[rsyslog-notify] Forum Thread: Action following matched regular expression not performed - (Mode 'post')
noreply at adiscon.com
Tue Mar 10 11:58:40 CET 2015
User: mountfa
Forumlink: http://kb.monitorware.com/viewtopic.php?p=25308#p25308
Message:
----------
Hi,
Would greatly appreciate if someone could aid with debugging the following
rsyslog configuration.
It is set up to receive traffic from remote hosts on UDP 51408, store all
data locally and then relay traffic matching an ereregex to a remote host,
spoofing the address of the original host.
So for example the host 10.10.10.10 would send a syslog to the server in
question on UDP 51408 and the server should then store it locally and if
the ereregex is matched forward the message on to 10.10.10.20 spoofing the
source address 10.10.10.10.
rsyslog config is as follows :-
#########################################################################
# Module Loading #
#########################################################################
module(load="imuxsock" SysSock.RateLimit.Interval="0") # support for local system logging (e.g. via logger command)
module(load="imklog") # kernel logging support (previously done by rklogd)
module(load="imudp") # UDP syslog reception
module(load="impstats" interval="600" severity="7") # support for rsyslog statistics counters
module(load="omudpspoof") # spoof the sender address via UDP forward
#########################################################################
# Global Directives #
#########################################################################
$umask 0000
#########################################################################
# Templates #
#########################################################################
template(name="FileFormat" type="list") {
    property(name="timereported")
    constant(value=" ")
    property(name="hostname")
    constant(value=" ")
    property(name="syslogtag")
    constant(value=" ")
    property(name="msg" spifno1stsp="on" )
    property(name="msg" droplastlf="on" )
    constant(value="\n")
}
template(name="DailyRemLog" type="string"
         string="/var/log/%FROMHOST-IP%/syslog.%$YEAR%-%$MONTH%-%$DAY%")
template(name="DailyLocLog" type="string"
         string="/var/log/localhost/syslog.%$YEAR%-%$MONTH%-%$DAY%")
template(name="spooftemplate" type="string" string="%rawmsg%")
#########################################################################
# Define remote ruleset #
#########################################################################
####################################
# Receive, Store + Spoof
ruleset(name="LSTN_13_1") {
    # store every received message locally, one directory per sending host
    action(type="omfile" dynaFile="DailyRemLog" template="FileFormat"
           fileOwner="root" fileGroup="cisco-asa" dirGroup="cisco-asa"
           dirCreateMode="0750" fileCreateMode="0640")
    # legacy property-based filter: ERE match on the message text
    :msg, ereregex, "ASA-.-(10[689]|20[124]|30[2-5]|31[46]|320|40[24-7]|50[012]|60[2789]|61[16]|620|70[23]|71[03-6]|72[235]|75[012]|737|11300[459]|11301[16])"
    {
        # relay to remote host
        action(type="omudpspoof" template="spooftemplate"
               target="10.10.10.20" port="514")
        stop
    }
}
#########################################################################
# Define listeners bound to the relevant ruleset #
#########################################################################
# eth0:1 10.10.10.5 port 51408
input(type="imudp" address="10.10.10.5" port="51408" ruleset="LSTN_13_1")
#### End ######
We are receiving the messages locally OK ... shown here :-
Mar 10 10:22:37 10.10.10.10 %ASA-6-302020: Built outbound ICMP connection for faddr 1.1.1.1/0 gaddr 1.1.1.2/57570 laddr 1.1.1.2/57570
Mar 10 10:22:37 10.10.10.10 %ASA-6-302021: Teardown ICMP connection for faddr 1.1.1.1/0 gaddr 1.1.1.2/57570 laddr 1.1.1.2/57570
and the string matches the ereregex, but we don't receive logs at 10.10.10.20,
and tcpdump shows that no logs are forwarded, so it seems that the action
statement to forward and spoof the log either does not execute or does not
work, and no logs are forwarded on.
Can anyone see anything I have done incorrectly above?
I have been staring at this for hours now and just can't see anything amiss.
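One way to narrow this down, as an added example rather than the poster's own config: keep the templates and listener above unchanged and replace only the ruleset, adding a plain omfile action inside the matched branch and naming the spoof action so the impstats module already loaded reports its counters. The file path /var/log/asa-matched.log and the action names are assumptions.

```conf
# Added debugging variant of the ruleset above (not the poster's config).
# Assumes the same FileFormat / DailyRemLog / spooftemplate templates and the
# same imudp listener. It separates "does the filter match?" from "does
# omudpspoof send?": if asa-matched.log fills while tcpdump stays silent, the
# regex and ruleset are fine and the fault is in the spoof action itself.
ruleset(name="LSTN_13_1") {
    # 1. unconditional local copy, exactly as before
    action(type="omfile" dynaFile="DailyRemLog" template="FileFormat"
           fileOwner="root" fileGroup="cisco-asa" dirGroup="cisco-asa"
           dirCreateMode="0750" fileCreateMode="0640"
           name="store-local")

    # 2. the same ERE as the post, written as a RainerScript if/then so the
    #    filter and its block form one statement and cannot be split by a
    #    wrapped line; re_match() uses POSIX extended regex like ereregex
    if re_match($msg, "ASA-.-(10[689]|20[124]|30[2-5]|31[46]|320|40[24-7]|50[012]|60[2789]|61[16]|620|70[23]|71[03-6]|72[235]|75[012]|737|11300[459]|11301[16])") then {

        # 2a. evidence that this branch executes: one line per matched
        #     message (assumed path)
        action(type="omfile" file="/var/log/asa-matched.log"
               template="FileFormat" name="asa-matched-marker")

        # 2b. the forwarding action under test. omudpspoof builds raw IP
        #     packets via libnet, so rsyslog needs raw-socket privilege on
        #     this host; with impstats every 600s, look for the counters of
        #     the action named below (processed / failed / suspended).
        action(type="omudpspoof" template="spooftemplate"
               target="10.10.10.20" port="514"
               name="spoof-to-10.10.10.20")

        stop
    }
}
```

Run rsyslogd in the foreground with debug output (rsyslogd -dn) after the change to see the config parse and each action's result at load time.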