我尝试了很多不同的方法。我有一个从代理服务器到端口1522的传入syslog提要。我正在尝试匹配消息/正文“ location =“的一部分,并将每个日志从特定位置发送到其自己的文件。我是在小范围内完成此操作的,但从来没有做过长的多行操作。
示例系统日志:
pip install freetype-py
我在/etc/rsyslog.d/networks.conf文件中尝试了以下变体,但是没有一个匹配位置并定向到其他文件:
TAKE-1:
Feb 22 22:59:51 192.168.0.126 |2019-02-22 22:58:20|reason=Allowed|event_id=6660962988918112262|protocol=HTTP|action=Allowed|transactionsize=8374|responsesize=6073|requestsize=2301|urlcategory=Internet Services|serverip=52.114.76.34|clienttranstime=125000|requestmethod=CONNECT|refererURL=None|useragent=Unknown|product=NSS|location=ABC Corporation|ClientIP=192.168.1.152|status=200|user=ABC Corporation|url=mobile.pipe.aria.microsoft.com|vendor=Zscaler|hostname=mobile.pipe.aria.microsoft.com|clientpublicIP=192.65.41.5|threatcategory=Clean Transaction|threatname=None|filetype=None|appname=Common Office 365 Applications|pagerisk=0|department=Default Department|urlsupercategory=Internet Communication|appclass=Business|dlpengine=None|urlclass=Business Use|threatclass=Clean Transaction|dlpdictionaries=None|fileclass=None|bwthrottle=NO|servertranstime=125000
TAKE-2:
template(name="abc-zscaler-web" type="string" string="/var/rsyslog/zscaler-web/%FROMHOST%/abc-%$year%-%$month%-%$day%.log")
template(name="def-zscaler-web" type="string" string="/var/rsyslog/zscaler-web/%FROMHOST%/def-%$year%-%$month%-%$day%.log")
template(name="ghi-zscaler-web" type="string" string="/var/rsyslog/zscaler-web/%FROMHOST%/ghi-%$year%-%$month%-%$day%.log")
$RuleSet Remote1522
$RuleSet CreateMainQueue on
if $msg contains 'location=ABC ' then {action(type="omfile" DynaFile="abc-zscaler-web") stop}
if $msg contains 'location=DEF ' then {action(type="omfile" DynaFile="def-zscaler-web") stop}
if $msg contains 'location=GHI ' then {action(type="omfile" DynaFile="ghi-zscaler-web") stop}
*.* then {action(type="omfile" DynaFile="abc-zscaler-web") stop}
$InputTCPServerBindRuleset Remote1522
$InputTCPServerRun 1522
TAKE-3
$RuleSet Remote1522
$RuleSet CreateMainQueue on
if $msg contains "location=ABC " then /var/rsyslog/zscaler-web/%FROMHOST%/abc-%$year%-%$month%-%$day%.log
if $msg contains "location=ABC " then stop
if $msg contains "location=DEF " then /var/rsyslog/zscaler-web/%FROMHOST%/def-%$year%-%$month%-%$day%.log
if $msg contains "location=DEF " then stop
if $msg contains "location=GHI " then /var/rsyslog/zscaler-web/%FROMHOST%/ghi-%$year%-%$month%-%$day%.log
if $msg contains "location=GHI " then stop
*.* /var/rsyslog/zscaler-web/%FROMHOST%/abc-%$year%-%$month%-%$day%.log
$InputTCPServerBindRuleset Remote1522
$InputTCPServerRun 1522
TAKE-4(还有更多,但这是最后一个有意义的)
$RuleSet Remote1522
$RuleSet CreateMainQueue on
if ( $msg contains 'location=ABC ') then {
action(type="omfile" file="/var/rsyslog/zscaler-web/%FROMHOST%/abc-%$year%-%$month%-%$day%.log")
} else if ($msg contains 'location=DEF ') then {
action(type="omfile" file="/var/rsyslog/zscaler-web/%FROMHOST%/def-%$year%-%$month%-%$day%.log")
} else if ($msg contains 'location=GHI ') then {
action(type="omfile" file="/var/rsyslog/zscaler-web/%FROMHOST%/ghi-%$year%-%$month%-%$day%.log")
} else {action(type="omfile" file="/var/rsyslog/zscaler-web/%FROMHOST%/abc-%$year%-%$month%-%$day%.log")
}
$InputTCPServerBindRuleset Remote1522
$InputTCPServerRun 1522
我在reiner脚本中缺少某些内容吗?对代码/位置进行了清理,以保护无辜者。
答案 0 :(得分:0)
我不知道这是否只是您在此处的副本中的错误,而是行
$RuleSet CreateMainQueue on
应该是
$RuleSetCreateMainQueue on
如果您使用rsyslogd -N1 -f server.conf
之类的东西测试服务器配置文件的语法,您将看到错误:
rsyslogd: error: extra characters in config line ignored: 'on'
最终结果是,您定义了一个名为 CreateMainQueue 的规则集,而不是 Remote1522 。