Please show your complete config. I guess the ruleset is not bound to anything. Otherwise, $rawmsg MUST fit. As such, I think the ruleset is never activated for these messages.

Rainer

On Fri, 24 May 2024 at 13:43, Thomas Raef (<tr...@wewatchyourwebsite.com>) wrote:
>
> I changed it to:
>
> ruleset(name="drop") {
>   if ($rawmsg contains "temp-write-test-") or ($rawmsg contains "-mc.log") or
>      ($rawmsg contains "/bb-plugin/cache") then {
>     stop
>   }
> }
>
> But the messages still show up.
>
> If the message is malformed, what can I do?
>
> This is one such message I'm still getting:
>
> "message": type=PATH msg=audit(1715691166.683:1235018): item=1
> name=\"/var/www/[redacted]/htdocs/wp-content/mc_data/e0dd02283d6008e11343bf4b5d38ced4-mc.log\"
> inode=2427162 dev=08:01 mode=0100644 ouid=1010 ogid=2011 rdev=00:00
> nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
> OUID=\"[redacted\" OGID=\"redacted\"
>
> Thomas J. Raef
> Founder, WeWatchYourWebsite.com
> http://wewatchyourwebsite.com
> tr...@wewatchyourwebsite.com
> LinkedIn
> Facebook
>
>
> On Fri, May 24, 2024 at 6:49 AM Rainer Gerhards <rgerha...@hq.adiscon.com> wrote:
>>
>> I guess the message is malformed and the string you look for is inside
>> another field.
>>
>> I would suggest that you use "$rawmsg" instead of "$msg". If that
>> works, a) we are on the right track and b) you actually solved the
>> issue, albeit probably not in the best possible way.
>>
>> HTH
>> Rainer
>>
>> On Fri, 24 May 2024 at 12:28, Thomas Raef via rsyslog
>> (<rsyslog@lists.adiscon.com>) wrote:
>> >
>> > I have rules set up but I want to ignore all entries like this:
>> >
>> > "message": type=PATH msg=audit(1715687344.694:1226486): item=3
>> > name=\"/var/www/[redacted].com/htdocs/wp-content/temp-write-test-12345467\"
>> > inode=1661307 dev=08:01 mode=0100644 ouid=1005 ogid=2006 rdev=00:00
>> > nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
>> > OUID=\"[redacted]\" OGID=\"[redacted]\"
>> >
>> > I want to ignore all entries that have temp-write-test- in the message.
>> >
>> > I've tried:
>> >
>> > :msg, contains, "temp-write-test-" stop
>> >
>> > But I continually get messages with that string in them. I've tried it with
>> > that as the first rule.
>> >
>> > And I've tried this as well:
>> >
>> > ruleset(name="drop") {
>> >   if ($msg contains "temp-write-test-") or ($msg contains "-mc.log") or
>> >      ($msg contains "/bb-plugin/cache") then {
>> >     stop
>> >   }
>> > }
>> >
>> > input(type="imfile"
>> >       File="/var/log/audit/audit.log"
>> >       Tag="audit_logs"
>> >       ruleset="drop"
>> >       reopenOnTruncate="on"
>> > )
>> >
>> > Nothing works.
>> >
>> > Can anyone shed some light? Please?
>> >
>> > Thomas J. Raef
>> > Founder, WeWatchYourWebsite.com
>> > http://wewatchyourwebsite.com
>> > tr...@wewatchyourwebsite.com
>> > LinkedIn <https://www.linkedin.com/in/thomas-raef-74b93a14/>
>> > Facebook <https://www.facebook.com/WeWatchYourWebsite>
>> > _______________________________________________
>> > rsyslog mailing list
>> > https://lists.adiscon.net/mailman/listinfo/rsyslog
>> > http://www.rsyslog.com/professional-services/
>> > What's up with rsyslog? Follow https://twitter.com/rgerhards
>> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>> > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>> > DON'T LIKE THAT.
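An added configuration example (not from the thread and not the rsyslog project's own) showing the shape the two replies point at: the filter tests $rawmsg, the imfile input is bound to the ruleset, and records that survive the filter are handed on with `call`, so the ruleset does not silently swallow everything. The downstream ruleset name `main_processing` and the file it writes to are assumptions; the patterns, the tag and the audit.log path come from the thread.

```conf
# Added example, not the thread's own config. Names marked "assumed" are
# placeholders to adapt to the real configuration.
module(load="imfile")

# Where the records that survive the filter go (ruleset name and output
# file are assumed).
ruleset(name="main_processing") {
    action(type="omfile" file="/var/log/audit-filtered.log")
}

# Match on $rawmsg, the unparsed line, rather than $msg: as the reply above
# suggests, a line without a syslog header may be split so that the text you
# are looking for ends up in another property than $msg.
ruleset(name="drop") {
    if ($rawmsg contains "temp-write-test-") or
       ($rawmsg contains "-mc.log") or
       ($rawmsg contains "/bb-plugin/cache") then {
        stop
    }
    # Hand the remaining records on. Without this the ruleset has no actions,
    # so nothing bound to it would reach any output.
    call main_processing
}

# Binding the input to the ruleset is what activates the filter for these
# lines; an input bound elsewhere (or to the default ruleset) bypasses it.
input(type="imfile"
      File="/var/log/audit/audit.log"
      Tag="audit_logs"
      ruleset="drop"
      reopenOnTruncate="on")
```

Check the syntax with `rsyslogd -N1` before restarting; if the records still appear afterwards, they are most likely arriving through another input that is not bound to this ruleset, which is why the complete config is needed to diagnose it.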