I created a lower numbered rules file with just this in it:

ruleset(name="drop") {
    if ($rawmsg contains "temp-write-test-") or ($rawmsg contains "-mc.log") or ($rawmsg contains "/bb-plugin/cache") then {
        stop
    }
}

input(type="imfile" File="/var/log/audit/audit.log" Tag="audit_logs" ruleset="drop" reopenOnTruncate="on" )

And it appears to be working.

Thomas J. Raef
Founder, WeWatchYourWebsite.com
http://wewatchyourwebsite.com
tr...@wewatchyourwebsite.com
LinkedIn <https://www.linkedin.com/in/thomas-raef-74b93a14/>
Facebook <https://www.facebook.com/WeWatchYourWebsite>

On Fri, May 24, 2024 at 12:21 PM David Lang <da...@lang.hm> wrote:
> or you have other actions in the config that happen before your stop takes place.
>
> David Lang
>
> On Fri, 24 May 2024, Rainer Gerhards via rsyslog wrote:
>
>> Date: Fri, 24 May 2024 13:57:07 +0200
>> From: Rainer Gerhards via rsyslog <rsyslog@lists.adiscon.com>
>> To: Thomas Raef <tr...@wewatchyourwebsite.com>
>> Cc: Rainer Gerhards <rgerha...@hq.adiscon.com>, rsyslog-users <rsyslog@lists.adiscon.com>
>> Subject: Re: [rsyslog] Stop actions
>>
>> pls show your complete config. I guess the ruleset is not bound to anything. Otherwise, $rawmsg MUST fit. As such, I think the ruleset is never activated for these messages.
>>
>> Rainer
>>
>> On Fri, 24 May 2024 at 13:43, Thomas Raef (<tr...@wewatchyourwebsite.com>) wrote:
>>>
>>> I changed it to:
>>>
>>> ruleset(name="drop") {
>>>     if ($rawmsg contains "temp-write-test-") or ($rawmsg contains "-mc.log") or ($rawmsg contains "/bb-plugin/cache") then {
>>>         stop
>>>     }
>>> }
>>>
>>> But the messages still show up.
>>>
>>> If the message is malformed, what can I do?
>>>
>>> This is one such message I'm still getting:
>>>
>>> "message": type=PATH msg=audit(1715691166.683:1235018): item=1 name=\"/var/www/[redacted]/htdocs/wp-content/mc_data/e0dd02283d6008e11343bf4b5d38ced4-mc.log\" inode=2427162 dev=08:01 mode=0100644 ouid=1010 ogid=2011 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 OUID=\"[redacted\" OGID=\"redacted\"
>>>
>>> Thomas J. Raef
>>> Founder, WeWatchYourWebsite.com
>>> http://wewatchyourwebsite.com
>>> tr...@wewatchyourwebsite.com
>>> LinkedIn
>>> Facebook
>>>
>>> On Fri, May 24, 2024 at 6:49 AM Rainer Gerhards <rgerha...@hq.adiscon.com> wrote:
>>>>
>>>> I guess the message is malformed and the string you look for is inside another field.
>>>>
>>>> I would suggest that you use "$rawmsg" instead of "$msg". If that works, a) we are on the right track and b) you actually solved the issue, albeit probably not in the best possible way.
>>>>
>>>> HTH
>>>> Rainer
>>>>
>>>> On Fri, 24 May 2024 at 12:28, Thomas Raef via rsyslog (<rsyslog@lists.adiscon.com>) wrote:
>>>>>
>>>>> I have rules set up but I want to ignore all entries like this:
>>>>>
>>>>> "message": type=PATH msg=audit(1715687344.694:1226486): item=3 name=\"/var/www/[redacted].com/htdocs/wp-content/temp-write-test-12345467\" inode=1661307 dev=08:01 mode=0100644 ouid=1005 ogid=2006 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 OUID=\"[redacted]\" OGID=\"[redacted]\"
>>>>>
>>>>> I want to ignore all entries that have temp-write-test- in the message.
>>>>>
>>>>> I've tried:
>>>>>
>>>>> :msg, contains, "temp-write-test-" stop
>>>>>
>>>>> But I continually get messages with that string in them. I've tried it with that as the first rule.
>>>>>
>>>>> And I've tried this as well:
>>>>>
>>>>> ruleset(name="drop") {
>>>>>     if ($msg contains "temp-write-test-") or ($msg contains "-mc.log") or ($msg contains "/bb-plugin/cache") then {
>>>>>         stop
>>>>>     }
>>>>> }
>>>>>
>>>>> input(type="imfile"
>>>>>     File="/var/log/audit/audit.log"
>>>>>     Tag="audit_logs"
>>>>>     ruleset="drop"
>>>>>     reopenOnTruncate="on"
>>>>> )
>>>>>
>>>>> Nothing works.
>>>>>
>>>>> Can anyone shed some light? Please?
>>>>>
>>>>> Thomas J. Raef
>>>>> Founder, WeWatchYourWebsite.com
>>>>> http://wewatchyourwebsite.com
>>>>> tr...@wewatchyourwebsite.com
>>>>> LinkedIn <https://www.linkedin.com/in/thomas-raef-74b93a14/>
>>>>> Facebook <https://www.facebook.com/WeWatchYourWebsite>
>>>>> _______________________________________________
>>>>> rsyslog mailing list
>>>>> https://lists.adiscon.net/mailman/listinfo/rsyslog
>>>>> http://www.rsyslog.com/professional-services/
>>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
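As an added example (not code from the thread or from rsyslog), the following Python models the drop condition the thread settled on, a whole-line substring match standing in for `$rawmsg contains`, beside a field-scoped variant that only looks at the `name=` field of PATH records, so that other audit record types carrying the same string (an EXECVE argument, for instance) still reach the analyst. The audit lines are constructed samples with placeholder paths; `parse_audit_record`, `drop_by_rawmsg` and `drop_by_name_field` are names chosen here, not rsyslog identifiers.

```python
"""Offline model of the rsyslog 'drop' ruleset discussed in the thread.

Added example; the records below are constructed, not taken from a live host.
"""
import re

# Noise markers from the ruleset in the thread.
NOISE_MARKERS = ("temp-write-test-", "-mc.log", "/bb-plugin/cache")

# One key=value field of an audit record; values may be double-quoted (paths are).
_FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_audit_record(line):
    """Return the key=value fields of a raw audit.log line as a dict (quotes stripped)."""
    fields = {}
    for key, raw in _FIELD_RE.findall(line):
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def drop_by_rawmsg(line):
    """Mirror of the thread's final ruleset: marker anywhere in the whole line."""
    return any(marker in line for marker in NOISE_MARKERS)


def drop_by_name_field(line):
    """Stricter policy: drop only PATH records whose name= field carries a marker."""
    fields = parse_audit_record(line)
    if fields.get("type") != "PATH":
        return False
    return any(marker in fields.get("name", "") for marker in NOISE_MARKERS)


def filter_records(lines, policy=drop_by_name_field):
    """Return the records that survive the policy, i.e. those that would be forwarded."""
    return [line for line in lines if not policy(line)]


# Constructed sample records (placeholder paths, invented inode numbers).
SAMPLES = [
    'type=PATH msg=audit(1715687344.694:1226486): item=3 name="/var/www/example.com/htdocs/wp-content/temp-write-test-12345467" inode=1661307 dev=08:01 mode=0100644 ouid=1005 ogid=2006 nametype=CREATE',
    'type=PATH msg=audit(1715691166.683:1235018): item=1 name="/var/www/example.com/htdocs/wp-content/mc_data/abc-mc.log" inode=2427162 dev=08:01 mode=0100644 ouid=1010 ogid=2011 nametype=CREATE',
    'type=PATH msg=audit(1715691200.001:1235100): item=0 name="/var/www/example.com/htdocs/wp-content/plugins/new-plugin.php" inode=2427200 dev=08:01 mode=0100644 ouid=1010 ogid=2011 nametype=CREATE',
    'type=EXECVE msg=audit(1715691300.002:1235200): argc=2 a0="rm" a1="/var/www/example.com/htdocs/wp-content/temp-write-test-99"',
]
```

Running `filter_records(SAMPLES, drop_by_rawmsg)` keeps only the third record, while the default field-scoped policy also keeps the EXECVE record, which is the kind of event a whole-line substring filter silently discards.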