    else if ($msg contains "CEF") then {
        action(type="omfile" file="/var/log/splunk/checkpoint-firewall" template="rsyslog-fmt")
        stop
    }
    else {
        action(type="omfile" file="/var/log/splunk/uncategorised.log" template="rsyslog-fmt")
        stop
    }
}

# Splunk Universal Forwarder - Input Configuration (On Deployment Server)
# File: cisco-firewall.log     Sourcetype: Cisco ASA Firewalls
# File: cisco-sourcefire.log   Sourcetype: Cisco SourceFire
# File: checkpoint.log         Sourcetype: Checkpoint Firewalls

# Bind the UDP module for inbound connections on port 514,
# and apply the "network-logs" ruleset to all incoming messages.
#
input(type="imudp" port="514" ruleset="network-logs")

# Bind the TCP module for inbound connections on port 10514,
# and apply the "network-logs" ruleset to all incoming messages.
#
input(type="imtcp" port="10514" ruleset="network-logs")
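As an added diagnostic, not part of the original post or of rsyslog's own configuration: a temporary ruleset that first writes every inbound event with rsyslog's built-in RSYSLOG_DebugFormat template, which dumps each parsed property (msg, syslogtag, hostname, rawmsg) so you can see which property actually holds the keyword, and then repeats the same routing tests against the complete rawmsg property instead of only the MSG part. It assumes the "rsyslog-fmt" template from the post is already defined; the debug.log path and the ruleset name are assumptions.

```conf
# Added diagnostic ruleset (not from the original post). Point the inputs at
# it temporarily instead of "network-logs", then send a few test events
# from the same host with util-linux logger, e.g.
#   logger -n 127.0.0.1 -P 514 -d 'CEF:0|CheckPoint|VPN-1|R77|test|test|3|'
#   logger -n 127.0.0.1 -P 514 -d '%ASA-6-302013: Built outbound TCP connection'
# and compare what lands in debug.log with the contains() tests below.
ruleset(name="network-logs-debug") {

    # RSYSLOG_DebugFormat is a built-in template that prints every
    # message property on its own line, so the file shows whether the
    # keyword ended up in msg, in syslogtag, or only in rawmsg.
    action(type="omfile" file="/var/log/splunk/debug.log"
           template="RSYSLOG_DebugFormat")

    # Same routing as the original ruleset, but tested against rawmsg
    # (the complete line as received) rather than msg (what is left after
    # the parser has split off PRI, timestamp, hostname and tag). A keyword
    # that the parser treated as part of the tag is then still matched.
    if ($rawmsg contains "%ASA-") then {
        action(type="omfile" file="/var/log/splunk/cisco-firewall.log"
               template="rsyslog-fmt")
        stop
    }
    else if ($rawmsg contains "SFIMS") then {
        action(type="omfile" file="/var/log/splunk/cisco-sourcefire.log"
               template="rsyslog-fmt")
        stop
    }
    else if ($rawmsg contains "CEF") then {
        action(type="omfile" file="/var/log/splunk/checkpoint-firewall.log"
               template="rsyslog-fmt")
        stop
    }
    else {
        action(type="omfile" file="/var/log/splunk/uncategorised.log"
               template="rsyslog-fmt")
        stop
    }
}

# Temporarily bind both inputs to the debug ruleset; switch back to
# "network-logs" once the property dump has shown where each keyword sits.
input(type="imudp" port="514"   ruleset="network-logs-debug")
input(type="imtcp" port="10514" ruleset="network-logs-debug")
```

Remove the debug action again once the question is settled, since RSYSLOG_DebugFormat writes several lines per event and the file grows quickly.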