I just compiled this and have it running, but I am trying to understand the filtering expressions. I am currently running 3.14.2 on a test system that gets a copy of the syslog data from a firewall.
I want to write the files out depending on what $msg contains, in an if/then/elsif/else or case-like structure. Here is what I have now:
$template TraditionalFormat,"%timegenerated% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n"
$template DYNfirewall,"/var/log/rsyslog/%HOSTNAME%/%$YEAR%/%$MONTH%/%$NOW%-isg.log"
$template DYNfirewall2,"/var/log/rsyslog/%HOSTNAME%/%$YEAR%/%$MONTH%/%$NOW%-isg-URL-Filter.log"
$template DYNfirewall3,"/var/log/rsyslog/%HOSTNAME%/%$YEAR%/%$MONTH%/%$NOW%-isg-messages.log"
if $msg contains 'system-notification-00257(traffic):' then ?DYNfirewall;TraditionalFormat
if $msg contains 'system-warning-00556: UF-MGR: URL BLOCKED' then ?DYNfirewall2;TraditionalFormat
if not ($msg contains 'system-notification-00257(traffic):' or $msg contains 'system-warning-00556: UF-MGR: URL BLOCKED' ) then ?DYNfirewall3;TraditionalFormat
The problem is in the last filter: it seems that in order to filter out the rest I have to negate the earlier matches, which is more processing overhead.
I looked at filtering like this (with tilde and without), but I could not even get the first match to process correctly:
:msg, contains, "system-notification-00257(traffic):"
local4.* writeto log
:msg, contains, "system-warning-00556: UF-MGR: URL BLOCKED"
local4.* writeto log
So how do I go about matching a line, performing the action, and, if the line does not match, checking the next pattern, until I get to the end bucket which matches anything? Something like:
if ($msg contains 'system-notification-00257(traffic):') then writetotemplate1 elsif
($msg contains 'something else') then write writetotemplate2
else writetotemplate3
thanks
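As an added example (this is not part of the original post), the first-match dispatch the question describes can be written in rsyslog's legacy configuration syntax, which is what 3.14.2 understands, by following each write action with the discard action `& ~`: the `&` re-applies the preceding filter, and `~` drops the message so that no later rule in the file sees it. Messages that match none of the filters fall through to the final catch-all line. The template names and match strings are the ones from the post; the choice of `*.*` for the catch-all is an assumption and is discussed below.

```rsyslog
# Templates from the post (unchanged)
$template TraditionalFormat,"%timegenerated% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n"
$template DYNfirewall,"/var/log/rsyslog/%HOSTNAME%/%$YEAR%/%$MONTH%/%$NOW%-isg.log"
$template DYNfirewall2,"/var/log/rsyslog/%HOSTNAME%/%$YEAR%/%$MONTH%/%$NOW%-isg-URL-Filter.log"
$template DYNfirewall3,"/var/log/rsyslog/%HOSTNAME%/%$YEAR%/%$MONTH%/%$NOW%-isg-messages.log"

# Bucket 1: traffic notifications. Write to the dynamic file, then discard
# the message so none of the rules below are evaluated for it.
:msg, contains, "system-notification-00257(traffic):"   ?DYNfirewall;TraditionalFormat
& ~

# Bucket 2: URL-filter blocks. Only messages that were not discarded above
# reach this line, so no negated conditions are needed.
:msg, contains, "system-warning-00556: UF-MGR: URL BLOCKED"   ?DYNfirewall2;TraditionalFormat
& ~

# Bucket 3 (catch-all): everything that survived the two discards above.
# Assumption: all messages reaching this point are firewall messages; if the
# same instance also receives local system logs, narrow this selector to the
# facility the firewall logs with (for example local4.*) instead of *.*.
*.*   ?DYNfirewall3;TraditionalFormat
& ~
```

Two points matter operationally. First, `~` discards the message from every rule that follows it anywhere in the configuration, not only from this block, so the block must come after any rule that should see all messages (a general /var/log/messages line, a forwarding rule to a central collector) or those destinations will silently lose the firewall events. Second, the same `& ~` idiom works after the expression-based `if $msg contains '...' then` filters already in the post, so the existing lines can be kept and only the discards added; in rsyslog 7 and later the same structure is written natively as `if ... then { ... } else if ... then { ... } else { ... }` with `stop` replacing `~`.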