rsyslog filter configuration help

Postby r0kk0 » Thu Jan 18, 2018 1:54 pm

Hi!
We have a centralized rsyslogd server, and we need to replace the email addresses in the firewall logs before writing them to disk. This is our current configuration:

Code:
template(name="FirewallDyna" type="string" string="/var/log/syslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%.log")

if ($msg contains "Astral_1") then {
    if re_match($msg,'([a-z0-9_\\-\\.]+@([a-z0-9_-]+\\.)+[a-z]+)') then {
        set $!ext = re_extract($msg,'([a-z0-9_\\-\\.]+@([a-z0-9_-]+\\.)+[a-z]+)',0,1,"");
        set $!msg = replace($msg, $!ext, "xxxxxxxxxxxxxxxx");
    }
    else {
        set $!msg = $msg;
    }
    action(type="omfile" DynaFile="FirewallDyna")
}
else {
    action(type="omfile" DynaFile="FirewallDyna")
}


The logs are correctly written to disk, but the regexp match and substitution do not work. Is there something wrong in the configuration?

The following is a sample from the firewall logs:

Code:
Jan 18 13:25:05 Astral_1 80DF0389D99E6 Astral_Firecluster_M300 (2018-01-18T12:25:05) http-proxy[2663]: msg_id="1AFF-0024" Allow 3-LAN 0-WAN tcp  sent_bytes="1716" rcvd_bytes="453" elapsed_time="0.099506 sec(s)" app_id="8" app_cat_id="13" app_name="Google Chrome" app_cat_name="Web services" reputation="13" src_user="replaced@forprivacy.it"  (HTTP-proxy-Social Pranzo-00)


I'm quite new to rsyslog configuration; any help is really appreciated!

Thanks in advance
r0kk0
New
 
Posts: 1
Joined: Thu Jan 18, 2018 1:45 pm
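Editor's note on the question above, with a corrected configuration as an added example (this is not r0kk0's code and not an official rsyslog snippet). The substitution in the posted config does run, but its result is stored in the message variable `$!msg`, while `omfile` renders its default template, which prints the untouched `%msg%` property. Nothing ever reads `$!msg`, so the file always contains the raw line. The fix is a template that references `%$!msg%` and an action that uses it. Two smaller points: `re_match()`/`re_extract()` use POSIX extended regular expressions, and inside a bracket expression a backslash is a literal character, so `[a-z0-9_\-\.]` does not actually include the hyphen (it contains the range `\-\` instead); placing `-` last in the class avoids that, and adding `A-Z` covers addresses logged with capitals. The example assumes the firewall's `Astral_1` lands in the hostname field, as it does in the sample line; the template name `FirewallMasked`, the file path and the mask string are placeholders.

```rsyslog
# Added example, not code from the original post.  Assumptions: "Astral_1"
# is the hostname of the firewall messages (as in the sample line); the
# template name "FirewallMasked" and the mask string are placeholders.

template(name="FirewallDyna" type="string"
         string="/var/log/syslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%.log")

# omfile's default template renders %msg%, i.e. the unmodified message.
# A value stored in $!msg is only written when a template references it,
# so the masked copy needs its own template (layout mirrors RSYSLOG_FileFormat).
template(name="FirewallMasked" type="string"
         string="%TIMESTAMP% %HOSTNAME% %syslogtag%%$!msg%\n")

if ($hostname == "Astral_1") then {
    # Start from the raw text so $!msg is always set, even when nothing matches.
    set $!msg = $msg;

    # re_extract() uses POSIX ERE.  Inside a bracket expression a backslash is
    # a literal, so "-" goes last to make it a literal hyphen rather than a
    # range.  Arguments: match 0, submatch 1 (the group), "" when no match.
    set $!ext = re_extract($msg,
        '([A-Za-z0-9._+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,})', 0, 1, "");

    if ($!ext != "") then {
        # replace() substitutes every occurrence of the extracted address.
        set $!msg = replace($msg, $!ext, "xxxxxxxxxxxxxxxx");
    }

    # Write the masked copy, not the default %msg% rendering.
    action(type="omfile" dynaFile="FirewallDyna" template="FirewallMasked")

    # Uncomment if no later rule in rsyslog.conf (for example a catch-all
    # *.* line) may write the unmasked message:
    # stop
} else {
    # Hosts other than the firewall are written unchanged, as before.
    action(type="omfile" dynaFile="FirewallDyna")
}
```

Check the syntax before restarting with `rsyslogd -N1 -f /etc/rsyslog.d/50-firewall-mask.conf` (the file name is an assumption). Two caveats a practitioner should keep in mind: `re_extract()` returns only the first address in the line, so a line carrying two different addresses keeps the second one unmasked; and any other action that handles the same message (forwarding with `omfwd`, a catch-all file rule) still sees the raw `$msg` unless it also uses a template that renders `$!msg`. If your parser does not place `Astral_1` in the hostname field, keep the original `$msg contains "Astral_1"` test; the template fix applies either way.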
