Ok here’s a sanitized blurb from the debug file grepped to the events I’m 
trying to limit.

2165.510789426:main Q:Reg/w0  : ruleset.c: Filter: check for property 'msg' 
(value '[2070020.637509] VCSA Syslog-IN IN=ens192 OUT= 
MAC=00:50:56:a0:03:90:00:0c:29:cb:fc:14:08:00 SRC=1.2.3.4160.115 
DST=1.2.3.4160.30 LEN=361 TOS=0x00 PREC=0x00 TTL=64 ID=29068 DF PROTO=UDP 
SPT=52225 DPT=9999 LEN=341 ') contains 'filter_': FALSE
2165.510961295:main Q:Reg/w0  : rainerscript.c: rainerscript: (string) var 1: 
'[2070020.637509] VCSA Syslog-IN IN=ens192 OUT= 
MAC=00:50:56:a0:03:90:00:0c:29:cb:fc:14:08:00 SRC=1.2.3.4160.115 
DST=1.2.3.4160.30 LEN=361 TOS=0x00 PREC=0x00 TTL=64 ID=29068 DF PROTO=UDP 
SPT=52225 DPT=9999 LEN=341 '
2165.512976011:main Q:Reg/w0  : omfile.c: omfile: write to stream, pData->pStrm 
0x7f9e88001890, lenBuf 254, strt data Sep 26 14:56:05 rsyslog-server kernel: 
[2070020.637509] VCSA Syslog-IN IN=ens192 OUT= 
MAC=00:50:56:a0:03:90:00:0c:29:cb:fc:14:08
2165.513114940:main Q:Reg/w0  : omfile.c: omfile: write to stream, pData->pStrm 
0x7f9e88004040, lenBuf 254, strt data Sep 26 14:56:05 rsyslog-server kernel: 
[2070020.637509] VCSA Syslog-IN IN=ens192 OUT= 
MAC=00:50:56:a0:03:90:00:0c:29:cb:fc:14:08
2165.545162782:vcsa9999:Reg/w0: rainerscript.c:   2165.545175184:main Q:Reg/w0  
: ruleset.c: processBATCH: next msg 0: [2070020.676314] VCSA Syslog-IN 
IN=ens192 OUT= MAC=00:50:56:a0:03:90:00:0c:29:cb:fc:14:08:00 SRC=1.2.3.4160.115 
DST=1.2.3.4160.3


So it’s def hitting the main queue, and it’s matching correctly. Could not find 
any mention of imuxsock, or the word socket along with firewalld.  Oh wait a 
minute, FWD natively logs to syslog so maybe I can still use an input for 
imuxsock but then possibly filter my programname or msg to impose the limits?
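As an added illustration of the plan above (this is example configuration written for this reply, not anything posted in the thread or shipped by the rsyslog project), here is what the input-side limit plus the existing ` Syslog-In ` filter look like in RainerScript form. The interval/burst values and the debug output file name are placeholders; `/etc/rsyslog.d/*.conf` being pulled in by the stock `rsyslog.conf` is an assumption that holds on most distributions but should be checked.

```rsyslog
# Added example, not from the thread. Input-side rate limiting on the local
# syslog socket plus the firewall routing filter, for /etc/rsyslog.d/50-firewalld.conf.

# Rate limit the system log socket. imuxsock applies this per sending process,
# so it caps every message from that process, not only the firewall lines.
# Numbers below are placeholders; tune them to the real message rate.
module(load="imuxsock"
       SysSock.RateLimit.Interval="10"
       SysSock.RateLimit.Burst="200")

# Equivalent of the legacy lines
#   :msg,contains," Syslog-In " /var/log/firewalld
#   & stop
# Note that 'contains' is case-sensitive. The debug output shows the message
# carrying "Syslog-IN"; use contains_i if the case should not matter.
if $msg contains_i " syslog-in " then {
    action(type="omfile" file="/var/log/firewalld")

    # David's suggestion for checking the parsed properties (programname, msg,
    # hostname, ...) with the built-in debug template. Remove once verified.
    action(type="omfile" file="/var/log/firewalld-debug"
           template="RSYSLOG_DebugFormat")

    stop
}
```

Two things to check before relying on this. First, the debug output shows the sender as `kernel:`; kernel messages may reach rsyslog through imklog, through journald (imjournal, which has its own `ratelimit.interval` and `ratelimit.burst` module parameters), or through imuxsock only if journald forwards to the syslog socket, so the input that needs the limit depends on that path, and `RSYSLOG_DebugFormat` output will show which one delivered the line. Second, an input-side limit discards messages outright: for a firewall log that feeds detection, a dropped burst is a blind spot, and rsyslog's own notice that it has begun dropping messages is worth alerting on. The summary-message approach David describes (external correlation feeding one line back in) keeps the signal without the gap.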


From: Ben Hart <ben.h...@jamf.com>
Date: Monday, September 26, 2022 at 3:51 PM
To: David Lang <da...@lang.hm>
Cc: David Lang <da...@lang.hm>, Ben Hart via rsyslog <rsyslog@lists.adiscon.com>
Subject: Re: [rsyslog] Action params with exec.OnlyEveryNthTime
Understood, so I’ve never actually changed the default template, is there a way 
to engage that from within a .conf or does it need to be in rsyslog.conf?  This 
server is currently handling logs from about 15 sources and SplunkUF is handing 
them off to Splunk Cloud so, unless I have to I don’t wanna mess with those.

From: David Lang <da...@lang.hm>
Date: Monday, September 26, 2022 at 3:47 PM
To: Ben Hart <ben.h...@jamf.com>
Cc: David Lang <da...@lang.hm>, Ben Hart via rsyslog <rsyslog@lists.adiscon.com>
Subject: Re: [rsyslog] Action params with exec.OnlyEveryNthTime
log the message with the template RSYSLOG_DebugFormat and it will show you most
of the parsed properties from the message.

(I think you are correct, but it's best to be sure)

David Lang

On Mon, 26 Sep 2022, Ben Hart wrote:

> (Apologies, somehow I sent this before it was complete.)
>
> David, So yeah you are right.. I didn't dig into omfile and assumed from the 
> Actions page those were available to most. So I have a .conf with 13 rulesets 
> with matching inputs and I've found that you can ratelimit on the input side 
> however this source is local (firewalld).
> If I am loading modules imudp, imtcp and imuxsock and since I do have a .conf 
> to send all of the logs from that source to a specific file:
>
> :msg,contains," Syslog-In " /var/log/firewalld
> & stop
>
> Am I correct in thinking that an input type for this would be imuxsock?  And 
> if so, could I setup a ruleset with matching inputs to then attempt to rate 
> limit it?
>
> Ben
>
>
> From: David Lang <da...@lang.hm>
> Date: Monday, September 26, 2022 at 2:52 PM
> To: Ben Hart via rsyslog <rsyslog@lists.adiscon.com>
> Cc: Ben Hart <ben.h...@jamf.com>
> Subject: Re: [rsyslog] Action params with exec.OnlyEveryNthTime
> I think it's a valid parameter to ommail, but I would be surprised to see it
> under omfile (and if it is, check what version you are running vs the version
> you are seeing it documented)
>
> rsyslog is not an event correlation engine, it has some minimal things, but 
> they really aren't very good.
>
> What I do in a situation like yours is to filter the messages and send them to
> an external event correlation engine (I tend to use Simple Event Correlator) 
> and then have it generate alert or summary messages, feeding them back in to 
> rsyslog (watch out that you don't generate a loop in this process)
>
> David Lang
>
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.