Forwarding specific messages after writing them to file

This is the place for you, if you got rsyslog up and running but wonder how to make it do what you want.

Forwarding specific messages after writing them to file

Postby thejester2112 » Mon Apr 10, 2017 2:07 pm

Hello, I am looking for help in forwarding log files after Rsyslog has written them to file. I have searched for the past few days and haven't been able to find anything. Could be that I don't know what to search for, since I am new to Rsyslog and not a "programmer" by trade.

I have a centralized rsyslog server that is collecting syslog from a number of devices/systems in the network. I have a need for it to forward a small subset of those logs to another syslog server. For example, I want to forward the firewall logs to a server that the firewall team has access to for troubleshooting and looking at logs. Below is a smaller version of my config file. What I am hoping to do is continue to write messages that match the ASA and then forward those to another server. Is this something that can be done within the IF statements, or is it something that is done at the end?

# rsyslog configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

# The imjournal module below is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark # provides --MARK-- message capability

# Provides UDP syslog reception
$ModLoad imudp
# The legacy listener is disabled here: port 514 is bound once, further down,
# by the input() statement that routes it into the NetLogCollection ruleset.
# Binding the same port twice (legacy directive plus input()) fails or
# sends half the traffic to the default ruleset.
#$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 2002

$ModLoad imklog

#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

$umask 0000
$EscapeControlCharactersOnReceive off

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on

# File to store the position in the journal
$IMJournalStateFile imjournal.state

#### TEMPLATES #####
# ASA Dyn Template
template ( name="$asa_dyn" type="string" string="/opt/logs/firewalls/cisco/%HOSTNAME%-%$YEAR%-%$MONTH%-%$DAY%.log")

# Windows Dyn Template
template ( name="$windoz_dyn" type="string" string="/opt/logs/windows/%HOSTNAME%-%$YEAR%-%$MONTH%-%$DAY%.log")

#### RULESETS ####
ruleset (name="NetLogCollection"){
### Start Cisco ASA logging rules
# Note: FileCreateMode="0756" sets other=rw-, i.e. the archived firewall logs
# are world-writable; 0640 with the firewall team's group is the usual choice.
if $programname contains "ASA-" then { action(type="omfile" FileCreateMode="0756" DirCreateMode="0755" FileOwner="XXXX" FileGroup="XXXX" DirGroup="XXXX" DirOwner="XXXX" dynaFile="$asa_dyn") stop}

### END Cisco Section

### Start Windows Snare logging rules
# "fixsnareFormat" is a template defined elsewhere in the full config.
else if ($programname == "WinEventLog") then { action(type="omfile" FileCreateMode="0755" DirCreateMode="0755" FileOwner="XXXX" FileGroup="XXXX" DirGroup="XXXX" DirOwner="XXXX" dynaFile="$windoz_dyn") stop }
else if $msg contains "MSWinEventLog" then { action(type="omfile" FileCreateMode="0755" DirCreateMode="0755" FileOwner="XXXX" FileGroup="XXXX" DirGroup="XXXX" DirOwner="XXXX" dynaFile="$windoz_dyn" template="fixsnareFormat") stop }
else if $syslogtag contains "MSWinEventLog" then { action(type="omfile" FileCreateMode="0755" DirCreateMode="0755" FileOwner="XXXX" FileGroup="XXXX" DirGroup="XXXX" DirOwner="XXXX" dynaFile="$windoz_dyn" template="fixsnareFormat") stop }
### END Windows Section
}
# Messages that match none of the branches above reach the end of the ruleset
# without any action and are discarded.

#### Bind UDP module for inbound connections on port 514 and log
# Region 1 Collection on UDP 514
input (type="imudp" port="514" ruleset="NetLogCollection")

# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###
thejester2112
New
 
Posts: 8
Joined: Fri Mar 24, 2017 8:38 pm

Re: Forwarding specific messages after writing them to file

Postby thejester2112 » Wed Apr 12, 2017 3:55 pm

So I was able to get it to work by doing the following.

### Start Cisco ASA logging rules
if $programname contains "ASA-" then { action(type="omfwd" Target="XX.XX.XX.XX" Port="514" Protocol="udp" Device="eth0") }
if $programname contains "ASA-" then { action(type="omfile" FileCreateMode="0756" DirCreateMode="0755" FileOwner="XXXX" FileGroup="XXXX" DirGroup="XXXX" DirOwner="XXXX" dynaFile="$asa_dyn") stop}


Is there a cleaner/simpler or recommended way of achieving this?

Thanks
thejester2112
New
 
Posts: 8
Joined: Fri Mar 24, 2017 8:38 pm

Re: Forwarding specific messages after writing them to file

Postby rgerhards » Wed Apr 12, 2017 3:58 pm

You can combine the two statements (which is also faster):

### Start Cisco ASA logging rules
if $programname contains "ASA-" then {
      action(type="omfwd" Target="XX.XX.XX.XX" Port="514" Protocol="udp" Device="eth0")
      action(type="omfile" FileCreateMode="0756" DirCreateMode="0755" FileOwner="XXXX" FileGroup="XXXX" DirGroup="XXXX" DirOwner="XXXX" dynaFile="$asa_dyn")
      stop
}
rgerhards
Site Admin
 
Posts: 3801
Joined: Thu Feb 13, 2003 11:57 am
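An added example, not code from the thread or from the rsyslog project: the combined rule from the reply above written out as a complete RainerScript config, with the two changes a practitioner would want before pointing a firewall team at it. The forward goes over TCP with a disk-assisted action queue (the RainerScript form of the commented `$ActionQueue*` block in the first post), so the firewall team's server being down neither blocks the local write nor drops messages; and the file modes replace the thread's `0756`, which leaves the archived logs world-writable, with `0640`. The ruleset name, the `192.0.2.10` target (a TEST-NET-2 placeholder), port 514, the paths and the `fwteam` group are assumptions.

```rsyslog
# Added example (not from the thread). Placeholders: 192.0.2.10, fwteam, paths.
module(load="imudp")

# Same dynamic file name as the thread's asa_dyn template.
template(name="asa_dyn" type="string"
         string="/opt/logs/firewalls/cisco/%HOSTNAME%-%$YEAR%-%$MONTH%-%$DAY%.log")

ruleset(name="NetLogCollection") {
    if $programname contains "ASA-" then {
        # Copy to the firewall team's collector. TCP instead of UDP so a dead
        # peer is detectable; the action queue spools to disk while it is down
        # and resumeRetryCount="-1" keeps retrying instead of discarding.
        action(type="omfwd" target="192.0.2.10" port="514" protocol="tcp"
               queue.type="LinkedList" queue.filename="fwd_asa"
               queue.maxDiskSpace="1g" queue.saveOnShutdown="on"
               action.resumeRetryCount="-1")

        # Local archive. 0640/0750: owner writes, the fwteam group reads,
        # nobody else can touch the evidence (the thread's 0756 gave
        # "other" read+write on every log file).
        action(type="omfile" dynaFile="asa_dyn"
               fileCreateMode="0640" dirCreateMode="0750"
               fileOwner="root" fileGroup="fwteam"
               dirOwner="root" dirGroup="fwteam")
        stop
    }
    # Other device classes (Windows/Snare etc.) go here; anything that
    # reaches the end of the ruleset without an action is discarded.
}

input(type="imudp" port="514" ruleset="NetLogCollection")
```

Check the file with `rsyslogd -N1 -f /path/to/this.conf` before restarting the daemon; after the first ASA message arrives, `ls -l /opt/logs/firewalls/cisco/` should show `-rw-r-----` files owned by `root:fwteam`, and `queue.filename` spool files appear under `$WorkDirectory` only while the TCP peer is unreachable.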

Re: Forwarding specific messages after writing them to file

Postby thejester2112 » Mon Apr 17, 2017 6:34 pm

Thank you very much, that worked for me.
thejester2112
New
 
Posts: 8
Joined: Fri Mar 24, 2017 8:38 pm
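An added example, not code from the thread or from the rsyslog project, for checking the finished rule end to end: it builds a constructed Cisco-ASA-style BSD syslog line (facility local4, tag `%ASA-6-302013`, the tag form from which rsyslog derives the `$programname` that `contains "ASA-"` tests), sends it to the collector over UDP, and waits for the marker to show up in the file the thread's `asa_dyn` template would produce. The collector address `127.0.0.1:514`, the log root `/opt/logs/firewalls/cisco`, the hostname and the message body are assumptions, as is that this host and rsyslog agree on the date used in the file name.

```python
"""Added example (not from the thread): inject one constructed ASA-style
message and confirm it was archived where the asa_dyn template puts it.
Placeholders: collector 127.0.0.1:514/udp, LOG_ROOT, hostname, body text."""
import os
import socket
import time
from typing import Optional, Tuple

LOCAL4 = 20   # Cisco ASA logs default to facility local4
INFO = 6      # severity: informational (the "6" in %ASA-6-...)
LOG_ROOT = "/opt/logs/firewalls/cisco"   # from the thread's asa_dyn template


def pri(facility: int, severity: int) -> int:
    """RFC 3164 PRI value: facility * 8 + severity (local4.info -> 166)."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity


def fixed_time(y: int, m: int, d: int, hh: int, mm: int, ss: int) -> time.struct_time:
    """Reproducible timestamp for tests and dry runs."""
    return time.strptime(f"{y:04d}-{m:02d}-{d:02d} {hh:02d}:{mm:02d}:{ss:02d}",
                         "%Y-%m-%d %H:%M:%S")


def build_message(hostname: str, tag: str, body: str,
                  facility: int = LOCAL4, severity: int = INFO,
                  when: Optional[time.struct_time] = None) -> bytes:
    """BSD syslog line: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG.

    rsyslog takes $programname from TAG (dropping an optional "[pid]" and
    the colon), so the tag, not the body, is what the ASA filter matches.
    """
    if when is None:
        when = time.localtime()
    # RFC 3164 timestamp: month abbreviation, space-padded day, no year.
    stamp = f"{time.strftime('%b', when)} {when.tm_mday:2d} {time.strftime('%H:%M:%S', when)}"
    return f"<{pri(facility, severity)}>{stamp} {hostname} {tag}: {body}".encode("utf-8")


def expected_path(hostname: str, when: Optional[time.struct_time] = None,
                  log_root: str = LOG_ROOT) -> str:
    """Mirror the template string %HOSTNAME%-%$YEAR%-%$MONTH%-%$DAY%.log."""
    if when is None:
        when = time.localtime()
    name = f"{hostname}-{when.tm_year:04d}-{when.tm_mon:02d}-{when.tm_mday:02d}.log"
    return os.path.join(log_root, name)


def inject_and_check(hostname: str, marker: str,
                     collector: Tuple[str, int] = ("127.0.0.1", 514),
                     wait: float = 2.0) -> bool:
    """Send one test line and poll the expected dynaFile for the marker."""
    # Constructed body resembling an ASA 302013 event; the marker makes the
    # line unique so repeated runs are distinguishable in the file.
    body = ("Built outbound TCP connection 1 for outside:198.51.100.7/443 "
            f"to inside:10.0.0.5/51000 test-marker={marker}")
    msg = build_message(hostname, "%ASA-6-302013", body)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(msg, collector)
    path = expected_path(hostname)
    deadline = time.monotonic() + wait
    while time.monotonic() < deadline:
        try:
            with open(path, "rb") as fh:
                if marker.encode() in fh.read():
                    return True
        except FileNotFoundError:
            pass
        time.sleep(0.2)
    return False


if __name__ == "__main__":
    ok = inject_and_check("fw-test-01", marker=f"{os.getpid()}-{int(time.time())}")
    print("ASA test line archived locally:", ok)
```

Run it on the collector as a user that can read the archive directory; a `True` confirms the omfile branch, and the same marker should appear on the firewall team's server a moment later, which confirms the omfwd branch. If the file is written but the remote copy never arrives, look at `queue.filename` spool files under `$WorkDirectory` and the action's suspension messages in rsyslog's own log before suspecting the filter.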
