LinuxQuestions.org

Linux - Newbie: rsyslog filtering syslog messages (https://www.linuxquestions.org/questions/linux-newbie-8/rsyslog-filtering-syslog-messages-4175435492/)

sanjose 11-03-2012 03:39 PM

rsyslog filtering syslog messages
 
Hello there,

I have a problem with rsyslog: filtering syslog messages with a regex and then writing them to a MySQL database.
The rsyslog.conf entry is the following:
:msg, regex, "ASA-0" :ommysql:127.0.0.1,Syslog,rsyslog,password
So I am trying to write all syslog messages containing ASA-0 to the MySQL database, but unfortunately it isn't working: all messages are written to the database. The rsyslog version is 4.6.4.

unSpawn 11-04-2012 07:39 AM

Shouldn't you be using something like :hostname,contains,"ASA-0":ommysql:database-address,database-name,database-userid,database-password?

sanjose 11-06-2012 02:28 AM

Hello unSpawn,


I have already tried the configuration you mentioned, but it isn't working.

I have observed very strange behaviour from rsyslog: even when I have removed all statements like
*.* :ommysql:database-address,database-name,database-userid,database-password
log messages are still written to the database. Only if I unload the module does it stop writing syslog to the database.

unSpawn 11-06-2012 04:01 AM

You probably need to drop ASA-0 after you log to the database, something like
Code:

:hostname,contains,"ASA-0" ~
and apply other rules afterwards, or else filter something like
Code:

if $hostname contains 'ASA-0' then :ommysql:database-address,database-name,database-userid,database-password
if $hostname ! contains 'ASA-0' then /var/log/syslog

Also please note posting your complete rsyslog.conf may provide more insight but saying "it isn't working" on its own isn't the best way to start troubleshooting problems.

sanjose 11-06-2012 04:35 AM

Here is the configuration file. Here I want to discard any logs that contain ASA-7, and write everything else into the database.

Quote:

# /etc/rsyslog.conf Configuration file for rsyslog.
#
# For more information see
# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html


#################
#### MODULES ####
#################

$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
#$ModLoad immark # provides --MARK-- message capability

# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514

$ModLoad ommysql


###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

#
# Set the default permissions for all log files.
#
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022

#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf


###############
#### RULES ####
###############


:msg, regex, "ASA-7" ~

*.* :ommysql:127.0.0.1,Syslog,rsyslog,password

#
# First some standard log files. Log by facility.
#
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
#cron.* /var/log/cron.log
daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
lpr.* -/var/log/lpr.log
mail.* -/var/log/mail.log
user.* -/var/log/user.log

#
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info -/var/log/mail.info
mail.warn -/var/log/mail.warn
mail.err /var/log/mail.err

#
# Logging for INN news system.
#
news.crit /var/log/news/news.crit
news.err /var/log/news/news.err
news.notice -/var/log/news/news.notice

#
# Some "catch-all" log files.
#
*.=debug;\
auth,authpriv.none;\
news.none;mail.none -/var/log/debug
*.=info;*.=notice;*.=warn;\
auth,authpriv.none;\
cron,daemon.none;\
mail,news.none -/var/log/messages

#
# Emergencies are sent to everybody logged in.
#


#
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#
#daemon,mail.*;\
# news.=crit;news.=err;news.=notice;\
# *.=debug;*.=info;\
# *.=notice;*.=warn /dev/tty8

# The named pipe /dev/xconsole is for the `xconsole' utility. To use it,
# you must invoke `xconsole' with the `-file' option:
#
# $ xconsole -file /dev/xconsole [...]
#
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
# busy site..
#
daemon.*;mail.*;\
news.err;\
*.=debug;*.=info;\
*.=notice;*.=warn |/dev/xconsole

Here is an example of a received syslog message from a Cisco ASA:

Quote:

%ASA-7-302014: Teardown TCP connection 54553486 for Outside:192.168.166.4/8080 to inside:HOST/1850 duration 0:00:13 bytes 3320 TCP FINs

unSpawn 11-06-2012 06:03 AM

You posted a rsyslog configuration file which:
- doesn't show the rule you posted in your OP,
- doesn't show any trace of what I wrote about in my replies,
- discards any "ASA-7" message before it hits the database filter and
- logs any facility / priority pair (*.*) to database.


Here's what you should do / show:
- check your ASA "logging" for its "facility" setting: it may default to "20", the equivalent of the "local4" facility, so if nothing else uses that you could use it as filter in Rsyslog.
- then apply any ASA filter,
- then drop ASA items after the filter rule,
- then proceed processing other logs.

Then test and post back the result (as in 'grep -v ^# /etc/rsyslog.conf|grep .;').

sanjose 11-06-2012 11:00 AM

Hello unSpawn,

Can you please explain, or show documentation that describes, the order in which rsyslog processes property-based filters?
For this rule configuration:

:msg, regex, "ASA-7" ~
*.* mmysql:127.0.0.1,Syslog,rsyslog,password

I was hoping that rsyslog would first discard all debugging syslog messages, and that all others would be written to the database?
How does it process property-based filters; does it process them sequentially?


unSpawn 11-06-2012 11:17 AM

Basics: http://www.rsyslog.com/doc/rsyslog_conf.html
Writing and discarding: http://www.rsyslog.com/writing-speci...scarding-them/
Examples: http://wiki.rsyslog.com/index.php/Configuration_Samples
Filtering: http://www.rsyslog.com/doc/rsyslog_conf_filter.html (property-based filters halfway down the page)

sanjose 11-06-2012 11:35 AM

After reading the documents mentioned above, I couldn't understand why these filter rules don't work:

:msg, regex, "ASA-7" ~
*.* mmysql:127.0.0.1,Syslog,rsyslog,password

I expect that these two rules won't write logs that contain the ASA-7 string in the message body into the database. But they don't work; messages that contain ASA-7 are still written into the database. Can you please explain why it doesn't work?

unSpawn 11-06-2012 03:33 PM

Your initial question was:
Quote:

Originally Posted by sanjose (Post 4821571)
i am trying to write all syslog messages containing ASA-0 to mysql database

I suggested you use a filter like:
Code:

:hostname,contains,"ASA-0" :ommysql:127.0.0.1,Syslog,rsyslog,password
and drop it directly after:
Code:

:hostname,contains,"ASA-0" ~
Of course you're free to use your regex form:
Code:

:msg, regex, "ASA-0":ommysql:127.0.0.1,Syslog,rsyslog,password
:msg, regex, "ASA-0" ~

*Before you do anything else I strongly suggest you practice with standard syslog first to get a grasp of syslog basic concepts.
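As an added example (not from the thread and not rsyslog's own code), here is a small Python model of the top-to-bottom rule evaluation unSpawn describes, covering sanjose's ordering question above: a matching `~` rule discards the message so no later rule sees it, and an `&` line reuses the previous line's filter. The sample messages and the `local4` facility are constructed, and only the subset of legacy syntax used in this thread is modelled.

```python
import re
# Matches a legacy property filter line such as:  :msg, regex, "ASA-7" ~
PROP_RE = re.compile(r'^:(\w+),\s*(\w+),\s*"([^"]*)"\s*(.*)$')

def parse_rules(conf):
    rules = []
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = PROP_RE.match(line)
        if m:                       # :property, operator, "value" action
            rules.append((("prop",) + m.group(1, 2, 3), m.group(4)))
        elif line.startswith("&"):  # "&" reuses the previous line's filter
            rules.append((rules[-1][0], line[1:].strip()))
        else:                       # facility.priority selector (subset only)
            sel, action = line.split(None, 1)
            rules.append((("sel", sel), action))
    return rules

def matches(cond, msg):
    if cond[0] == "sel":
        fac, pri = cond[1].split(".")
        return fac in ("*", msg["facility"]) and pri in ("*", msg["priority"])
    _, prop, op, val = cond
    if op == "contains":
        return val in msg[prop]
    if op == "regex":
        return re.search(val, msg[prop]) is not None
    raise ValueError("unsupported operator: " + op)

def process(rules, msg):  # top to bottom; "~" discards and stops processing
    taken = []
    for cond, action in rules:
        if matches(cond, msg):
            if action == "~":
                break
            taken.append(action)
    return taken
# Constructed sample messages; the ASA-7 text is the one quoted in the thread.
ASA7 = {"facility": "local4", "priority": "debug",
        "msg": "%ASA-7-302014: Teardown TCP connection 54553486 for Outside:192.168.166.4/8080 to inside:HOST/1850 duration 0:00:13 bytes 3320 TCP FINs"}
ASA0 = {"facility": "local4", "priority": "emerg", "msg": "%ASA-0-000000: constructed emergency message"}
OTHER = {"facility": "daemon", "priority": "info", "msg": "constructed ordinary daemon message"}
DROP_THEN_DB = parse_rules(''':msg, regex, "ASA-7" ~
*.* :ommysql:127.0.0.1,Syslog,rsyslog,password
daemon.* -/var/log/daemon.log''')
FILTER_THEN_DROP = parse_rules(''':msg, regex, "ASA-0":ommysql:127.0.0.1,Syslog,rsyslog,password
& ~
daemon.* -/var/log/daemon.log''')
```

Calling `process(DROP_THEN_DB, ASA7)` returns an empty list (discarded before the database rule), while `process(FILTER_THEN_DROP, ASA0)` returns only the ommysql action because the `& ~` line stops further processing.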

sanjose 11-07-2012 01:04 PM

Hello,

After implementing the following configuration:

Code:

:msg, regex, "ASA-0":ommysql:127.0.0.1,Syslog,rsyslog,password
:msg, regex, "ASA-0" ~

Everything is still written into the database. It seems that regex filtering isn't working. Is there any way to make it work?


unSpawn 11-07-2012 01:08 PM

Dunno. Haven't seen your modified rsyslog.conf.

sanjose 11-07-2012 01:14 PM

Here is the modified config file.

Code:

$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog  # provides kernel logging support (previously done by rklogd)
$ModLoad imudp
$UDPServerRun 514
$ModLoad ommysql
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$IncludeConfig /etc/rsyslog.d/*.conf
:msg, regex, "ASA-0":ommysql:127.0.0.1,Syslog,rsyslog,password
:msg, regex, "ASA-0" ~
auth,authpriv.*                /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
daemon.*                        -/var/log/daemon.log
kern.*                          -/var/log/kern.log
lpr.*                          -/var/log/lpr.log
mail.*                          -/var/log/mail.log
user.*                          -/var/log/user.log
mail.info                      -/var/log/mail.info
mail.warn                      -/var/log/mail.warn
mail.err                        /var/log/mail.err
news.crit                      /var/log/news/news.crit
news.err                        /var/log/news/news.err
news.notice                    -/var/log/news/news.notice
*.=debug;\
        auth,authpriv.none;\
        news.none;mail.none    -/var/log/debug
*.=info;*.=notice;*.=warn;\
        auth,authpriv.none;\
        cron,daemon.none;\
        mail,news.none          -/var/log/messages
daemon.*;mail.*;\
        news.err;\
        *.=debug;*.=info;\
        *.=notice;*.=warn      |/dev/xconsole


unSpawn 11-07-2012 03:08 PM

Some possibilities:
- Instead of ":msg,regex" test ":hostname,contains" or "syslogtag,contains" (after all I'm not sure it even is a hostname tag),
- Instead of ":msg, regex, "ASA-0" ~" try "& ~",
- Check your Cisco machine for its log facility and use that (post #6) instead of a regex,
- See if a convoluted if-something-else filter would do the job,
- Check the vendor for improvements in the ommysql output module and if necessary upgrade. They're at version major 7 BTW.
- Debug the hell out of Rsyslogd (http://www.rsyslog.com/doc/debug.html),
or else ask in the rsyslog mailing list.
