I guess the message is malformed and the string you look for is inside
another field.

I would suggest that you use "$rawmsg" instead of "$msg". If that
works, a) we are on the right track and b) you actually solved the
issue, albeit probably not in the best possible way.

HTH
Rainer

On Fri, 24 May 2024 at 12:28, Thomas Raef via rsyslog
(<rsyslog@lists.adiscon.com>) wrote:
>
> I have rules setup but I want to ignore all entries like this:
>
>  "message": type=PATH msg=audit(1715687344.694:1226486): item=3
> name=\"/var/www/[redacted].com/htdocs/wp-content/temp-write-test-12345467\"
> inode=1661307 dev=08:01 mode=0100644 ouid=1005 ogid=2006 rdev=00:00
> nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
> OUID=\"[redacted]\" OGID=\"[redacted]\"
>
> I want to ignore all entries that have temp-write-test- in the message.
>
> I've tried:
>
> :msg, contains, "temp-write-test-" stop
>
>
>
> But I continually get messages with that string in them. I've tried it with
> that as the first rule.
>
>
> And I've tried this as well:
>
>
> ruleset(name="drop") {
>     if ($msg contains "temp-write-test-") or ($msg contains "-mc.log") or ($msg contains "/bb-plugin/cache") then {
>         stop
>     }
> }
>
> input(type="imfile"
>       File="/var/log/audit/audit.log"
>       Tag="audit_logs"
>       ruleset="drop"
>       reopenOnTruncate="on"
> )
>
>
> Nothing works.
>
>
> Can anyone shed some light? Please?
>
>
> Thomas J. Raef
> Founder, WeWatchYourWebsite.com
> http://wewatchyourwebsite.com
> tr...@wewatchyourwebsite.com
> LinkedIn <https://www.linkedin.com/in/thomas-raef-74b93a14/>
> Facebook <https://www.facebook.com/WeWatchYourWebsite>
> _______________________________________________
> rsyslog mailing list
> https://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T 
> LIKE THAT.
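The configuration below is an added example (not code from the thread or from the rsyslog project) that applies Rainer's suggestion to the quoted ruleset: the three substring checks run against `$rawmsg`, the line exactly as imfile read it, instead of `$msg`. An audit record such as `type=PATH msg=audit(...): item=3 ...` is not a syslog-formatted line, so whatever the parser decides is hostname, tag and message is a guess; matching on the raw line sidesteps that. The `omfile` action and its output path are assumptions added here: the quoted ruleset has no action at all, so every message that is not dropped is discarded silently, which makes it hard to tell whether the filter is doing anything. Note also that because the input is bound to ruleset `drop`, a `:msg, contains, ... stop` line in the default ruleset never sees these messages.

```rsyslog
# Added example, not from the thread. Filter audit.log lines on the raw text.
ruleset(name="drop") {
    # $rawmsg is the unparsed line, so the match does not depend on how the
    # syslog parser split a non-syslog audit record into host/tag/msg fields.
    # 'contains' is case-sensitive; use 'contains_i' for a case-insensitive match.
    if ($rawmsg contains "temp-write-test-")
       or ($rawmsg contains "-mc.log")
       or ($rawmsg contains "/bb-plugin/cache") then {
        stop
    }

    # Everything that survives the filter needs a destination; without an
    # action the ruleset just drops it. Output path is an assumed placeholder.
    action(type="omfile" file="/var/log/audit-filtered.log")
}

input(type="imfile"
      File="/var/log/audit/audit.log"
      Tag="audit_logs"
      ruleset="drop"
      reopenOnTruncate="on")
```

Before reloading, `rsyslogd -N1 -f <config>` checks the file for syntax errors without starting the daemon. If `$rawmsg` matches where `$msg` did not, the parsed message really was split differently than expected; the cleaner long-term fix is to inspect what ends up in `$hostname`, `$syslogtag` and `$msg` for these lines (for example with a debug template) and match on the field that actually carries the path.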