I have rules set up but I want to ignore all entries like this:

    "message": type=PATH msg=audit(1715687344.694:1226486): item=3 name=\"/var/www/[redacted].com/htdocs/wp-content/temp-write-test-12345467\" inode=1661307 dev=08:01 mode=0100644 ouid=1005 ogid=2006 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 OUID=\"[redacted]\" OGID=\"[redacted]\"

I want to ignore all entries that have temp-write-test- in the message. I've tried:

    :msg, contains, "temp-write-test-" stop

But I continually get messages with that string in them. I've tried it with that as the first rule. And I've tried this as well:

    ruleset(name="drop") {
        if ($msg contains "temp-write-test-") or ($msg contains "-mc.log") or ($msg contains "/bb-plugin/cache") then {
            stop
        }
    }

    input(type="imfile"
          File="/var/log/audit/audit.log"
          Tag="audit_logs"
          ruleset="drop"
          reopenOnTruncate="on"
    )

Nothing works. Can anyone shed some light? Please?

Thomas J. Raef
Founder, WeWatchYourWebsite.com
http://wewatchyourwebsite.com
tr...@wewatchyourwebsite.com
LinkedIn <https://www.linkedin.com/in/thomas-raef-74b93a14/>
Facebook <https://www.facebook.com/WeWatchYourWebsite>