How to set facility to a different value based on condition

This is the place for you, if you got rsyslog up and running but wonder how to make it do what you want.

Moderator: rgerhards

Postby kmohite10 » Tue Aug 29, 2017 5:03 pm

I have written an rsyslog configuration where I monitor an audit file. If my audit file has a message containing "action=login" only then I want to set the facility as authpriv, else I want the facility to be default (local0). How do I do this? I am not able to set the facility in the condition loop. Below is the code. How to set the facility for the message in the if condition? What I see is currently it gets set to default (local0) only.

Below is what I am trying to do:

Code:
$ModLoad imfile
$InputFileName /opt/test/audit.log
$InputFileTag testaudit
$InputFileStateFile testaudit
$InputFileSeverity info
$InputRunFileMonitor
 
if $msg contains 'action=login' then {
        $InputFileFacility authpriv
        continue
}
 
:programname,contains,"sshd" @<server_vip>:50514
:programname,contains,"sudo" @<server_vip>:50514
:msg,contains,"action=login" @<server_vip>:50514
kmohite10
New
 
Posts: 1
Joined: Tue Aug 29, 2017 4:51 pm

Re: How to set facility to a different value based on condit

Postby dlang » Fri Sep 01, 2017 2:59 am

You cannot change the facility value that is set as rsyslog reads the file (it gets set before anything about the contents of the file is known).

What you can do is to create a custom output format that includes a variable where the PRI value goes and then set that variable to the appropriate value before sending the message out.
dlang
Frequent Poster
 
Posts: 1001
Joined: Mon Sep 15, 2008 7:44 am
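
The approach described in the reply above, written out in RainerScript as an added example that is not part of either post. The local variable `$.pri`, the template name `FwdWithPri` and the ruleset name `audit_fwd` are assumptions chosen for illustration; the file path, tag, port and the `<server_vip>` placeholder are taken from the question.

```rsyslog
module(load="imfile")

# imfile stamps facility and severity when the line is read, before any
# rule sees the content, so the facility given here is only the default.
input(type="imfile"
      File="/opt/test/audit.log"
      Tag="testaudit"
      Severity="info"
      Facility="local0"
      ruleset="audit_fwd")      # ruleset name is an assumption

# Same layout as the built-in RSYSLOG_ForwardFormat, except that the
# leading <PRI> field is filled from a local variable instead of %PRI%.
template(name="FwdWithPri" type="string"
         string="<%$.pri%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%")

ruleset(name="audit_fwd") {
    # PRI = facility * 8 + severity
    #   authpriv (10) * 8 + info (6) = 86
    #   local0   (16) * 8 + info (6) = 134
    if $msg contains "action=login" then {
        set $.pri = "86";
    } else {
        set $.pri = "134";
    }

    # <server_vip> is the placeholder from the question; replace it with
    # the receiver's address.
    action(type="omfwd"
           target="<server_vip>"
           port="50514"
           protocol="udp"
           template="FwdWithPri")
}
```

Only the PRI written on the wire changes: inside this rsyslog instance the message's own facility property stays local0, so any local filter on facility still sees the original value, while the receiver parses the forwarded line as authpriv.info.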
