Nope - So this looks straightforward to me, but correct some ignorance on
my end. The way you've defined the "syslogtag" rulesets, it makes me
assume that the syslog config is processed in a top-down manner, otherwise
logically it doesn't work.

Is that true?

The way we have our syslog config set up is to group all the related
template/ruleset/input stanzas together... Just from an ease of
modification PoV it makes it easier.

The rulesets and templates can be defined in any order.
Each ruleset and template can be in a separate file and loaded in any order. E.g.:

# /etc/rsyslog.d/00_input.conf
input(type="imtcp" port="514" ruleset="dispatcher")

# /etc/rsyslog.d/00_dispatcher.conf
ruleset(name="dispatcher"){
   # use a ruleset based on the syslogtag
   if ( $syslogtag == 'my_tag1' or $syslogtag == 'my_tag2' ) then {
     call_indirect $syslogtag;
     stop
   }
}

# /etc/rsyslog.d/10_my_tag1.conf
ruleset(name="my_tag1") {
   action( type="omfile" file="/var/log/my_tag1.log" )
}

# /etc/rsyslog.d/20_my_tag2.conf
ruleset(name="my_tag2") {
   action( type="omfile" file="/var/log/my_tag2.log")
}
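To tie the dispatcher pattern above back to the thread's subject (a "global" $fromhost-ip blocklist), here is an added example that is not from any post in the thread: the source-address check runs once in the common ruleset, before any per-tag routing, so it applies to every input bound to it. The addresses (from the 192.0.2.0/24 documentation range), file paths and the use of $programname instead of $syslogtag are my assumptions.

```rsyslog
# /etc/rsyslog.d/00_input.conf  (added example, not from the thread)
# Every input is bound to the same ruleset, so the blocklist check
# is evaluated for each message regardless of transport.
module(load="imudp")
module(load="imtcp")
input(type="imudp" port="514" ruleset="dispatcher")
input(type="imtcp" port="514" ruleset="dispatcher")

# /etc/rsyslog.d/00_dispatcher.conf
ruleset(name="dispatcher") {
   # Global blocklist. The addresses are constructed placeholders
   # standing in for the scanners; an array comparison matches when
   # $fromhost-ip equals any element, and "stop" discards the event
   # before any action or per-tag ruleset sees it.
   if $fromhost-ip == ["192.0.2.10", "192.0.2.11", "192.0.2.12"] then {
      stop
   }

   # Survivors are routed by tag as in the reply above. $programname is
   # the tag without PID and trailing colon, so "my_tag1[123]:" and
   # "my_tag1:" both select the "my_tag1" ruleset via call_indirect.
   if $programname == ["my_tag1", "my_tag2"] then {
      call_indirect $programname;
      stop
   }
   call default_route
}

# /etc/rsyslog.d/10_my_tag1.conf
ruleset(name="my_tag1") {
   action(type="omfile" file="/var/log/my_tag1.log")
}

# /etc/rsyslog.d/20_my_tag2.conf
ruleset(name="my_tag2") {
   action(type="omfile" file="/var/log/my_tag2.log")
}

# /etc/rsyslog.d/99_default.conf
ruleset(name="default_route") {
   action(type="omfile" file="/var/log/other.log")
}
```

Because the files are loaded alphabetically but rulesets may be referenced before they are defined, the blocklist in 00_dispatcher.conf still covers tags whose rulesets live in later files.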

On 2022-12-09 13:15, Steven D via rsyslog wrote:
Thanks for all the input. OK, so some answers inline:

Nope - So this looks straightforward to me, but correct some ignorance on
my end. The way you've defined the "syslogtag" rulesets, it makes me
assume that the syslog config is processed in a top-down manner, otherwise
logically it doesn't work.

Is that true?

The way we have our syslog config set up is to group all the related
template/ruleset/input stanzas together... Just from an ease of
modification PoV it makes it easier.

Kruk Mariusz - I don't have control over the sending hosts, they are
vulnerability scanners that indiscriminately scan the environment. I can't just iptables-drop those same devices from touching the syslog servers as
that will cause other operational issues.
________________________________
From: rsyslog <rsyslog-boun...@lists.adiscon.com> on behalf of Mariusz
Kruk via rsyslog <rsyslog@lists.adiscon.com>
Sent: Friday, December 9, 2022 5:30 AM
To: rsyslog@lists.adiscon.com <rsyslog@lists.adiscon.com>
Cc: Mariusz Kruk <k...@epsilon.eu.org>
Subject: Re: [rsyslog] "Global" fromhost-ip blocklist?

I know that it has already been answered but let me add my three cents ;-)

Firstly, adding a condition on $fromhost-ip suggests that you want to
limit based on the source IP, not on the event's content. Which raises
the question - why not simply _not_ send from that host? Or at least
filter it out on the local firewall (most probably iptables).

Secondly, expanding on nope's response - you can have multiple rulesets
chained together so that you have some common "subroutine" and then
branch to a specific ruleset depending on how you want to process a given
source or data type. You can use lookups or conditions to dynamically
decide which ruleset you want to route your event to. The
possibilities are endless :-) (and you can end up creating a ruleset
loop and crashing your rsyslogd XD)

Something like:

ruleset(name="ruleset1") {
     set $.destination_ruleset="dest1";
     call intermediate_ruleset
}

ruleset(name="ruleset2") {
     set $.destination_ruleset="dest2";
     call intermediate_ruleset
}

ruleset(name="intermediate_ruleset") {
     set $.this=$that;
     # ... and other common processing shared by both entry rulesets
     call_indirect $.destination_ruleset;
}

ruleset(name="dest1") {
   ...
}

ruleset(name="dest2") {
   ...
}

MK


_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog