[rsyslog-notify] Forum Thread: Filter Not Working - (Mode 'post')
noreply at adiscon.com
Mon Mar 6 17:53:31 CET 2017
User: nulls
Forumlink: http://kb.monitorware.com/viewtopic.php?p=27173#p27173
Message:
----------
I am using rsyslog version 8.24 and am using filters to set up forwarding
of certain logs to my SIEM. I have run into an issue where I am attempting
to filter out firewall logs from trusted zones from being forwarded.
Here is an example log that I don't want forwarded to the SIEM but logged in
syslog:
<14>1 2017-03-06T15:22:19.802Z srx_device_1
RT_FLOW - RT_FLOW_SESSION_CREATE
[junos@2636.1.1.1.2.49
source-address="10.1.1.1" source-port="39585"
destination-address="10.2.2.2" destination-port="53"
service-name="junos-dns-udp" nat-source-address="10.1.1.1"
nat-source-port="39585" nat-destination-address="10.2.2.2"
nat-destination-port="53" src-nat-rule-type="N/A" src-nat-rule-name="N/A"
dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="17"
policy-name="TRUST-TO-TRUST" source-zone-name="TRUST"
destination-zone-name="TRUST" session-id-32="12345678" username="N/A"
roles="N/A" packet-incoming-interface="eth2.2" application="UNKNOWN"
nested-application="UNKNOWN" encrypted="UNKNOWN"]
To accomplish this I am trying to use this filter:
if $msg contains ['TRUST_TO_TRUST',
'TRUST-TO-TRUST',
'TRUST-TRUST'
] then {
action(type="omfile"
dynafile="DynFile"
dirCreateMode="0700"
fileCreateMode="0644"
TEMPLATE="RSYSLOG_SyslogProtocol23Format"
dynaFileCacheSize="20000"
)
} else if $hostname contains 'srx' then {
action(type="omfile"
dynafile="DynFile"
dirCreateMode="0700"
fileCreateMode="0644"
TEMPLATE="RSYSLOG_SyslogProtocol23Format"
dynaFileCacheSize="20000"
)
action(type="omudpspoof"
target="10.10.10.1"
port="514"
template="RSYSLOG_SyslogProtocol23Format"
)
} else {
action(type="omfile"
dynafile="DynFile"
template="RSYSLOG_TraditionalFileFormat"
dirCreateMode="0700"
fileCreateMode="0644"
dynaFileCacheSize="20000"
)
}
It is also probably worth noting that there are more than just SRX logs
going to this syslog server. My problem is that all of the logs with the
policy of trust to trust are not getting caught by the first filter and are
being forwarded to the SIEM. That would mean the second filter that looks
at $hostname is what is catching and forwarding. Is $msg not the proper
variable to use here and if not what should I be using to look for that
policy field?
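Added example (not part of the forum post, and not rsyslog code): a small RFC 5424 splitter written in Python that breaks the sample line above into its header, STRUCTURED-DATA block and MSG part, then models which rsyslog property a `contains` check against the policy name would match on. The property mapping is an assumption taken from the rsyslog property documentation ($msg holds only the MSG part after the structured data, $structured-data holds the SD block, $rawmsg the whole line); the sample is a constructed copy of the posted message with the SD-ID written as `junos@2636.1.1.1.2.49`, on the assumption that the list archive rewrote "@" as " at ". Because this message carries its fields entirely inside the SD element and has no MSG part, a check on $msg sees an empty string.

```python
import re

# Constructed sample: the session-create message from the post on one line,
# SD-ID restored to "junos@..." (assumption: the archive munged the "@").
SAMPLE = (
    '<14>1 2017-03-06T15:22:19.802Z srx_device_1 RT_FLOW - RT_FLOW_SESSION_CREATE '
    '[junos@2636.1.1.1.2.49 source-address="10.1.1.1" source-port="39585" '
    'destination-address="10.2.2.2" destination-port="53" '
    'service-name="junos-dns-udp" src-nat-rule-type="N/A" protocol-id="17" '
    'policy-name="TRUST-TO-TRUST" source-zone-name="TRUST" '
    'destination-zone-name="TRUST" session-id-32="12345678" '
    'packet-incoming-interface="eth2.2"]'
)

# Second constructed line: an SD param with escaped quotes AND a free-text MSG part.
SAMPLE_WITH_MSG = (
    '<34>1 2017-03-06T15:23:00Z host1 app - ID7 [ex@1 k="a \\"b\\" c"] hello world'
)

# RFC 5424 HEADER: PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<version>\d) (?P<timestamp>\S+) (?P<hostname>\S+) '
    r'(?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) '
)
# SD-PARAM: PARAM-NAME="PARAM-VALUE", value may contain \" \] \\ escapes
PARAM_RE = re.compile(r'(?P<name>[^\s=\]"]+)="(?P<value>(?:[^"\\]|\\.)*)"')


def _unescape(value):
    # RFC 5424 escapes exactly three characters inside PARAM-VALUE: " \ ]
    return re.sub(r'\\([\\"\]])', r'\1', value)


def parse_structured_data(text):
    """Split leading STRUCTURED-DATA into {sd_id: {param: value}}.
    Returns (elements, remainder); remainder is whatever follows the SD block."""
    if text.startswith('-'):            # NILVALUE: no structured data
        return {}, text[1:]
    elements, pos = {}, 0
    while pos < len(text) and text[pos] == '[':
        end = pos
        while True:                      # find a ']' not escaped by an odd run of '\'
            end = text.index(']', end + 1)
            run = len(text[:end]) - len(text[:end].rstrip('\\'))
            if run % 2 == 0:
                break
        sd_id, _, params = text[pos + 1:end].partition(' ')
        elements[sd_id] = {m.group('name'): _unescape(m.group('value'))
                           for m in PARAM_RE.finditer(params)}
        pos = end + 1
    return elements, text[pos:]


def parse_rfc5424(line):
    """Parse one RFC 5424 line into header fields, SD elements and the MSG part."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError('not an RFC 5424 header: %r' % line[:40])
    fields = m.groupdict()
    fields['pri'] = int(fields['pri'])
    rest = line[m.end():]
    elements, remainder = parse_structured_data(rest)
    fields['structured_data'] = elements
    fields['sd_raw'] = rest[:len(rest) - len(remainder)]
    fields['msg'] = remainder[1:] if remainder.startswith(' ') else remainder
    fields['rawmsg'] = line
    return fields


def rsyslog_property(parsed, name):
    """Model of what rsyslog exposes under a property name for a 5424 message
    (assumption based on the rsyslog property docs, not rsyslog's own code)."""
    return {
        'msg': parsed['msg'],
        'structured-data': parsed['sd_raw'],
        'rawmsg': parsed['rawmsg'],
        'hostname': parsed['hostname'],
        'msgid': parsed['msgid'],
    }[name]


TRUSTED_POLICY_NAMES = ['TRUST_TO_TRUST', 'TRUST-TO-TRUST', 'TRUST-TRUST']


def contains_any(text, needles):
    # Same semantics as the RainerScript `contains [ ... ]` array form
    return any(n in text for n in needles)


def filter_verdicts(line):
    """Which property would a policy-name `contains` check match on for this line?"""
    parsed = parse_rfc5424(line)
    return {p: contains_any(rsyslog_property(parsed, p), TRUSTED_POLICY_NAMES)
            for p in ('msg', 'structured-data', 'rawmsg')}


def is_intra_trust(parsed, zone='TRUST'):
    """Field-level check: both zones equal the trusted zone (more robust than
    matching a policy-name string, which changes whenever an admin renames a policy)."""
    for params in parsed['structured_data'].values():
        if params.get('source-zone-name') == zone and params.get('destination-zone-name') == zone:
            return True
    return False


if __name__ == '__main__':
    p = parse_rfc5424(SAMPLE)
    print('MSG part:', repr(p['msg']))
    print('policy-name:', p['structured_data']['junos@2636.1.1.1.2.49']['policy-name'])
    print('verdicts:', filter_verdicts(SAMPLE))
    print('intra-trust:', is_intra_trust(p))
```

Running it shows the MSG part of the sample is empty while the policy name lives in the SD element, so only the structured-data and rawmsg properties match. rsyslog also ships the mmpstrucdata module, which parses the SD block into JSON so that individual params such as the zone names can be compared as fields rather than by substring.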