Re: [rsyslog] Stop actions

2024-05-24 Thread Thomas Raef via rsyslog
Thanks for the tip!

You guys rock! Thank you so much.

Thomas J. Raef
Founder, WeWatchYourWebsite.com
http://wewatchyourwebsite.com
tr...@wewatchyourwebsite.com
LinkedIn <https://www.linkedin.com/in/thomas-raef-74b93a14/>
Facebook <https://www.facebook.com/WeWatchYourWebsite>



On Fri, May 24, 2024 at 12:57 PM David Lang  wrote:

> if you start rsyslog with the -o /path/to/file option, it will write a
> copy of the config file as it sees it with all includes, that is what you
> should look at to figure the order of things. Many distros put the
> includes late in the config, so putting things in an included file may be
> too late for some things.
>
> David Lang

Re: [rsyslog] Stop actions

2024-05-24 Thread David Lang via rsyslog
if you start rsyslog with the -o /path/to/file option, it will write a copy of 
the config file as it sees it with all includes, that is what you should look 
at to figure the order of things. Many distros put the includes late in the 
config, so putting things in an included file may be too late for some things.


David Lang


On Fri, 24 May 2024, Thomas Raef wrote:


Date: Fri, 24 May 2024 12:37:15 -0400
From: Thomas Raef
To: David Lang
Cc: Rainer Gerhards via rsyslog, Rainer Gerhards
Subject: Re: [rsyslog] Stop actions

I created a lower numbered rules file with just this in it:

ruleset(name="drop") {
    if ($rawmsg contains "temp-write-test-")
       or ($rawmsg contains "-mc.log")
       or ($rawmsg contains "/bb-plugin/cache") then {
        stop
    }
}

input(type="imfile"
      File="/var/log/audit/audit.log"
      Tag="audit_logs"
      ruleset="drop"
      reopenOnTruncate="on"
)

And it appears to be working.
Thomas J. Raef
Founder, WeWatchYourWebsite.com
http://wewatchyourwebsite.com
tr...@wewatchyourwebsite.com
LinkedIn <https://www.linkedin.com/in/thomas-raef-74b93a14/>
Facebook <https://www.facebook.com/WeWatchYourWebsite>



___
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.


Re: [rsyslog] Stop actions

2024-05-24 Thread Thomas Raef via rsyslog
I created a lower numbered rules file with just this in it:

ruleset(name="drop") {
    if ($rawmsg contains "temp-write-test-")
       or ($rawmsg contains "-mc.log")
       or ($rawmsg contains "/bb-plugin/cache") then {
        stop
    }
}

input(type="imfile"
      File="/var/log/audit/audit.log"
      Tag="audit_logs"
      ruleset="drop"
      reopenOnTruncate="on"
)

And it appears to be working.
Thomas J. Raef
Founder, WeWatchYourWebsite.com
http://wewatchyourwebsite.com
tr...@wewatchyourwebsite.com
LinkedIn <https://www.linkedin.com/in/thomas-raef-74b93a14/>
Facebook <https://www.facebook.com/WeWatchYourWebsite>



On Fri, May 24, 2024 at 12:21 PM David Lang  wrote:

> or you have other actions in the config that happen before your stop takes
> place.
>
> David Lang
>

Re: [rsyslog] Stop actions

2024-05-24 Thread David Lang via rsyslog
or you have other actions in the config that happen before your stop takes 
place.


David Lang

On Fri, 24 May 2024, Rainer Gerhards via rsyslog wrote:


Date: Fri, 24 May 2024 13:57:07 +0200
From: Rainer Gerhards via rsyslog
To: Thomas Raef
Cc: Rainer Gerhards, rsyslog-users
Subject: Re: [rsyslog] Stop actions

pls show your complete config. I guess the ruleset is not bound to
anything. Otherwise, $rawmsg MUST fit. As such, I think the ruleset is
never activated for these messages.

Rainer

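The two points David Lang makes in his messages above (a stop only helps if it is evaluated before any action that could see the message, and with the usual distro layout an included file may be read after those actions) and Rainer's point in the message that follows (the ruleset has to be bound to the input) can be put together in one file. What follows is an added example, not configuration posted in the thread: the ruleset name "audit_drop", the omfile output path and the anchored regular expression are illustrative choices of mine; the imfile parameters are the ones Thomas posted.

```rsyslog
# Added example, not from the thread. Assumes rsyslog 8 with the imfile
# module installed; "audit_drop", the omfile path and the regex are
# illustrative. Drop the module() line if another config file already
# loads imfile, since rsyslog complains when a module is loaded twice.
module(load="imfile")

# Every line read from audit.log is handed to this ruleset and to no
# other, so the stop is evaluated before the action that follows it,
# no matter where this file sits in the include order of /etc/rsyslog.conf.
ruleset(name="audit_drop") {
    # Lines from imfile carry no syslog header, so match on the raw
    # line ($rawmsg); what ends up in $msg depends on how the parser
    # split the line into fields.
    #
    # The first pattern is anchored to the directory and the numeric
    # suffix so that a record for some other file whose name merely
    # contains "temp-write-test-" is not dropped as well.
    if re_match($rawmsg, "wp-content/temp-write-test-[0-9]+")
       or ($rawmsg contains "-mc.log")
       or ($rawmsg contains "/bb-plugin/cache") then {
        stop
    }

    # Only records that survived the filter reach this action.
    action(type="omfile" file="/var/log/audit-filtered.log")
}

input(type="imfile"
      File="/var/log/audit/audit.log"
      Tag="audit_logs"
      ruleset="audit_drop"
      reopenOnTruncate="on"
)
```

Validate the file with rsyslogd -N1 before restarting. If records still get through, dump the include-expanded configuration with the -o option David Lang describes and check where the message actually goes: if the input is not bound to its own ruleset it lands in the default ruleset, and any action listed there ahead of the stop has already written the record by the time the filter runs. One caveat a practitioner should keep in mind: a stop keyed on a substring of the raw audit record suppresses every record containing that substring, including one for a file that was deliberately named to match, so keep the patterns as narrow as the paths allow and leave audit events you rely on for detection out of them.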

Re: [rsyslog] Stop actions

2024-05-24 Thread Rainer Gerhards via rsyslog
pls show your complete config. I guess the ruleset is not bound to
anything. Otherwise, $rawmsg MUST fit. As such, I think the ruleset is
never activated for these messages.

Rainer

On Fri, 24 May 2024 at 13:43, Thomas Raef wrote:
>
> I changed it to:
>
> ruleset(name="drop") {
>     if ($rawmsg contains "temp-write-test-")
>        or ($rawmsg contains "-mc.log")
>        or ($rawmsg contains "/bb-plugin/cache") then {
>         stop
>     }
> }
>
> But the messages still show up.
>
> If the message is malformed, what can I do?
>
> This is one such message I'm still getting:
>
> "message": type=PATH msg=audit(1715691166.683:1235018): item=1 
> name=\"/var/www/[redacted]/htdocs/wp-content/mc_data/e0dd02283d6008e11343bf4b5d38ced4-mc.log\"
>  inode=2427162 dev=08:01 mode=0100644 ouid=1010 ogid=2011 rdev=00:00 
> nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 
> OUID=\"[redacted\" OGID=\"redacted\"
>
> Thomas J. Raef
> Founder, WeWatchYourWebsite.com
> http://wewatchyourwebsite.com
> tr...@wewatchyourwebsite.com
> LinkedIn
> Facebook

Re: [rsyslog] Stop actions

2024-05-24 Thread Thomas Raef via rsyslog
I changed it to:

ruleset(name="drop") {
    if ($rawmsg contains "temp-write-test-")
       or ($rawmsg contains "-mc.log")
       or ($rawmsg contains "/bb-plugin/cache") then {
        stop
    }
}

But the messages still show up.

If the message is malformed, what can I do?

This is one such message I'm still getting:

"message": type=PATH msg=audit(1715691166.683:1235018): item=1
name=\"/var/www/[redacted]/htdocs/wp-content/mc_data/e0dd02283d6008e11343bf4b5d38ced4-mc.log\"
inode=2427162 dev=08:01 mode=0100644 ouid=1010 ogid=2011 rdev=00:00
nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
OUID=\"[redacted\" OGID=\"redacted\"

Thomas J. Raef
Founder, WeWatchYourWebsite.com
http://wewatchyourwebsite.com
tr...@wewatchyourwebsite.com
LinkedIn 
Facebook 



On Fri, May 24, 2024 at 6:49 AM Rainer Gerhards 
wrote:

> I guess the message is malformed and the string you look for is inside
> another field.
>
> I would suggest that you use "$rawmsg" instead of "$msg". If that
> works, a) we are on the right track and b) you actually solved the
> issue, albeit probably not in the best possible way.
>
> HTH
> Rainer

Re: [rsyslog] Stop actions

2024-05-24 Thread Rainer Gerhards via rsyslog
I guess the message is malformed and the string you look for is inside
another field.

I would suggest that you use "$rawmsg" instead of "$msg". If that
works, a) we are on the right track and b) you actually solved the
issue, albeit probably not in the best possible way.

HTH
Rainer

On Fri, 24 May 2024 at 12:28, Thomas Raef via rsyslog wrote:
>
> I have rules setup but I want to ignore all entries like this:
>
>  "message": type=PATH msg=audit(1715687344.694:1226486): item=3
> name=\"/var/www/[redacted].com/htdocs/wp-content/temp-write-test-12345467\"
> inode=1661307 dev=08:01 mode=0100644 ouid=1005 ogid=2006 rdev=00:00
> nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
> OUID=\"[redacted]\" OGID=\"[redacted]\"
>
> I want to ignore all entries that have temp-write-test- in the message.
>
> I've tried:
>
> :msg, contains, "temp-write-test-" stop
>
>
>
> But I continually get messages with that string in them. I've tried it with
> that as the first rule.
>
>
> And I've tried this as well:
>
>
> ruleset(name="drop") {
>     if ($msg contains "temp-write-test-")
>        or ($msg contains "-mc.log")
>        or ($msg contains "/bb-plugin/cache") then {
>         stop
>     }
> }
>
> input(type="imfile"
>       File="/var/log/audit/audit.log"
>       Tag="audit_logs"
>       ruleset="drop"
>       reopenOnTruncate="on"
> )
>
>
> Nothing works.
>
>
> Can anyone shed some light? Please?
>
>
> Thomas J. Raef
> Founder, WeWatchYourWebsite.com
> http://wewatchyourwebsite.com
> tr...@wewatchyourwebsite.com
> LinkedIn 
> Facebook 