Rsyslog Filtering

harrytk · 06-13-2017, 08:59 AM

Hi,

I'm trying to configure rsyslog to filter logs being sent by a firewall. I am filtering according to the event id in the logs, which is a string of the form "m=x" where x is the event id number. The firewall has hundreds of such event id's and I only want a small subset of these to appear in my logs.

I am using property based filtering with regex. My problem is that I can successfully configure rsyslog to filter one event id only. When I try to configure more that one event id, it allows everything through without filtering. Below is my working config for one event id:

local0
:msg, regex, "m=14" -/var/log/firewall.log
& stop

If I add a second line for another event id eg:

local0
:msg, regex, "m=14" -/var/log/firewall.log
:msg, regex, "m=15" -/var/log/firewall.log
& stop

then all event id's are processed, not just 14 and 15 as I would like.

Please advise where I am going wrong here.

Many thanks.

Linuxfabrik · 06-13-2017, 02:39 PM

In Rsyslog v7 and above, filtering is done like so:

Code:

/etc/rsyslog.d/firewall.conf

Code:

if (
    $msg startswith "abc" or 
    $msg startswith "def" or
    ($programname == "kernel" and $msg contains "xyz") or
    ...
   )
then 
    # ignore, do not forward or log
    continue
else
    -/var/log/firewall.log

harrytk · 06-19-2017, 03:56 AM

Thank you, that method has worked for me. I used:

if ($syslogfacility-text == "local0" and $msg contains "m=14") then -/var/log/firewall.log
else
if ($syslogfacility-text == "local0" and $msg contains "m=35") then -/var/log/firewall.log