[rsyslog-notify] Forum Thread: Re: Filtering on Multiple Network Device Types Does Not Work - (Mode 'reply')
noreply at adiscon.com
Thu Dec 31 07:29:28 CET 2015
User: miles
Forumlink: http://kb.monitorware.com/viewtopic.php?p=26260#p26260
Message:
----------
Hi David,
Your last post did the trick. Now that I've thrown the incoming events into
the template "RSYSLOG_DebugFormat", I can clearly see what fields /
variables each message is broken into.
So my issue was not really the formatting of the ruleset or the nesting,
but rather knowing exactly what expressions to use, and what field /
variable it belongs to - as you suggested, "SFIMS" certainly was
$programname and not $msg.
I was also able to make it more streamlined. It needs more validation, but
this config formatting appears to be working fine. Also, leaving the
RSYSLOG_DebugFormat template on the "catchall" at the bottom will allow me
to quickly check any new devices logging to the server and easily add them to
the config if they have new message formatting.
Appreciate your assistance.
[code]
# Save in new logging directory at: /var/log/splunk
#
# The "rsyslog-fmt" template is defined elsewhere in the config;
# RSYSLOG_DebugFormat is built in and prints every property of the event.
ruleset(name="network-logs") {
    # Cisco ASA: the "%ASA-<level>-<id>" message ID sits in the message body
    if $msg contains "ASA-" then {
        action(type="omfile" file="/var/log/splunk/cisco-firewall.log" template="rsyslog-fmt")
        stop
    }
    # Sourcefire: "SFIMS" is the syslog tag, so test $programname rather than $msg
    if $programname contains "SFIMS" then {
        action(type="omfile" file="/var/log/splunk/cisco-sourcefire.log" template="rsyslog-fmt")
        stop
    }
    # Check Point: CEF-formatted message body
    if $msg contains "CEF" then {
        action(type="omfile" file="/var/log/splunk/checkpoint-firewall.log" template="rsyslog-fmt")
        stop
    }
    # Catch the remaining log events which passed through our filters.
    # The debug template shows every property, so a new device's message
    # layout can be read off this file before a filter is written for it.
    action(type="omfile" file="/var/log/splunk/uncategorised.log" template="RSYSLOG_DebugFormat")
    stop
}
[/code]
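The point of the thread is that a `contains` filter only works if you test the property the token actually lands in. The following is an added example, not code from the post or from rsyslog: a small simulator that splits constructed RFC 3164 lines into rsyslog-style `$programname` and `$msg` properties with a deliberately simple parser, then applies the three filters in the post's order with first-match-wins ("stop") semantics and drops everything else on the catchall. The device names, hostnames, addresses and log bodies are all constructed for the example; the fourth sample shows the edge case where the same Check Point event arrives with "CEF" as the syslog tag instead of in the body, so the `$msg` filter misses it and only the debug-format catchall reveals why.

```python
"""Simulate the property routing of the rsyslog ruleset in the post above.

Added example, not code from the forum post or from rsyslog itself. A
deliberately small RFC 3164 parser splits each line into the rsyslog-style
properties the ruleset tests ($programname, $msg), then the filters are
applied in order with first-match-wins ("stop") semantics. All log lines
are constructed for this example.
"""
from typing import Dict, List, Tuple

# Same order as the ruleset: (property tested, substring, destination file).
RULES: List[Tuple[str, str, str]] = [
    ("msg", "ASA-", "/var/log/splunk/cisco-firewall.log"),
    ("programname", "SFIMS", "/var/log/splunk/cisco-sourcefire.log"),
    ("msg", "CEF", "/var/log/splunk/checkpoint-firewall.log"),
]
CATCHALL = "/var/log/splunk/uncategorised.log"

# Constructed sample input, layout '<PRI>Mon DD HH:MM:SS host TAG: message'.
SAMPLES: List[str] = [
    # Cisco ASA with an empty TAG slot, so the %ASA-... ID stays in the body.
    "<166>Dec 30 14:01:02 fw01 : %ASA-6-302013: Built outbound TCP connection 12345 "
    "for outside:203.0.113.9/53 (203.0.113.9/53) to inside:10.0.0.5/51234 (192.0.2.1/51234)",
    # Sourcefire: 'SFIMS' is the TAG, i.e. $programname, and never part of $msg.
    "<14>Dec 30 14:01:05 sfims01 SFIMS: [1:2020000:1] 'Constructed test rule' "
    "[Impact: Unknown] [Priority: 3] {TCP} 10.0.0.5:51234->10.0.0.9:80",
    # Check Point CEF carried behind a separate TAG, so 'CEF' is in $msg.
    "<134>Dec 30 14:01:07 cpfw01 fw1: CEF:0|Check Point|VPN-1 & FireWall-1|R77|Accept|"
    "Accept|Low|act=Accept src=10.0.0.5 dst=203.0.113.9",
    # Same event with 'CEF' itself as the TAG: the $msg filter no longer matches.
    "<134>Dec 30 14:01:08 cpfw02 CEF:0|Check Point|VPN-1 & FireWall-1|R77|Accept|"
    "Accept|Low|act=Accept src=10.0.0.6 dst=203.0.113.9",
    # Ordinary Linux host; nothing matches, so it falls through to the catchall.
    "<38>Dec 30 14:01:09 host1 sshd[1234]: Accepted publickey for ops from 10.0.0.7 port 55000 ssh2",
]


def parse_rfc3164(line: str) -> Dict[str, str]:
    """Approximate rsyslog's RFC 3164 parsing: TAG runs up to the first ':' or
    space, $programname is the TAG without any '[pid]', $msg is what follows."""
    if not line.startswith("<") or ">" not in line:
        raise ValueError("missing <PRI> header: %r" % line)
    pri_end = line.index(">")
    pri = int(line[1:pri_end])
    rest = line[pri_end + 1:]
    timestamp, rest = rest[:15], rest[16:]          # 'Mon DD HH:MM:SS' + space
    hostname, _, rest = rest.partition(" ")
    ends = [i for i in (rest.find(":"), rest.find(" ")) if i >= 0]
    cut = min(ends) if ends else len(rest)
    tag, msg = rest[:cut], rest[cut:]
    if msg.startswith(":"):                          # the ':' belongs to the TAG
        msg = msg[1:]
    return {
        "facility": str(pri // 8), "severity": str(pri % 8),
        "timestamp": timestamp, "hostname": hostname, "syslogtag": tag,
        "programname": tag.split("[", 1)[0], "msg": msg,
    }


def route(props: Dict[str, str]) -> str:
    """First matching filter wins; 'stop' means no later filter sees the event."""
    for prop, needle, target in RULES:
        if needle in props[prop]:
            return target
    return CATCHALL


def debug_format(props: Dict[str, str]) -> str:
    """Simplified analogue of RSYSLOG_DebugFormat: one property per line, so the
    fields of an unrecognised device can be read off the catchall file."""
    return "\n".join("%s: '%s'" % (k, v) for k, v in props.items())


def classify(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (line, destination file) for every input line."""
    return [(line, route(parse_rfc3164(line))) for line in lines]


if __name__ == "__main__":
    for line, target in classify(SAMPLES):
        print(target, "<-", line[:60])
    print("\nCatchall entries as the debug template would show them:")
    for line, target in classify(SAMPLES):
        if target == CATCHALL:
            print(debug_format(parse_rfc3164(line)), end="\n\n")
```

Running it routes the first three samples to their device files and sends the tag-form CEF line and the sshd line to the catchall; the dumped properties for the CEF line show "CEF" under `programname` with a body that never contains it, which is exactly the kind of mismatch the debug-format catchall is there to surface before a new filter is written.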
More information about the rsyslog-notify mailing list