LinuxQuestions.org - Linux - Server - Rsyslog Filtering (https://www.linuxquestions.org/questions/linux-server-73/rsyslog-filtering-4175607850/)

harrytk 06-13-2017 08:59 AM

Rsyslog Filtering
 
Hi,

I'm trying to configure rsyslog to filter logs being sent by a firewall. I am filtering according to the event id in the logs, which is a string of the form "m=x" where x is the event id number. The firewall has hundreds of such event ids and I only want a small subset of these to appear in my logs.

I am using property-based filtering with regex. My problem is that I can successfully configure rsyslog to filter one event id only. When I try to configure more than one event id, it allows everything through without filtering. Below is my working config for one event id:

local0
:msg, regex, "m=14" -/var/log/firewall.log
& stop

If I add a second line for another event id, e.g.:

local0
:msg, regex, "m=14" -/var/log/firewall.log
:msg, regex, "m=15" -/var/log/firewall.log
& stop

then all event ids are processed, not just 14 and 15 as I would like.

Please advise where I am going wrong here.

Many thanks.

Linuxfabrik 06-13-2017 02:39 PM

In Rsyslog v7 and above, filtering is done like so:

/etc/rsyslog.d/firewall.conf:

Code:

if (
    $msg startswith "abc" or
    $msg startswith "def" or
    ($programname == "kernel" and $msg contains "xyz") or
    ...
  )
then
    # ignore, do not forward or log
    continue
else
    -/var/log/firewall.log


harrytk 06-19-2017 03:56 AM

Thank you, that method has worked for me. I used:

if ($syslogfacility-text == "local0" and $msg contains "m=14") then -/var/log/firewall.log
else
if ($syslogfacility-text == "local0" and $msg contains "m=35") then -/var/log/firewall.log

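For the multi-id case in the thread, here is an added RainerScript config (not the original poster's or Linuxfabrik's code) that keeps only event ids 14, 15 and 35 from the firewall and discards everything else from local0; it uses re_match with an anchored id so that a substring test like "m=14" does not also admit "m=140" or "m=1412". The file path and event ids are the ones from the thread; the regex and the stop rule are assumptions about what the poster wants.

```rsyslog
# /etc/rsyslog.d/firewall.conf (added example, not from the thread)
# Only firewall messages (facility local0) whose event id is exactly 14, 15
# or 35 are written to /var/log/firewall.log. All other local0 messages are
# discarded so they never reach the catch-all rules in /etc/rsyslog.conf.
#
# Why a regex instead of `$msg contains "m=14"`: a plain substring test is
# over-inclusive and also matches "m=140", "m=1412", ... The groups below
# require a non-alphanumeric character (or start of message) before "m="
# and a non-digit (or end of message) after the id.
if $syslogfacility-text == "local0" then {
    if re_match($msg, "(^|[^A-Za-z0-9])m=(14|15|35)($|[^0-9])") then {
        action(type="omfile" file="/var/log/firewall.log")
    }
    # Drop every other firewall event here; nothing below this point sees it.
    stop
}
```

Restart rsyslog (or run `rsyslogd -N1` first to syntax-check the file) and confirm with a test message that an id such as 140 is no longer written to firewall.log.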
