#1, 6th November 2012, 20:22
sanjose

rsyslog filtering syslog messages

Hello There,

I have a problem with filtering syslog messages on rsyslog, which is installed on Debian 6. I want to implement regex filtering on syslog messages and then write them to a database. Currently the database is working successfully. I was unable to get regex filtering to work. Here is my configuration file:

Code:
# /etc/rsyslog.conf Configuration file for rsyslog.
#
# For more information see
# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html


#################
#### MODULES ####
#################

$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
#$ModLoad immark # provides --MARK-- message capability

# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514

$ModLoad ommysql


###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

#
# Set the default permissions for all log files.
#
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022

#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf


###############
#### RULES ####
###############


:msg, regex, "ASA-7" ~

*.* mmysql:127.0.0.1,Syslog,rsyslog,password

#
# First some standard log files. Log by facility.
#
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
#cron.* /var/log/cron.log
daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
lpr.* -/var/log/lpr.log
mail.* -/var/log/mail.log
user.* -/var/log/user.log

#
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info -/var/log/mail.info
mail.warn -/var/log/mail.warn
mail.err /var/log/mail.err

#
# Logging for INN news system.
#
news.crit /var/log/news/news.crit
news.err /var/log/news/news.err
news.notice -/var/log/news/news.notice

#
# Some "catch-all" log files.
#
*.=debug;\
auth,authpriv.none;\
news.none;mail.none -/var/log/debug
*.=info;*.=notice;*.=warn;\
auth,authpriv.none;\
cron,daemon.none;\
mail,news.none -/var/log/messages

#
# Emergencies are sent to everybody logged in.
#


#
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#
#daemon,mail.*;\
# news.=crit;news.=err;news.=notice;\
# *.=debug;*.=info;\
# *.=notice;*.=warn /dev/tty8

# The named pipe /dev/xconsole is for the `xconsole' utility. To use it,
# you must invoke `xconsole' with the `-file' option:
#
# $ xconsole -file /dev/xconsole [...]
#
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
# busy site..
#
daemon.*;mail.*;\
news.err;\
*.=debug;*.=info;\
*.=notice;*.=warn |/dev/xconsole

So the problematic rules are the following:

:msg, regex, "ASA-7" ~
*.* mmysql:127.0.0.1,Syslog,rsyslog,password

I want to delete all syslog messages which contain ASA-7 in the body, and write all others to the database. With the current configuration, ASA-7 messages are still written to the database.

Here is an example of a syslog message that rsyslog is receiving from a Cisco ASA:

Code:
%ASA-7-302016: Teardown UDP connection 55604368 for Outside:2.2.2.2 {1.1.1.1} /53 to DMZ-2:host1/18178 duration 0:00:00 bytes 110
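As an added illustration (not part of the post and not rsyslog's own code), the following Python emulates how rsyslog evaluates legacy rules top to bottom, using the posted discard filter and catch-all database action on constructed sample lines; it assumes the filtered text is exposed as the msg property and that re.search stands in for rsyslog's POSIX regex match:

```python
import re

# Constructed sample input: line 1 mirrors the Cisco ASA message quoted in the
# post (forum link residue removed); the other two lines are made up.
SAMPLE_MESSAGES = [
    "%ASA-7-302016: Teardown UDP connection 55604368 for Outside:2.2.2.2/53 to DMZ-2:host1/18178 duration 0:00:00 bytes 110",
    "%ASA-6-302015: Built inbound UDP connection 55604369 for Outside:2.2.2.2/53 to DMZ-2:host1/18178",
    "sshd[2231]: Accepted publickey for admin from 10.0.0.5 port 51234 ssh2",
]
DISCARD = "~"  # the legacy rsyslog discard action

def property_filter(prop, pattern, negate=False):
    """Emulates ':prop, regex, "pattern"' (':prop, !regex, ...' if negate).
    Assumes re.search is a fair stand-in for rsyslog's POSIX regex match,
    which holds for a plain literal such as "ASA-7"."""
    rx = re.compile(pattern)
    return lambda props: (rx.search(props.get(prop, "")) is not None) != negate

def match_all(props):
    """Emulates the '*.*' selector: every facility at every priority."""
    return True

def run_rules(rules, messages):
    """Evaluate rules top to bottom per message, as rsyslog does: a matching
    DISCARD drops the message before later rules see it; any other action
    appends (action, message), standing in for the row ommysql would insert."""
    written = []
    for text in messages:
        # Simplification: the whole line is exposed as msg; rsyslog splits off header fields first.
        props = {"msg": text}
        for rule_filter, action in rules:
            if not rule_filter(props):
                continue
            if action == DISCARD:
                break
            written.append((action, text))
    return written

# The two rules as posted: discard ASA-7 messages, then send the rest to MySQL.
CONFIG_AS_POSTED = [
    (property_filter("msg", "ASA-7"), DISCARD),
    (match_all, "ommysql"),
]
# The same rules in the wrong order: the DB action fires before the discard.
MISORDERED = [
    (match_all, "ommysql"),
    (property_filter("msg", "ASA-7"), DISCARD),
]
```

Before reloading a real config, `rsyslogd -N1` checks its syntax; whether the searched string ends up in msg or in a header property such as syslogtag depends on how rsyslog's parser splits the received line, so confirm which property actually carries it.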