rsyslog templates

martijndutch · 08-29-2018, 01:36 PM

Hello,

I'm using rsyslog to consolidate and forward evens gathered from ubiquity access points. As these events are coming in from a remote site, they all appear to originate from the external IP of that site (blabla.wanadoo.fr). This information is completely irrelevant for me. Luckily, in the message itself, is the relevant part being the MAC of the device. I want to do the following:

Replace the host value with the mac address
Remove everything between (" ... ")

Code:

Aug 29 20:27:50 lputeaux-657-1-11-111.w217-128.abo.wanadoo.fr ("U7MP,788a20b00b71,v3.9.49.9260") kernel: [89063.790000] ieee80211_ioctl_set_ratelimit: node with aid 3 and mac bc:6c:21:94:b2:47 has been t

How should I configure the rsyslog template?

btw, log processing tools like LogRhythm and Papertrail already start interpreting the line and showing it as:

Code:

Aug 29 20:32:21 lputeaux-657-1-11-111.w217-128.abo.wanadoo.fr ("U7MP: ,788a2023a0e4,v3.9.42.9152 libubnt[2081]: wevent.ubnt_handle_custom_alert_sta_assoc():

thereby removing the ")

Thank you for your help!

TB0ne · 08-30-2018, 07:59 AM

Quote:

Originally Posted by martijndutch

Hello,
I'm using rsyslog to consolidate and forward evens gathered from ubiquity access points. As these events are coming in from a remote site, they all appear to originate from the external IP of that site (blabla.wanadoo.fr). This information is completely irrelevant for me. Luckily, in the message itself, is the relevant part being the MAC of the device. I want to do the following:

Replace the host value with the mac address
Remove everything between (" ... ")

Code:

Aug 29 20:27:50 lputeaux-657-1-11-111.w217-128.abo.wanadoo.fr ("U7MP,788a20b00b71,v3.9.49.9260") kernel: [89063.790000] ieee80211_ioctl_set_ratelimit: node with aid 3 and mac bc:6c:21:94:b2:47 has been t

How should I configure the rsyslog template?
btw, log processing tools like LogRhythm and Papertrail already start interpreting the line and showing it as:

Code:

Aug 29 20:32:21 lputeaux-657-1-11-111.w217-128.abo.wanadoo.fr ("U7MP: ,788a2023a0e4,v3.9.42.9152 libubnt[2081]: wevent.ubnt_handle_custom_alert_sta_assoc():

thereby removing the ") Thank you for your help!

Look at property based filters, specifically the compare operations. There isn't anything that looks at MAC addresses (that I can see, at least), but it CAN act on strings. So if you know the MAC's in question, you could search/replace/filter things based on that, treating it as a string.

https://www.rsyslog.com/doc/v8-stabl...n/filters.html