Rsyslog Filtering
Hi,

I'm trying to configure rsyslog to filter logs being sent by a firewall. I am filtering according to the event id in the logs, which is a string of the form "m=x" where x is the event id number. The firewall has hundreds of such event ids and I only want a small subset of these to appear in my logs. I am using property-based filtering with regex. My problem is that I can successfully configure rsyslog to filter one event id only. When I try to configure more than one event id, it allows everything through without filtering. Below is my working config for one event id:

Code:
local0 :msg, regex, "m=14" -/var/log/firewall.log
& stop

If I add a second line for another event id, e.g.:

Code:
local0 :msg, regex, "m=14" -/var/log/firewall.log
:msg, regex, "m=15" -/var/log/firewall.log
& stop

then all event ids are processed, not just 14 and 15 as I would like. Please advise where I am going wrong here. Many thanks.
In Rsyslog v7 and above, filtering is done like so:

/etc/rsyslog.d/firewall.conf
Code:
if (
Thank you, that method has worked for me. I used:

Code:
if ($syslogfacility-text == "local0" and $msg contains "m=14") then -/var/log/firewall.log
else if ($syslogfacility-text == "local0" and $msg contains "m=35") then -/var/log/firewall.log
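An added example, not code from the thread, that takes the working RainerScript approach above a step further: it keeps several event ids in one anchored test, so that a match on "m=14" does not also accept "m=140", and it makes the drop of everything else explicit. The facility, file path and event ids come from the question; the rule-set name `firewall` is an assumption.

```rsyslog
# Added example for rsyslog v7+ (/etc/rsyslog.d/firewall.conf), not the
# thread's own config. Assumes the firewall logs arrive on facility local0
# and carry the event id as "m=<number>" somewhere in the message.

ruleset(name="firewall") {
    # Allow-list of event ids to keep. The pattern is anchored on purpose:
    # a plain substring test for "m=14" would also accept m=140, m=1400, ...
    # re_match() uses POSIX ERE; ([^0-9]|$) avoids relying on \b support.
    if re_match($msg, "m=(14|35)([^0-9]|$)") then {
        action(type="omfile" file="/var/log/firewall.log")
        # Stop here so kept lines do not also land in /var/log/messages.
        stop
    }
    # Everything else from the firewall is discarded. Dropping events is a
    # visibility trade-off: route them to a second file instead if you may
    # need them later for investigation.
    stop
}

# Hand the firewall feed to the rule set. This is the same facility test
# as in the thread's config, evaluated once instead of once per event id.
if $syslogfacility-text == "local0" then call firewall
```

Check the result with `rsyslogd -N1` before restarting, and confirm with `logger -p local0.info "test m=140"` that the unanchored case is no longer written to the file.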