I know that it has already been answered but let me add my three cents ;-)
Firstly, adding a condition on $fromhost-ip suggests that you want to
limit based on the source IP, not on the event's content. Which raises
the question - why not simply _not_ send from that host? Or at least
filter it out on the local firewall (most probably iptables).
Secondly, expanding on nope's response - you can have multiple rulesets
chained together so that you have some common "subroutine" and then
branch to specific ruleset depending on how you want to process given
source or data type. You can use lookups or conditions to dynamically
decide which ruleset you want to route your event to. The
possibilities are endless :-) (and you can end up creating a ruleset
loop and crashing your rsyslogd XD)
Something like:
ruleset(name="ruleset1") {
    set $.destination_ruleset="dest1";
    call intermediate_ruleset
}
ruleset(name="ruleset2") {
    set $.destination_ruleset="dest2";
    call intermediate_ruleset
}
ruleset(name="intermediate_ruleset") {
    set $.this=$that;
    // and other stuff
    call_indirect $.destination_ruleset;
}
ruleset(name="dest1") {
    ...
}
ruleset(name="dest2") {
    ...
}
MK
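To make the chained-ruleset idea concrete for the original question, here is an added example config (not from either poster, and not rsyslog project code) in which every listener hands its events to one shared filter ruleset before the per-port ruleset runs, so the scanner address list lives in exactly one place. The product names, ruleset and template names, file paths and the 192.0.2.x addresses are all assumed placeholders; the blocked addresses are routed to a separate low-volume file rather than silently discarded, which is the variant a responder usually prefers, but replacing `call scanner_noise` with nothing and keeping `stop` gives the pure "drop" behaviour the question asked for.

```rsyslog
# Added example: one shared ingress filter in front of per-port rulesets.
# All names, paths and addresses below are placeholders (assumptions).

module(load="imudp")
module(load="imtcp")

# --- templates must be defined before the actions that use them -------------
template(name="product01_logs" type="string"
         string="/data/logs/product01/24514/%fromhost-ip%/syslog.log")
template(name="product02_logs" type="string"
         string="/data/logs/product02/25514/%fromhost-ip%/syslog.log")
template(name="scanner_noise_file" type="string"
         string="/data/logs/scanner-noise/%fromhost-ip%.log")

# --- leaf rulesets: the per-product destinations (unchanged logic) ----------
ruleset(name="product01_rule") {
    action(name="product01_file" type="omfile"
           DynaFile="product01_logs" DynaFileCacheSize="50"
           FileCreateMode="0640" DirCreateMode="0750")
}
ruleset(name="product02_rule") {
    action(name="product02_file" type="omfile"
           DynaFile="product02_logs" DynaFileCacheSize="50"
           FileCreateMode="0640" DirCreateMode="0750")
}

# --- where blocked-source events go instead of the product logs -------------
# Keeping a small record that a scan happened is cheap and useful later;
# delete this ruleset and the "call scanner_noise" line to drop instead.
ruleset(name="scanner_noise") {
    action(name="scanner_noise_file" type="omfile"
           DynaFile="scanner_noise_file"
           FileCreateMode="0640" DirCreateMode="0750")
}

# --- the single global filter -----------------------------------------------
# $fromhost-ip is the peer address rsyslog actually received the message
# from: if the scanners reach this box through a relay, this is the relay's
# address and the check must happen on the relay instead.
ruleset(name="common_filter") {
    if ($fromhost-ip == "192.0.2.10" or $fromhost-ip == "192.0.2.11") then {
        call scanner_noise
        stop
    }
    # Everything else continues to the destination chosen by the input.
    call_indirect $.destination_ruleset;
}

# --- one tiny entry ruleset per listener: set the target, run the filter ----
ruleset(name="ingress_product01") {
    set $.destination_ruleset = "product01_rule";
    call common_filter
}
ruleset(name="ingress_product02") {
    set $.destination_ruleset = "product02_rule";
    call common_filter
}

# --- listeners bind to the entry rulesets, not to the product rulesets ------
input(type="imudp" port="24514" ruleset="ingress_product01")
input(type="imtcp" port="24514" ruleset="ingress_product01")
input(type="imudp" port="25514" ruleset="ingress_product02")
input(type="imtcp" port="25514" ruleset="ingress_product02")
```

Adding a thirty-first product means one template, one leaf ruleset, one three-line entry ruleset and its inputs; the address list in `common_filter` is never touched. Two things to check after deploying: `rsyslogd -N1` for a syntax pass, and that the scanner-noise file stays small, since the `stop` after the diversion also suppresses anything else those hosts send, not just scan traffic.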
On 8.12.2022 16:15, Steven D via rsyslog wrote:
Rsyslog gurus
I have a config that accepts connections from remote hosts and steers logs to files based
on port. Pretty straightforward... what I'm looking to do is "globally" prevent
certain IP addresses from ending up in the logs. (Internal vulnerability scanners I have
no control over).
I've tried a few different ways but not coming across anything that works globally.
Adding something like "if $fromhost-ip == '1.2.3.4' then stop" works just fine on
an individual ruleset.
Is there a way I can do this without having to enter duplicate lines in every
ruleset (I have like 30 rulesets)?
Thanks,
Steven
Config snippet below: "#logname01/02#" is replaced by the relevant product in
the configuration.
module(load="imudp")
module(load="imtcp" MaxListeners="100" AddtlFrameDelimiter="000" KeepAlive="on"
       KeepAlive.Probes="1" KeepAlive.Time="10")
input(type="imudp" port="24514" ruleset="#logname01#_rule")
input(type="imtcp" port="24514" ruleset="#logname01#_rule")
template(name="#logname01#_logs" type="string"
         string="/data/logs/#logname01#/24514/%fromhost-ip%/syslog.log")
ruleset(name="#logname01#_rule") {
    action(name="#logname01#_rule"
           type="omfile"
           FileCreateMode="0744"
           DirCreateMode="0755"
           FileOwner="SIEM"
           FileGroup="SIEM"
           DirOwner="SIEM"
           DirGroup="SIEM"
           DynaFile="#logname01#_logs"
           DynaFileCacheSize="50")
}
input(type="imudp" port="25514" ruleset="#logname02#_rule")
input(type="imtcp" port="25514" ruleset="#logname02#_rule")
template(name="#logname02#_logs" type="string"
         string="/data/logs/#logname02#/25514/%fromhost-ip%/syslog.log")
ruleset(name="#logname02#_rule") {
    action(name="#logname02#_rule"
           type="omfile"
           FileCreateMode="0744"
           DirCreateMode="0755"
           FileOwner="SIEM"
           FileGroup="SIEM"
           DirOwner="SIEM"
           DirGroup="SIEM"
           DynaFile="#logname02#_logs"
           DynaFileCacheSize="50")
}
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.