[rsyslog-notify] Forum Thread: Filtering messages using RainerScript - (Mode 'post')
noreply at adiscon.com
Thu Feb 25 07:14:46 CET 2016
User: pmatil
Forumlink: http://kb.monitorware.com/viewtopic.php?p=26373#p26373
Message:
----------
Hello!
I'm using Rsyslog v8.4.2 on Debian Stable. I have an Asus router that sends
its firewall and kernel messages through UDP port 514 into the Debian
system. I have the following in my rsyslog.conf:
if $fromhost-ip == '192.168.90.100' and $msg contains ("DROP" and ("SRC=192.168.90.11" or "224.0.0.251")) then {
    stop
} else if $fromhost-ip == '192.168.90.100' and $msg contains "DROP" then {
    action(type="omfile" file="/var/log/asus_fw.log")
    stop
} else if $fromhost-ip == '192.168.90.100' and ($msg contains "start_vpnserver1" or $msg contains "VPN Server 1 already running") then {
    stop
} else if ($fromhost-ip == '192.168.90.100') then {
    action(type="omfile" file="/var/log/asus_kern.log")
    stop
}
As you can see, I receive messages from 192.168.90.100 (the router) and
then filter them using message content. But the problem is it's not
filtering them as it should. Rsyslog gives no error on startup.
The first filter works partly: messages containing DROP are directed to
asus_fw.log, but so are all the messages containing 192.168.90.11 or
224.0.0.251.
The next filter does not work at all: even though it should stop processing
messages that contain "start_vpnserver1" or "VPN Server 1 already running",
all those messages are still directed to asus_kern.log. It seems that all
the rules that have AND or OR do not get processed. Or I have the syntax
wrong. I have been trying to play around with the brackets but no effect.
I just can't figure out what the error is, can you help?
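The same filter chain written the way RainerScript's `contains` operator expects it, added here as an example and not taken from the poster or the thread: `contains` takes a single literal string on its right-hand side, so each substring test is spelled out on its own and the results are combined with `and` / `or`; the router address check is factored into one outer block so it is not repeated.

```rainerscript
# Added example (not from the original post). Host address, file names and
# match strings are those given in the thread.
if $fromhost-ip == '192.168.90.100' then {

    # Firewall drops that are only noise: one LAN host and mDNS multicast.
    # Each substring gets its own `contains`; parentheses force the OR to
    # be evaluated before the AND.
    if $msg contains "DROP" and
       ($msg contains "SRC=192.168.90.11" or $msg contains "224.0.0.251") then {
        stop
    }

    # Every other firewall drop goes to its own log file.
    if $msg contains "DROP" then {
        action(type="omfile" file="/var/log/asus_fw.log")
        stop
    }

    # VPN server start-up chatter is discarded.
    if $msg contains "start_vpnserver1" or
       $msg contains "VPN Server 1 already running" then {
        stop
    }

    # Everything else the router sends (kernel messages etc.).
    action(type="omfile" file="/var/log/asus_kern.log")
    stop
}

# Check the configuration parses before restarting the daemon:
#   rsyslogd -N1
```

`stop` discards the message at that point even inside a nested block, so the order of the inner tests is what decides which file a message lands in.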