or you have other actions in the config that happen before your stop takes
place.
David Lang
On Fri, 24 May 2024, Rainer Gerhards via rsyslog wrote:
Date: Fri, 24 May 2024 13:57:07 +0200
From: Rainer Gerhards via rsyslog <rsyslog@lists.adiscon.com>
To: Thomas Raef <tr...@wewatchyourwebsite.com>
Cc: Rainer Gerhards <rgerha...@hq.adiscon.com>,
rsyslog-users <rsyslog@lists.adiscon.com>
Subject: Re: [rsyslog] Stop actions
pls show your complete config. I guess the ruleset is not bound to
anything. Otherwise, $rawmsg MUST fit. As such, I think the ruleset is
never activated for these messages.
Rainer
On Fri, 24 May 2024 at 13:43, Thomas Raef
(<tr...@wewatchyourwebsite.com>) wrote:
I changed it to:
ruleset(name="drop") {
    if ($rawmsg contains "temp-write-test-") or ($rawmsg contains "-mc.log") or ($rawmsg contains "/bb-plugin/cache") then {
        stop
    }
}
But the messages still show up.
If the message is malformed, what can I do?
This is one such message I'm still getting:
"message": type=PATH msg=audit(1715691166.683:1235018): item=1
name=\"/var/www/[redacted]/htdocs/wp-content/mc_data/e0dd02283d6008e11343bf4b5d38ced4-mc.log\" inode=2427162
dev=08:01 mode=0100644 ouid=1010 ogid=2011 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0
cap_frootid=0 OUID=\"[redacted\" OGID=\"redacted\"
Thomas J. Raef
Founder, WeWatchYourWebsite.com
http://wewatchyourwebsite.com
tr...@wewatchyourwebsite.com
LinkedIn
Facebook
On Fri, May 24, 2024 at 6:49 AM Rainer Gerhards <rgerha...@hq.adiscon.com>
wrote:
I guess the message is malformed and the string you look for is inside
another field.
I would suggest that you use "$rawmsg" instead of "$msg". If that
works, a) we are on the right track and b) you actually solved the
issue, albeit probably not in the best possible way.
HTH
Rainer
On Fri, 24 May 2024 at 12:28, Thomas Raef via rsyslog
(<rsyslog@lists.adiscon.com>) wrote:
>
> I have rules setup but I want to ignore all entries like this:
>
> "message": type=PATH msg=audit(1715687344.694:1226486): item=3
> name=\"/var/www/[redacted].com/htdocs/wp-content/temp-write-test-12345467\"
> inode=1661307 dev=08:01 mode=0100644 ouid=1005 ogid=2006 rdev=00:00
> nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
> OUID=\"[redacted]\" OGID=\"[redacted]\"
>
> I want to ignore all entries that have temp-write-test- in the message.
>
> I've tried:
>
> :msg, contains, "temp-write-test-" stop
>
>
>
> But I continually get messages with that string in them. I've tried it with
> that as the first rule.
>
>
> And I've tried this as well:
>
>
> ruleset(name="drop") {
>     if ($msg contains "temp-write-test-") or ($msg contains "-mc.log") or ($msg contains "/bb-plugin/cache") then {
>         stop
>     }
> }
>
> input(type="imfile"
>       File="/var/log/audit/audit.log"
>       Tag="audit_logs"
>       ruleset="drop"
>       reopenOnTruncate="on"
> )
>
>
> Nothing works.
>
>
> Can anyone shed some light? Please?
>
>
> Thomas J. Raef
> Founder, WeWatchYourWebsite.com
> http://wewatchyourwebsite.com
> tr...@wewatchyourwebsite.com
> LinkedIn <https://www.linkedin.com/in/thomas-raef-74b93a14/>
> Facebook <https://www.facebook.com/WeWatchYourWebsite>
> _______________________________________________
> rsyslog mailing list
> https://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
> THAT.
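Pulling the thread's two diagnostic points together (the ruleset must actually be bound to the input, and a filter on $rawmsg cannot miss a string that the parser moved into another property), here is a minimal complete configuration as an added example; it is not config from the thread or from the rsyslog project, and the omfile destination is an assumed placeholder.

```rsyslog
# Added example, not from the thread. Assumed: /var/log/audit-forward.log
# is a placeholder for whatever action the surviving records should go to.

module(load="imfile")   # imfile is not loaded by default; without this line the input below is never created

# Messages read by the imfile input enter this ruleset instead of the
# default one, so the stop is evaluated before any other action in the
# config can see them (the case David Lang describes above).
ruleset(name="drop") {
    # $rawmsg is the whole line as read from the file, so a contains test
    # on it cannot miss the string because rsyslog's parser placed part of
    # the line in a different property than $msg.
    if ($rawmsg contains "temp-write-test-")
       or ($rawmsg contains "-mc.log")
       or ($rawmsg contains "/bb-plugin/cache") then {
        stop
    }
    # Everything that survived the filter (assumed placeholder action).
    action(type="omfile" file="/var/log/audit-forward.log")
}

# The binding is the ruleset="drop" parameter; without it, the input
# delivers to the default ruleset and the block above is never entered.
input(type="imfile"
      file="/var/log/audit/audit.log"
      tag="audit_logs"
      ruleset="drop"
      reopenOnTruncate="on"
)
```

Run `rsyslogd -N1 -f <config file>` to check the file for syntax and binding errors before restarting the daemon.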