imfile issue with two different files and ports

General discussions here

Moderator: rgerhards


imfile issue with two different files and ports

Postby DigiAngel » Wed Dec 07, 2016 5:21 pm

Hey all.

So I currently have a working config like so:

10-bro.conf
Code:
:msg, startswith, "#" stop
module(load="imfile" PollingInterval="1")

# File 1
input(type="imfile"
      File="/media/backup/bro/current/conn.log"
      Tag="bro_conn"
      Severity="info"
      Facility="local7")
local7.* @x.x.x.x:6514


The above works fine and sends the file contents as expected. I'm attempting to add a second configuration file, 11-snort.conf, as shown below:
Code:
module(load="imfile" PollingInterval="1")

# File 1
input(type="imfile"
      File="/opt/var/log/all.fast"
      Tag="bro_conn"
      Severity="info"
      Facility="local7")
local7.* @x.x.x.x:5514


My issue is that after restarting rsyslog, ALL data from both files goes to the listening 5514 port, which I don't want. I tried adding the second file to the first, and no luck. Any help would be awesome, thank you.
DigiAngel
New
 
Posts: 6
Joined: Wed Dec 07, 2016 5:03 pm

Re: imfile issue with two different files and ports

Postby dlang » Wed Dec 07, 2016 5:30 pm

you are using local7 for both inputs, so everything for both inputs matches both filter rules and should go both places.

include files are not stand-alone, they are essentially cut-n-pasted into the main rsyslog.conf file at the point of the include statement

then when rsyslog starts out, it basically does two passes through the config, the first pass to find all the inputs and startup-type statements, and then it creates the filter rules with everything else

so you have created the following filters that get evaluated for each log line that's read:

local7.* @x.x.x.x:6514
local7.* @x.x.x.x:5514

so of course the logs from both imfile inputs get sent to both ports, that's exactly what you told it to do. :-)
dlang
Frequent Poster
 
Posts: 1001
Joined: Mon Sep 15, 2008 7:44 am

Re: imfile issue with two different files and ports

Postby DigiAngel » Wed Dec 07, 2016 6:44 pm

Ok cool..that's a good analysis, thank you. So, barring setting different Facility levels, how do I change it so one file's contents go to one port, and the other's go to the other port?
DigiAngel
New
 
Posts: 6
Joined: Wed Dec 07, 2016 5:03 pm

Re: imfile issue with two different files and ports

Postby DigiAngel » Wed Dec 07, 2016 9:25 pm

Perhaps a different approach with conditionals? Will something like this work?

Code:
:msg, startswith, "#" stop
module(load="imfile")

input(type="imfile"
      File="/media/backup/bro/current/conn.log"
      Tag="bro_conn")

input(type="imfile"
      File="/opt/var/log/all.fast"
      Tag="snort")

if ($tag equals "snort") then {
  @x.x.x.x:5514
else
  @x.x.x.x:6514
}


Or something along those lines?
DigiAngel
New
 
Posts: 6
Joined: Wed Dec 07, 2016 5:03 pm

Re: imfile issue with two different files and ports

Postby DigiAngel » Wed Dec 07, 2016 10:12 pm

Looks like this might work:

Code:
:msg, startswith, "#" stop
module(load="imfile")

input(type="imfile"
      File="/home/dev/rsyslog/test1.log"
      Tag="bro_conn")

input(type="imfile"
      File="/home/dev/rsyslog/test2.log"
      Tag="snort")

if ($syslogtag == "snort") then {
        action(type="omfwd" Target="x.x.x.x" Port="5514" Protocol="udp")
} else if ($syslogtag == "bro_conn") then {
        action(type="omfwd" Target="x.x.x.x" Port="6514" Protocol="udp")
}


any thoughts?
DigiAngel
New
 
Posts: 6
Joined: Wed Dec 07, 2016 5:03 pm

Re: imfile issue with two different files and ports

Postby DigiAngel » Thu Dec 08, 2016 5:27 pm

Anyone? Will this work?
DigiAngel
New
 
Posts: 6
Joined: Wed Dec 07, 2016 5:03 pm

Re: imfile issue with two different files and ports

Postby dlang » Thu Dec 08, 2016 9:35 pm

yes, that approach will work
dlang
Frequent Poster
 
Posts: 1001
Joined: Mon Sep 15, 2008 7:44 am

Re: imfile issue with two different files and ports

Postby DigiAngel » Thu Dec 08, 2016 10:29 pm

Thanks...I'll give it a shot.
DigiAngel
New
 
Posts: 6
Joined: Wed Dec 07, 2016 5:03 pm
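
An alternative to comparing tags, added here as an example that is not part of the original thread: bind each imfile input to its own ruleset, so the shared local7 filters described above never see both streams. The ruleset names "bro_out" and "snort_out" are made up for illustration; the file paths, the x.x.x.x placeholder and the ports are the ones used in the thread.

```rsyslog
# Added example, not from the thread. Ruleset names are hypothetical.
module(load="imfile" PollingInterval="1")

# A message that enters through an input with ruleset="..." is processed only
# by that ruleset. Include files are still merged into one configuration, but
# the two streams no longer share a filter chain, so they cannot cross.
ruleset(name="bro_out") {
    # Drop Bro header lines, same intent as ':msg, startswith, "#" stop'
    if ($msg startswith "#") then stop
    action(type="omfwd" Target="x.x.x.x" Port="6514" Protocol="udp")
}

ruleset(name="snort_out") {
    action(type="omfwd" Target="x.x.x.x" Port="5514" Protocol="udp")
}

# Facility and Severity may stay identical: routing no longer depends on them.
input(type="imfile"
      File="/media/backup/bro/current/conn.log"
      Tag="bro_conn"
      Severity="info"
      Facility="local7"
      ruleset="bro_out")

input(type="imfile"
      File="/opt/var/log/all.fast"
      Tag="snort"
      Severity="info"
      Facility="local7"
      ruleset="snort_out")
```

Running `rsyslogd -N1` checks the merged configuration for syntax errors before the service is restarted.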
