Rule to collect rogue logs

This is the place for you, if you got rsyslog up and running but wonder how to make it do what you want.

Moderator: rgerhards

Rule to collect rogue logs

Postby devchix » Wed Jun 14, 2017 5:05 pm

Hello,

I have an rsyslog 7.4.10 receiver, receiving from a few remote hosts and writing to specific filenames. I would like to set up a rule that will catch "rogue" logs sent to me by unknown senders. Right now I have this line:

$Template Rogue, "/var/log/rogue.log"
:hostname, !isequal, "mylocalhost" ?Rogue;StandardFileFormat & stop

I thought that all remote logs with template directives will go to their designated files, and ONLY to their designated files. But the way it is working now is they go to their designated files AND rogue.log, because all remote logs are by definition (!isequal "mylocalhost").

Can I filter only the log files from remote hosts that I have not specifically filtered? That is, if there's a rule match, then do not write to rogue.log.

Thank you.
devchix
New
 
Posts: 3
Joined: Wed Jun 14, 2017 4:36 pm

Re: Rule to collect rogue logs

Postby dlang » Thu Jun 15, 2017 1:03 am

Each rule is completely independent of every other rule, with the one exception being that if you issue a stop action, no further rules are processed.

There is no way of testing if any earlier rule matched.

One thing you can do is to set up a table lookup and have a table that includes all of your known hosts. If the table lookup returns the value for nomatch, you can then treat it as a rogue message.
dlang
Frequent Poster
 
Posts: 1001
Joined: Mon Sep 15, 2008 7:44 am

Re: Rule to collect rogue logs

Postby devchix » Thu Jun 15, 2017 2:45 pm

if you issue a stop action, no further rules are processed.


In fact, this is the case. The directives are written in this order:

:fromhost-ip, isequal, "192.168.111.6" ?TemplateA;StandardFileFormat & stop
:fromhost-ip, isequal, "192.168.9.240" ?TemplateB & stop

...
...
:hostname, !isequal, "mylocalhost" ?RogueTemplate & stop


That is the actual last line, so if all the remote senders matched the previous rules, it should have stopped and not logged to rogue.log. That was what I expected: everything is caught, and the fall-through goes to rogue.log. This is not what's happening.
devchix
New
 
Posts: 3
Joined: Wed Jun 14, 2017 4:36 pm

Re: Rule to collect rogue logs

Postby dlang » Thu Jun 15, 2017 3:32 pm

You should really have the & stop as separate lines.

With current versions there is no benefit from using this syntax as opposed to

if $fromhost-ip == "ip" then {
?TemplateA;format
stop
}

and this newer syntax is much clearer about what's happening.
dlang
Frequent Poster
 
Posts: 1001
Joined: Mon Sep 15, 2008 7:44 am

Re: Rule to collect rogue logs

Postby devchix » Mon Jul 03, 2017 6:25 pm

Hmm, it's possible that the "~ stop" does not work with the 7.4.10 version. I changed my expression to use the condition with brackets, and it worked. Another question: vmware is sending some logs without any hostname or source IP, and those are falling through the filter. I want to find out what the $fromhost-ip is, so I've made a template:

?Template WhoAmI "%TIMESTAMP% %HOSTNAME% %fromhost-ip% %rawmsg:::drop-last-lf%\n"

Then I used that template in my expression:

if $hostname <> "mylocalhost" then {
?WhoAmI
action(type="omfile" file="/var/log/rogue.log")
stop
}

This gets my logs to the right file, and only one file, but it doesn't honor the template.

How do I specify a template in an expression like this?
devchix
New
 
Posts: 3
Joined: Wed Jun 14, 2017 4:36 pm

Re: Rule to collect rogue logs

Postby dlang » Fri Jul 07, 2017 9:18 am

Read the documentation on the action() call; you put the template in the parameters of the action() statement:

http://www.rsyslog.com/doc/v8-stable/co ... tions.html

If that doesn't help you, read the omfile documentation.
dlang
Frequent Poster
 
Posts: 1001
Joined: Mon Sep 15, 2008 7:44 am
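A worked RainerScript version of the whole setup discussed in this thread (known senders first, each ending in stop, then the rogue catch-all using the WhoAmI template via the action() template parameter). This is an added example, not config posted by either participant; the /var/log/hosts/hostA.log path is made up, and it assumes the template() and action() objects behave as documented for rsyslog 7.4.10 and later.

```conf
# Templates. TemplateA is a dynamic file name for a known sender (path is
# a constructed example); WhoAmI is the diagnostic line format from the
# thread, which records fromhost-ip so senders without a hostname can be
# identified.
template(name="TemplateA" type="string" string="/var/log/hosts/hostA.log")
template(name="WhoAmI" type="string"
         string="%TIMESTAMP% %HOSTNAME% %fromhost-ip% %rawmsg:::drop-last-lf%\n")

# Known senders come first. "stop" ends processing for the message, so a
# message that matches here never reaches the rogue rule below.
if $fromhost-ip == "192.168.111.6" then {
    # dynaFile names the template that yields the file name; template names
    # the line format (RSYSLOG_FileFormat is a built-in rsyslog template).
    action(type="omfile" dynaFile="TemplateA" template="RSYSLOG_FileFormat")
    stop
}

# ... one block per known sender, each ending in "stop" ...

# Catch-all: anything not from the local host that was not stopped above is
# treated as rogue. The template= parameter on the action is what selects
# the WhoAmI format; a bare "?WhoAmI" line inside an if-block does not.
if $hostname != "mylocalhost" then {
    action(type="omfile" file="/var/log/rogue.log" template="WhoAmI")
    stop
}
```

Before reloading, `rsyslogd -N1 -f /path/to/this.conf` checks the configuration for syntax errors without starting the daemon.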
