I changed it to:

ruleset(name="drop") {
    if ($rawmsg contains "temp-write-test-") or ($rawmsg contains "-mc.log") or ($rawmsg contains "/bb-plugin/cache") then {
        stop
    }
}
But the messages still show up. If the message is malformed, what can I do? This is one such message I'm still getting:

"message": type=PATH msg=audit(1715691166.683:1235018): item=1 name=\"/var/www/[redacted]/htdocs/wp-content/mc_data/e0dd02283d6008e11343bf4b5d38ced4-mc.log\" inode=2427162 dev=08:01 mode=0100644 ouid=1010 ogid=2011 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 OUID=\"[redacted\" OGID=\"redacted\"

Thomas J. Raef
Founder, WeWatchYourWebsite.com
http://wewatchyourwebsite.com
tr...@wewatchyourwebsite.com
LinkedIn <https://www.linkedin.com/in/thomas-raef-74b93a14/>
Facebook <https://www.facebook.com/WeWatchYourWebsite>

On Fri, May 24, 2024 at 6:49 AM Rainer Gerhards <rgerha...@hq.adiscon.com> wrote:

> I guess the message is malformed and the string you look for is inside
> another field.
>
> I would suggest that you use "$rawmsg" instead of "$msg". If that
> works, a) we are on the right track and b) you actually solved the
> issue, albeit probably not in the best possible way.
>
> HTH
> Rainer
>
> On Fri, 24 May 2024 at 12:28, Thomas Raef via rsyslog
> (<rsyslog@lists.adiscon.com>) wrote:
> >
> > I have rules set up but I want to ignore all entries like this:
> >
> > "message": type=PATH msg=audit(1715687344.694:1226486): item=3 name=\"/var/www/[redacted].com/htdocs/wp-content/temp-write-test-12345467\" inode=1661307 dev=08:01 mode=0100644 ouid=1005 ogid=2006 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 OUID=\"[redacted]\" OGID=\"[redacted]\"
> >
> > I want to ignore all entries that have temp-write-test- in the message.
> >
> > I've tried:
> >
> > :msg, contains, "temp-write-test-" stop
> >
> > But I continually get messages with that string in them. I've tried it with
> > that as the first rule.
> >
> > And I've tried this as well:
> >
> > ruleset(name="drop") {
> >     if ($msg contains "temp-write-test-") or ($msg contains "-mc.log") or ($msg contains "/bb-plugin/cache") then {
> >         stop
> >     }
> > }
> >
> > input(type="imfile"
> >     File="/var/log/audit/audit.log"
> >     Tag="audit_logs"
> >     ruleset="drop"
> >     reopenOnTruncate="on"
> > )
> >
> > Nothing works.
> >
> > Can anyone shed some light? Please?
> >
> > Thomas J. Raef
> > Founder, WeWatchYourWebsite.com
> > _______________________________________________
> > rsyslog mailing list
> > https://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> > DON'T LIKE THAT.
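An added example, not configuration from either poster or from the rsyslog project, showing how a practitioner would debug this kind of "my stop rule never fires" problem. Two things stand out in the config quoted above. First, a ruleset bound to an imfile input is the only ruleset those messages ever pass through, and the "drop" ruleset contains no action at all, so anything it does not stop is discarded rather than written anywhere; if entries still appear downstream, they are most likely arriving by another path (a second input reading the same file, or auditd's own syslog dispatcher), which is an inference from the quoted config rather than something the thread confirms. Second, the pasted lines start with "message": and carry \" escapes, which looks like a JSON wrapper added by whatever tool displayed them, so the string test has to be checked against the line as it sits in /var/log/audit/audit.log. The config below writes $msg and $rawmsg side by side to a debug file so you can see which property actually holds the path, stops the unwanted entries, and sends the survivors to an explicit output. The file names /var/log/rsyslog-audit-debug.log and /var/log/audit-filtered.log and the ruleset name audit_filter are assumptions for the example.

```rsyslog
# Added example: debugging a filter that never seems to match.
# Assumed paths/names: /var/log/rsyslog-audit-debug.log,
# /var/log/audit-filtered.log, ruleset "audit_filter".

module(load="imfile")

# Template that prints the parsed MSG part and the raw line next to
# each other, so you can see which property contains the needle.
template(name="audit_dbg" type="string"
         string="msg=[%msg%]\nrawmsg=[%rawmsg%]\n---\n")

ruleset(name="audit_filter") {
    # 1. Debug first, before any "stop": remove this action once the
    #    filter is confirmed to match.
    action(type="omfile" file="/var/log/rsyslog-audit-debug.log"
           template="audit_dbg")

    # 2. Filter on the raw line as read from the file. imfile hands the
    #    whole line to the parser; $rawmsg always holds all of it, while
    #    $msg holds only what the parser decided is the MSG part.
    if ($rawmsg contains "temp-write-test-")
       or ($rawmsg contains "-mc.log")
       or ($rawmsg contains "/bb-plugin/cache") then {
        stop
    }

    # 3. A bound ruleset without an action discards everything it does
    #    not stop. Whatever should survive needs an explicit output here
    #    (omfile, omfwd to a SIEM, etc.).
    action(type="omfile" file="/var/log/audit-filtered.log")
}

input(type="imfile"
      File="/var/log/audit/audit.log"
      Tag="audit_logs"
      ruleset="audit_filter"
      reopenOnTruncate="on")
```

Before restarting, validate the file with `rsyslogd -N1` (syntax check only, no processing) and, once it is live, compare the debug file against what the downstream tool shows. If a line that contains "-mc.log" appears in the debug file and not in /var/log/audit-filtered.log, the filter works and the copies still reaching the SIEM are coming from a different input or from auditd's own forwarding, not from this ruleset.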