On Tue, 31 Jan 2017, James wrote:
Hi,
I'm new to rsyslog, trying to get something fairly basic to work but
failing to follow the documentation it seems.
I use fail2ban which is hard-coded to output its syslog at facility
"daemon". I could edit the source, but would rather skin the cat another
way.
daemon.* obviously has lots of other stuff (DHCP, Automount, etc) and I'd
like to filter it. I want to send all fail2ban logs to a separate file and
I want to send the lines specific to ban/unbans to a remote server. What
I've got in my rsyslog.conf is:
#Log all fail2ban locally
:syslogtag, contains, "fail2ban"
daemon.* /var/log/fail2ban.log
you have two different statements here, only one of which is complete
:syslogtag, contains, "fail2ban" /var/log/fail2ban.log
#Log bans & unbans to remote
:msg, contains, "ssh-slowattack"
daemon.* @@10.0.0.1:5000
What I get with this is a blank fail2ban.log and *all* daemon facility
events on the remote server. Example log portion:
<30>Jan 31 09:08:55 testserver fail2ban.jail : INFO Jail 'fail2ban' started
<28>Jan 31 09:11:38 testserver fail2ban.actions: WARNING [ssh-slowattack] Ban 10.0.0.2
<28>Jan 31 09:17:05 testserver fail2ban.actions: WARNING [ssh-slowattack] Unban 10.0.0.2
<30>Jan 31 10:39:37 testserver dhclient: DHCPREQUEST on eth0 to 10.10.0.1 port 67
Rsyslog version, which I can't currently change, is rsyslog-3.22.1-7.el5
Thanks
James
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
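As an added illustration (not from the thread and not rsyslog's own code), a small Python model of how rsyslog's legacy filters pick messages: each statement pairs one filter with one action on the same line, a property filter tests `syslogtag` or `msg`, and a `daemon.*` selector tests only the facility decoded from the PRI, which is why it also matches dhclient. The sample lines are constructed from the ones quoted in the post; file and remote destinations are the ones from the config above.

```python
import re

# Constructed sample lines modelled on the thread: facility "daemon"
# (PRI 30 = daemon.info, 28 = daemon.warning) carries fail2ban and dhclient.
SAMPLE_LINES = [
    "<30>Jan 31 09:08:55 testserver fail2ban.jail : INFO Jail 'fail2ban' started",
    "<28>Jan 31 09:11:38 testserver fail2ban.actions: WARNING [ssh-slowattack] Ban 10.0.0.2",
    "<28>Jan 31 09:17:05 testserver fail2ban.actions: WARNING [ssh-slowattack] Unban 10.0.0.2",
    "<30>Jan 31 10:39:37 testserver dhclient: DHCPREQUEST on eth0 to 10.10.0.1 port 67",
]

FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog"}

# <PRI>TIMESTAMP HOST TAG MSG; TAG is the first token after the host
# (a simplification of rsyslog's tag parsing, sufficient for these lines).
LINE_RE = re.compile(r"^<(\d{1,3})>(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) (\S+) ?(.*)$")


def parse(line):
    """Split a BSD-syslog line into the properties rsyslog filters can test."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unparseable syslog line: %r" % line)
    pri = int(m.group(1))
    return {
        "facility": FACILITIES.get(pri >> 3, str(pri >> 3)),  # PRI high bits
        "severity": pri & 7,                                  # PRI low 3 bits
        "hostname": m.group(3),
        "syslogtag": m.group(4),
        "msg": m.group(5),
    }


def property_filter(prop, needle):
    """Predicate for the legacy ':prop, contains, "needle"' filter."""
    return lambda ev: needle in ev[prop]


def facility_selector(facility):
    """Predicate for a 'facility.*' selector; it never looks at tag or msg."""
    return lambda ev: ev["facility"] == facility


# Corrected rule set: filter and action together, one statement per line.
RULES = [
    (property_filter("syslogtag", "fail2ban"), "/var/log/fail2ban.log"),
    (property_filter("msg", "ssh-slowattack"), "@@10.0.0.1:5000"),
]


def route(lines, rules=RULES):
    """Return {action: [msg, ...]} listing what each rule would deliver."""
    out = {action: [] for _, action in rules}
    for line in lines:
        ev = parse(line)
        for pred, action in rules:
            if pred(ev):
                out[action].append(ev["msg"])
    return out
```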