rsyslog Filtering Based on IP Address with Wildcards

8,172

I was actually able to discover the solution on my own after finding a debug option for running rsyslog. Apparently, you can call rsyslogd directly from the console like so:

rsyslogd -d

Doing that will show a live stream of all rule parsing. After a ton of trial and error using this trick, I was able to determine that my filter rules were failing because several parts needed to be not just escaped, but double escaped. This really surprised me.

Here is what my final rule looked like:

:fromhost-ip, regex, "10\\.[0-9]\\+\\.1\\.2" -/var/log/test.log
& ~

And here is the output for a couple of successful examples. Notice that the + has to show up here as escaped, which is strange because no matches are found if you plug it into the official rsyslog regex tester this way:

Filter: check for property 'fromhost-ip' (value '10.1.1.2') regex '10\.[0-9]\+\.1\.2': TRUE

Filter: check for property 'fromhost-ip' (value '10.24.1.2') regex '10\.[0-9]\+\.1\.2': TRUE

In case anyone reading this some day is curious, here are some of my trial and error examples, most of which simply failed entirely:

Filter: check for property 'fromhost-ip' (value '10.1.1.2') regex '10.[0-9]+.1.2': FALSE

Filter: check for property 'fromhost-ip' (value '10.1.1.2') regex '^10.[0-9]+.1.2$': FALSE

Filter: check for property 'fromhost-ip' (value '10.1.1.2') regex '10\.[0-9]+\.1\.2': FALSE

Filter: check for property 'fromhost-ip' (value '10.1.1.2') regex '10\.1\.1\.2': TRUE

Filter: check for property 'fromhost-ip' (value '10.1.1.2') regex '10\.[0-9]\.1\.2': TRUE

Filter: check for property 'fromhost-ip' (value '10.1.1.2') regex '10\.[0-9]+\.1\.2': FALSE
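The behaviour the answer observed has a known cause: rsyslog's legacy `:property, regex, ...` filter compiles the pattern with POSIX `regcomp()` in basic regular expression (BRE) mode, where a bare `+` is a literal character and the quantifier is written `\+` (a GNU extension that glibc accepts in BRE). Online testers, and rsyslog's `ereregex` compare operation, use extended regular expressions (ERE), where the roles are reversed. The program below is an added example, not code from the original post or from the rsyslog project; it feeds the page's own patterns through `regcomp()` in both modes and also shows a tighter, anchored pattern matching the asker's stated `10.NN.1.2` scheme. The sample addresses are constructed; the C string literals double every backslash, which is C's own string escaping, but it makes the regex engine see the same single-escaped pattern that rsyslog's debug output printed above.

```c
#include <regex.h>
#include <stdio.h>

/* Compile `pattern` with POSIX regcomp() and test it against `value`.
 * extended == 0 selects basic regular expressions (BRE), the syntax rsyslog's
 * legacy ":property, regex, ..." filter uses; extended != 0 selects REG_EXTENDED
 * (ERE), which rsyslog's "ereregex" filter and most online testers use.
 * Returns 1 on match, 0 on no match, -1 if the pattern does not compile. */
int match_ip(const char *pattern, const char *value, int extended)
{
    regex_t re;
    int cflags = REG_NOSUB | (extended ? REG_EXTENDED : 0);
    if (regcomp(&re, pattern, cflags) != 0)
        return -1;
    int rc = regexec(&re, value, 0, NULL, 0);
    regfree(&re);
    return rc == 0 ? 1 : 0;
}

/* Constructed sample source addresses: two that the asker wants routed
 * (10.<two digits>.1.2) and two look-alikes that an unanchored filter
 * would also catch, misrouting their logs into the same file. */
static const char *samples[] = { "10.1.1.2", "10.24.1.2", "110.24.1.22", "10.24.1.20" };

int main(void)
{
    /* Each C literal doubles the backslashes, so the engine sees e.g.
     * 10\.[0-9]\+\.1\.2 -- the same doubling the answer needed in rsyslog.conf. */
    const char *patterns[] = {
        "10\\.[0-9]+\\.1\\.2",          /* '+' is a literal in BRE, a quantifier in ERE */
        "10\\.[0-9]\\+\\.1\\.2",        /* '\+' is the GNU BRE quantifier, a literal '+' in ERE */
        "^10\\.[0-9]\\{2\\}\\.1\\.2$",  /* anchored, exactly two digits: the stated address scheme */
    };
    for (size_t p = 0; p < 3; p++)
        for (size_t s = 0; s < 4; s++)
            printf("BRE=%d ERE=%d  %-30s  %s\n",
                   match_ip(patterns[p], samples[s], 0),
                   match_ip(patterns[p], samples[s], 1),
                   patterns[p], samples[s]);
    return 0;
}
```

Two things the table makes visible that the debug output alone does not: the working pattern `10\.[0-9]\+\.1\.2` is unanchored and accepts any run of digits, so it also matches `110.24.1.22` and `10.24.1.20`, and because the rule ends with `& ~` those messages are then discarded rather than reaching their intended destination. Anchoring with `^...$` and using the BRE interval `\{2\}` restricts the filter to the address scheme the question actually describes.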

Updated on September 18, 2022

Comments

  • Brad Turner over 1 year

    I have some syslog traffic being processed by rsyslog and I'd like to set up filters to store the logs based on the IP addresses of the source devices. I have a large number of devices and would prefer to avoid creating a rule for each device. The IP scheme is consistent enough that I would think I could handle everything with a single rule but I'm having trouble getting it to work.

    Here are a couple of (failed) examples of what I'm trying to accomplish:

    :FROMHOST, regex, "10\.[0-9]+\.1\.2" -/var/log/test.log
    & ~
    

    or

    if ( re_match($fromhost-ip, '10\.[0-9]+\.1\.2') ) then { -/var/log/test.log }
    & ~ 
    

    Basically, the IP scheme for these devices will always be 10.*.1.2, where * is a 2 digit number corresponding to the location of the device.

    Can someone give me an idea of where I'm going wrong with this?

    Thank you!