On Fri, 25 Nov 2011, Rainer Gerhards wrote:

-----Original Message-----
From: rsyslog-boun...@lists.adiscon.com [mailto:rsyslog-
boun...@lists.adiscon.com] On Behalf Of Robert Schetterer

Hi @ll,
I am new to this list and not very familiar with rsyslog, so sorry if my question was
asked/answered before.

My goal is filtering Spamhaus RBL IPs from the Postfix mail log. I have
already done (on SUSE):

mail.info -/var/log/mail.info;RSYSLOG_TraditionalFileFormat
if $msg contains 'blocked using zen.spamhaus.org' then /var/log/spamhaus.log;RSYSLOG_TraditionalFileFormat

this works fine, but as I have a lot of spambots,
fail2ban is too slow with this already filtered log

so I want to have a second or combined rsyslog rule which results
only in the IP

a relevant log entry example looks like this

postfix/postscreen[32120]: NOQUEUE: reject: RCPT from
[190.24.212.146]:57855: 550 5.7.1 Service unavailable; client
[190.24.212.146] blocked using zen.spamhaus.org;
from=<some...@somewhere.de>, to=<some...@somwhere.de>, proto=ESMTP,
helo=<MCRISTALCRE>

the plan would be: set the IP output to e.g. a fifo pipe
and read the output via some daemon script/program to create an
iptables IP reject rule with timestamp via an ipset map, which expires
automatically after 24 h; this should be as fast as possible

so, anybody with an example for filtering this?

by the way,
someone speculated rsyslog may be able to do the whole job,
filtering the IP and doing the ipset action in one step; is this true?
I am not that far in the docs yet

I have to admit that I do not fully understand your question. But it has been
a long and busy day today ;) Could you try to describe in two or three
sentences what you actually want to achieve?

I think that what he is wanting to do is to create a custom output format that just contains the IP address (which would be something along the lines of a regex to match "\[([0-9.]+)\]") and log the output to a fifo for another script to handle.

that script would have to modify the iptables rule and schedule for the rule to be removed 24 hours later (I don't believe that iptables supports an expiration time directly). SEC (simple event correlator) is exactly the right type of tool for this type of work, just think through what will happen if the system gets rebooted before the 24 hours is up.

He then asks if rsyslog can do everything. rsyslog could execute a command and pass it the IP address, but it doesn't have the ability to schedule things for the future, so it's not the right tool for this job.

David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
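The fifo-reading script David describes, written out as an added example; it is not part of the original thread and not rsyslog, Postfix or fail2ban code. It assumes (hypothetically) that the existing rsyslog rule is pointed at a named pipe instead of a file, `if $msg contains 'blocked using zen.spamhaus.org' then |/var/run/spamhaus.fifo`, and that an ipset named `spamhaus` was created once with `ipset create spamhaus hash:ip timeout 86400`. The script does the regex extraction itself, validates that the captured text really is an IPv4 address before it becomes an `ipset` argument, deduplicates repeat bots, and relies on ipset's per-entry `timeout` so the kernel drops each address after 24 h without any external scheduler. The log lines are constructed sample input; the first one is the entry quoted in the thread.

```python
#!/usr/bin/env python3
"""Turn Postfix/postscreen 'blocked using zen.spamhaus.org' log lines into
ipset entries that expire by themselves after 24 h.

Added example for the rsyslog thread above, not rsyslog or Postfix code.
Assumed (hypothetical) setup: rsyslog writes matching lines to a fifo,
    if $msg contains 'blocked using zen.spamhaus.org' then |/var/run/spamhaus.fifo
and the set exists:  ipset create spamhaus hash:ip timeout 86400
"""
import ipaddress
import re
import subprocess
import sys

MARKER = "blocked using zen.spamhaus.org"
# postscreen names the client twice; take the occurrence directly followed
# by the Spamhaus marker so nothing else on the line can be mistaken for it.
CLIENT_RE = re.compile(r"client \[([0-9.]+)\] " + re.escape(MARKER))
SET_NAME = "spamhaus"   # hypothetical ipset name
TIMEOUT = 24 * 60 * 60  # 24 h, as asked for in the thread

# Constructed sample input; the first line is the one quoted in the thread.
SAMPLE_LINES = [
    "Nov 25 10:01:02 mx postfix/postscreen[32120]: NOQUEUE: reject: RCPT from "
    "[190.24.212.146]:57855: 550 5.7.1 Service unavailable; client [190.24.212.146] "
    "blocked using zen.spamhaus.org; from=<some...@somewhere.de>, to=<some...@somwhere.de>, proto=ESMTP, helo=<MCRISTALCRE>",
    # same bot again: must not produce a second command
    "Nov 25 10:01:09 mx postfix/postscreen[32120]: NOQUEUE: reject: RCPT from "
    "[190.24.212.146]:57901: 550 5.7.1 Service unavailable; client [190.24.212.146] "
    "blocked using zen.spamhaus.org; from=<a@b.example>, to=<c@d.example>, proto=ESMTP, helo=<MCRISTALCRE>",
    # rejected by a different list: not our business
    "Nov 25 10:02:00 mx postfix/postscreen[32120]: NOQUEUE: reject: RCPT from "
    "[203.0.113.9]:4455: 550 5.7.1 Service unavailable; client [203.0.113.9] "
    "blocked using bl.example.net; from=<a@b.example>, to=<c@d.example>, proto=ESMTP, helo=<foo>",
    # second Spamhaus hit
    "Nov 25 10:02:31 mx postfix/postscreen[32120]: NOQUEUE: reject: RCPT from "
    "[203.0.113.77]:1025: 550 5.7.1 Service unavailable; client [203.0.113.77] "
    "blocked using zen.spamhaus.org; from=<a@b.example>, to=<c@d.example>, proto=ESMTP, helo=<bar>",
    # matches the regex but is not an IPv4 address: must be dropped
    "Nov 25 10:03:00 mx postfix/postscreen[32120]: NOQUEUE: reject: RCPT from "
    "[300.1.2.3]:1025: 550 5.7.1 Service unavailable; client [300.1.2.3] "
    "blocked using zen.spamhaus.org; from=<a@b.example>, to=<c@d.example>, proto=ESMTP, helo=<baz>",
]


def extract_ip(line):
    """Return the blocked client's IPv4 address, or None when the line is not a
    Spamhaus reject or the captured text is not a valid address (this check is
    what keeps arbitrary log content from ever reaching ipset)."""
    if MARKER not in line:
        return None
    m = CLIENT_RE.search(line)
    if m is None:
        return None
    try:
        return str(ipaddress.IPv4Address(m.group(1)))
    except ipaddress.AddressValueError:
        return None


def ipset_commands(lines, seen=None):
    """Build one 'ipset add' argv per previously unseen IP. -exist makes a
    repeated add harmless, so 'seen' only saves process spawns for repeat bots."""
    seen = set() if seen is None else seen
    cmds = []
    for line in lines:
        ip = extract_ip(line)
        if ip is None or ip in seen:
            continue
        seen.add(ip)
        cmds.append(["ipset", "-exist", "add", SET_NAME, ip,
                     "timeout", str(TIMEOUT)])
    return cmds


def process(lines, dry_run=True):
    """Run (or, in dry-run mode, print) the ipset commands for 'lines'."""
    cmds = ipset_commands(lines)
    for cmd in cmds:
        if dry_run:
            print(" ".join(cmd))
        else:
            subprocess.run(cmd, check=True)
    return cmds


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Daemon mode: argv[1] is the fifo rsyslog writes to. open() blocks until
        # rsyslog opens its end; reopen after EOF so an rsyslog restart does not
        # end the loop.
        while True:
            with open(sys.argv[1]) as fifo:
                process(fifo, dry_run=False)
    else:
        process(SAMPLE_LINES)
```

Run without arguments to see the commands the constructed sample produces (two entries, since the repeat, the other RBL's reject and the malformed address are all skipped); run as `spamhaus_ipset.py /var/run/spamhaus.fifo` under a process supervisor to feed a real set. On the reboot question raised above: a hash:ip set lives in kernel memory, so a reboot simply starts with an empty set, and entries added during the run expire on their own.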