LinuxQuestions.org - rsyslog nested conditions

- Linux - Server (https://www.linuxquestions.org/questions/linux-server-73/)

- - rsyslog nested conditions (https://www.linuxquestions.org/questions/linux-server-73/rsyslog-nested-conditions-4175416138/)

rsyslog nested conditions

How to apply nested conditions in rsyslog as in pseudo-C+rsyslog it should be like this:

Code:

if ($(fromhost-ip) == '192.168.73.1') then

  if (msg, contains, "DROP") then

    /var/log/my_router/dropped;

  else if (msg, contains, "REJECT") then

    /var/log/my_router/rejected;

  else

    /var/log/my_router/general;

Reading http://www.rsyslog.com/doc/omruleset.html I make it look something like:

Code:

$ModLoad omruleset



$RuleSet routerlogs

$RulesetCreateMainQueue on

:msg,contains,"DROP" /var/log/my_router/dropped

& ~

:msg,contains,"REJECT" /var/log/my_router/dropped

& ~



#switch back to default ruleset

$ruleset RSYSLOG_DefaultRuleset



$ActionOmrulesetRulesetName routerlogs

:FROMHOST, isequal, "192.168.73.1" :omruleset:



*.* /var/log/my_router/general

...or not. I didn't test this rule set so YMMV(VM). Best not use Live log sources unless you've got a default rule target (don't discard) and know how to perform basic Rsyslog troubleshooting.

Quote:

Originally Posted by unSpawn (Post 4725395)

...

Yep. Life is hard for today :(