Thanks for the tip! You guys rock! Thank you soooo much.

Thomas J. Raef
Founder, WeWatchYourWebsite.com
http://wewatchyourwebsite.com
tr...@wewatchyourwebsite.com
LinkedIn <https://www.linkedin.com/in/thomas-raef-74b93a14/>
Facebook <https://www.facebook.com/WeWatchYourWebsite>

On Fri, May 24, 2024 at 12:57 PM David Lang <da...@lang.hm> wrote:

> if you start rsyslog with the -o /path/to/file option, it will write a copy of
> the config file as it sees it with all includes, that is what you should look
> at to figure the order of things. Many distros put the includes late in the
> config, so putting things in an included file may be too late for some things.
>
> David Lang
>
> On Fri, 24 May 2024, Thomas Raef wrote:
>
> > Date: Fri, 24 May 2024 12:37:15 -0400
> > From: Thomas Raef <tr...@wewatchyourwebsite.com>
> > To: David Lang <da...@lang.hm>
> > Cc: Rainer Gerhards via rsyslog <rsyslog@lists.adiscon.com>,
> >     Rainer Gerhards <rgerha...@hq.adiscon.com>
> > Subject: Re: [rsyslog] Stop actions
> >
> > I created a lower numbered rules file with just this in it:
> >
> > ruleset(name="drop") {
> >   if ($rawmsg contains "temp-write-test-") or ($rawmsg contains "-mc.log") or
> >      ($rawmsg contains "/bb-plugin/cache") then {
> >     stop
> >   }
> > }
> >
> > input(type="imfile"
> >       File="/var/log/audit/audit.log"
> >       Tag="audit_logs"
> >       ruleset="drop"
> >       reopenOnTruncate="on"
> > )
> >
> > And it appears to be working.
> >
> > Thomas J. Raef
> > Founder, WeWatchYourWebsite.com
> > http://wewatchyourwebsite.com
> > tr...@wewatchyourwebsite.com
> > LinkedIn <https://www.linkedin.com/in/thomas-raef-74b93a14/>
> > Facebook <https://www.facebook.com/WeWatchYourWebsite>
> >
> > On Fri, May 24, 2024 at 12:21 PM David Lang <da...@lang.hm> wrote:
> >
> >> or you have other actions in the config that happen before your stop takes
> >> place.
> >>
> >> David Lang
> >>
> >> On Fri, 24 May 2024, Rainer Gerhards via rsyslog wrote:
> >>
> >>> Date: Fri, 24 May 2024 13:57:07 +0200
> >>> From: Rainer Gerhards via rsyslog <rsyslog@lists.adiscon.com>
> >>> To: Thomas Raef <tr...@wewatchyourwebsite.com>
> >>> Cc: Rainer Gerhards <rgerha...@hq.adiscon.com>,
> >>>     rsyslog-users <rsyslog@lists.adiscon.com>
> >>> Subject: Re: [rsyslog] Stop actions
> >>>
> >>> pls show your complete config. I guess the ruleset is not bound to
> >>> anything. Otherwise, $rawmsg MUST fit. As such, I think the ruleset is
> >>> never activated for these messages.
> >>>
> >>> Rainer
> >>>
> >>> El vie, 24 may 2024 a las 13:43, Thomas Raef
> >>> (<tr...@wewatchyourwebsite.com>) escribió:
> >>>>
> >>>> I changed it to:
> >>>>
> >>>> ruleset(name="drop") {
> >>>>   if ($rawmsg contains "temp-write-test-") or ($rawmsg contains "-mc.log") or
> >>>>      ($rawmsg contains "/bb-plugin/cache") then {
> >>>>     stop
> >>>>   }
> >>>> }
> >>>>
> >>>> But the messages still show up.
> >>>>
> >>>> If the message is malformed, what can I do?
> >>>>
> >>>> This is one such message I'm still getting:
> >>>>
> >>>> "message": type=PATH msg=audit(1715691166.683:1235018): item=1
> >>>> name=\"/var/www/[redacted]/htdocs/wp-content/mc_data/e0dd02283d6008e11343bf4b5d38ced4-mc.log\"
> >>>> inode=2427162 dev=08:01 mode=0100644 ouid=1010 ogid=2011 rdev=00:00
> >>>> nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
> >>>> OUID=\"[redacted\" OGID=\"redacted\"
> >>>>
> >>>> Thomas J. Raef
> >>>> Founder, WeWatchYourWebsite.com
> >>>> http://wewatchyourwebsite.com
> >>>> tr...@wewatchyourwebsite.com
> >>>> LinkedIn
> >>>> Facebook
> >>>>
> >>>> On Fri, May 24, 2024 at 6:49 AM Rainer Gerhards <rgerha...@hq.adiscon.com> wrote:
> >>>>>
> >>>>> I guess the message is malformed and the string you look for is inside
> >>>>> another field.
> >>>>>
> >>>>> I would suggest that you use "$rawmsg" instead of "$msg". If that
> >>>>> works, a) we are on the right track and b) you actually solved the
> >>>>> issue, albeit probably not in the best possible way.
> >>>>>
> >>>>> HTH
> >>>>> Rainer
> >>>>>
> >>>>> El vie, 24 may 2024 a las 12:28, Thomas Raef via rsyslog
> >>>>> (<rsyslog@lists.adiscon.com>) escribió:
> >>>>>>
> >>>>>> I have rules setup but I want to ignore all entries like this:
> >>>>>>
> >>>>>> "message": type=PATH msg=audit(1715687344.694:1226486): item=3
> >>>>>> name=\"/var/www/[redacted].com/htdocs/wp-content/temp-write-test-12345467\"
> >>>>>> inode=1661307 dev=08:01 mode=0100644 ouid=1005 ogid=2006 rdev=00:00
> >>>>>> nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
> >>>>>> OUID=\"[redacted]\" OGID=\"[redacted]\"
> >>>>>>
> >>>>>> I want to ignore all entries that have temp-write-test- in the message.
> >>>>>>
> >>>>>> I've tried:
> >>>>>>
> >>>>>> :msg, contains, "temp-write-test-" stop
> >>>>>>
> >>>>>> But I continually get messages with that string in them. I've tried it with
> >>>>>> that as the first rule.
> >>>>>>
> >>>>>> And I've tried this as well:
> >>>>>>
> >>>>>> ruleset(name="drop") {
> >>>>>>   if ($msg contains "temp-write-test-") or ($msg contains "-mc.log") or
> >>>>>>      ($msg contains "/bb-plugin/cache") then {
> >>>>>>     stop
> >>>>>>   }
> >>>>>> }
> >>>>>>
> >>>>>> input(type="imfile"
> >>>>>>       File="/var/log/audit/audit.log"
> >>>>>>       Tag="audit_logs"
> >>>>>>       ruleset="drop"
> >>>>>>       reopenOnTruncate="on"
> >>>>>> )
> >>>>>>
> >>>>>> Nothing works.
> >>>>>>
> >>>>>> Can anyone shed some light? Please?
> >>>>>>
> >>>>>> Thomas J. Raef
> >>>>>> Founder, WeWatchYourWebsite.com
> >>>>>> http://wewatchyourwebsite.com
> >>>>>> tr...@wewatchyourwebsite.com
> >>>>>> LinkedIn <https://www.linkedin.com/in/thomas-raef-74b93a14/>
> >>>>>> Facebook <https://www.facebook.com/WeWatchYourWebsite>
> >>>>>> _______________________________________________
> >>>>>> rsyslog mailing list
> >>>>>> https://lists.adiscon.net/mailman/listinfo/rsyslog
> >>>>>> http://www.rsyslog.com/professional-services/
> >>>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
> >>>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> >>>>>> myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST
> >>>>>> if you DON'T LIKE THAT.
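The three points raised in the thread (bind the ruleset to the input, match on $rawmsg rather than $msg, and make sure nothing runs before the stop) fit together in one self-contained fragment. The following is an added example written for this page, not configuration posted by any of the participants; the ruleset name `audit_filter` and the output path `/var/log/audit-filtered.log` are assumptions, and it assumes imfile is not already loaded elsewhere in the configuration (loading a module twice is an error).

```conf
# Added example (not from the thread). One fragment that binds the audit log
# input to a dedicated ruleset, so the "stop" below runs before any action in
# the default ruleset can see the message. Assumes imfile is not loaded
# elsewhere in the configuration.
module(load="imfile")

# The ruleset must be defined before the input() that references it, which is
# why include-file ordering (see the -o hint in the thread) matters.
ruleset(name="audit_filter") {
    # Match on $rawmsg: imfile hands over an auditd record that is not in
    # syslog format, so the parsed $msg property may not hold the substring
    # even though the complete line does.
    if ($rawmsg contains "temp-write-test-") or
       ($rawmsg contains "-mc.log") or
       ($rawmsg contains "/bb-plugin/cache") then {
        stop
    }

    # Everything that survives the filter is handled here explicitly. Messages
    # bound to this ruleset never reach actions in the default ruleset, so the
    # output path (an assumption for this example) must be set here.
    action(type="omfile" file="/var/log/audit-filtered.log")
}

input(type="imfile"
      File="/var/log/audit/audit.log"
      Tag="audit_logs"
      ruleset="audit_filter"
      reopenOnTruncate="on"
)
```

Check the syntax with `rsyslogd -N1` before restarting, and use the `-o /path/to/file` option David describes to confirm where the fragment lands relative to the rest of the effective configuration. Note that only the rsyslog copy is filtered: auditd keeps writing the complete record to /var/log/audit/audit.log, which imfile only reads, so the filter narrows what is forwarded without altering the on-disk audit trail; keep the substrings as specific as the three above so that unrelated file-creation events are not discarded along with the web server's temporary files.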