You can have a global ruleset that does the filtering and then dispatches
the logs to different rulesets.
There's a very powerful feature to help you here: "call_indirect"
(https://www.rsyslog.com/doc/master/rainerscript/rainerscript_call_indirect.html)
Here's an example that calls a specific ruleset based on the syslogtag,
which I'm sure you can adapt to be based on the port instead:
# ruleset 1
ruleset(name="my_tag1") {
    action(
        type="omfile"
        file="/var/log/my_tag1.log"
    )
}
# ruleset 2
ruleset(name="my_tag2") {
    action(
        type="omfile"
        file="/var/log/my_tag2.log"
    )
}
# global ruleset
ruleset(name="dispatcher") {
    # IP filter (RainerScript needs an explicit comparison operator here)
    if $fromhost-ip == '1.2.3.4' then stop
    # if the IP passed the filter, then use a ruleset based on the syslogtag.
    # $syslogtag must equal a ruleset name exactly: for "my_tag1: text" the
    # tag is "my_tag1:", whereas $programname would be "my_tag1"
    if (
        $syslogtag == 'my_tag1'
        or $syslogtag == 'my_tag2'
    ) then {
        call_indirect $syslogtag;
        stop
    }
}
# tell imtcp to use the global ruleset
input(type="imtcp" port="514" ruleset="dispatcher")
On 2022-12-08 16:15, Steven D via rsyslog wrote:
Rsyslog gurus
I have a config that accepts connections from remote hosts and steers logs
to files based on port. Pretty straightforward... what I'm looking to do
is "globally" prevent certain IP addresses from ending up in the logs.
(Internal vulnerability scanners I have no control over.)
I've tried a few different ways but am not coming across anything that works
globally. Adding something like "if $fromhost-ip '1.2.3.4' then stop"
works just fine on an individual ruleset.
Is there a way I can do this without having to enter duplicate lines in
every ruleset (I have like 30 rulesets)?
Thanks,
Steven
Config snippet below: "#logname01/02#" is replaced by the relevant product
in the configuration.
module(load="imudp")
# AddtlFrameDelimiter is the decimal code of an extra TCP frame delimiter
module(load="imtcp" MaxListeners="100" AddtlFrameDelimiter="000"
       KeepAlive="on" KeepAlive.Probes="1" KeepAlive.Time="10")

# port 24514 -> #logname01#: both listeners are bound to the same ruleset
input(type="imudp" port="24514" ruleset="#logname01#_rule")
input(type="imtcp" port="24514" ruleset="#logname01#_rule")
# one file per sending host, under the product/port directory
template(name="#logname01#_logs" type="string"
         string="/data/logs/#logname01#/24514/%fromhost-ip%/syslog.log")
# FileCreateMode 0744 makes the log files world-readable (and executable);
# 0640 is the usual choice for log data
ruleset(name="#logname01#_rule") {
    action(name="#logname01#_rule"
           type="omfile"
           FileCreateMode="0744"
           DirCreateMode="0755"
           FileOwner="SIEM"
           FileGroup="SIEM"
           DirOwner="SIEM"
           DirGroup="SIEM"
           DynaFile="#logname01#_logs"
           DynaFileCacheSize="50")
}

# port 25514 -> #logname02#: same layout as above
input(type="imudp" port="25514" ruleset="#logname02#_rule")
input(type="imtcp" port="25514" ruleset="#logname02#_rule")
template(name="#logname02#_logs" type="string"
         string="/data/logs/#logname02#/25514/%fromhost-ip%/syslog.log")
ruleset(name="#logname02#_rule") {
    action(name="#logname02#_rule"
           type="omfile"
           FileCreateMode="0744"
           DirCreateMode="0755"
           FileOwner="SIEM"
           FileGroup="SIEM"
           DirOwner="SIEM"
           DirGroup="SIEM"
           DynaFile="#logname02#_logs"
           DynaFileCacheSize="50")
}
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.
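Applying the answer's dispatcher pattern to the port-based layout of the original question, as an added example that is not part of the thread: every listener is bound to one dispatcher ruleset, the scanner addresses are dropped in a single place, and routing uses $inputname (set by each input's name parameter, chosen here to equal the target ruleset name) rather than the port number, which is not available as a standard message property. The ruleset names, paths and the two addresses are placeholders; the array-literal comparison and call_indirect assume a current rsyslog 8.

```rsyslog
# Added example, not from the thread. Assumes rsyslog 8 with call_indirect;
# names, paths and addresses are placeholders.
module(load="imudp")
module(load="imtcp" MaxListeners="100" KeepAlive="on")

# All listeners feed the same dispatcher. "name" sets $inputname and is
# deliberately chosen to equal the per-port ruleset name, so the dispatcher
# can route with call_indirect instead of a 30-branch if/else chain.
input(type="imudp" port="24514" name="logname01_rule" ruleset="dispatcher")
input(type="imtcp" port="24514" name="logname01_rule" ruleset="dispatcher")
input(type="imudp" port="25514" name="logname02_rule" ruleset="dispatcher")
input(type="imtcp" port="25514" name="logname02_rule" ruleset="dispatcher")

template(name="logname01_logs" type="string"
         string="/data/logs/logname01/24514/%fromhost-ip%/syslog.log")
template(name="logname02_logs" type="string"
         string="/data/logs/logname02/25514/%fromhost-ip%/syslog.log")

# Per-port rulesets: unchanged apart from 0640/0750 modes so the files are
# readable only by the SIEM owner and group.
ruleset(name="logname01_rule") {
    action(type="omfile" DynaFile="logname01_logs" DynaFileCacheSize="50"
           FileCreateMode="0640" DirCreateMode="0750"
           FileOwner="SIEM" FileGroup="SIEM" DirOwner="SIEM" DirGroup="SIEM")
}
ruleset(name="logname02_rule") {
    action(type="omfile" DynaFile="logname02_logs" DynaFileCacheSize="50"
           FileCreateMode="0640" DirCreateMode="0750"
           FileOwner="SIEM" FileGroup="SIEM" DirOwner="SIEM" DirGroup="SIEM")
}

ruleset(name="dispatcher") {
    # The one global drop list (placeholder scanner addresses). Messages
    # from these sources never reach any per-port ruleset. The array
    # literal keeps this to a single line however many scanners there are.
    if $fromhost-ip == ["1.2.3.4", "5.6.7.8"] then stop

    # Route by the listener that received the message. Only names that
    # exist as rulesets are passed to call_indirect; an unknown name would
    # make rsyslog log an error for every message, so anything else is
    # parked in a catch-all file instead of being silently lost.
    if $inputname == ["logname01_rule", "logname02_rule"] then {
        call_indirect $inputname;
    } else {
        action(type="omfile" file="/data/logs/unrouted.log")
    }
    stop
}
```

Check the file before reloading with `rsyslogd -N1 -f /path/to/this.conf`, which parses the configuration without starting the daemon. Two caveats for the drop list: a `stop` discards the message with no trace, so if you ever need evidence that a scan happened, write those sources to a short-retention file instead of dropping them; and for the UDP listeners $fromhost-ip is whatever the packet claims, so anyone who can reach port 24514/25514 can spoof a scanner's address and have their own messages suppressed. TCP sources at least have to complete a handshake from the address they claim.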