We're attempting to apply a single filter "0_MasterFilter.conf" to filter/drop all messages with certain IPs and hostnames coming in on ALL configured listening ports, in a single location, in order to reduce administrative overhead.
We're attempting to use a single ruleset "rsyslog_rules" only. Then have multiple inputs for all of the different listening ports. Will the following work? Or is there a better way?
0_MasterFilter.conf
ruleset (name=rsyslog_rules) {
if $fromhost starts with 'bilbo' or $fromhost-ip == '0.1.1.1' then { stop }
}
1_Port514.conf
ruleset (name=rsyslog_rules) {
if $fromhost starts with 'testbox' or $fromhost-ip == '0.2.2.2' then { stop }
set $!dev='syslog_server'
set $!loc='net1'
action (type="omfile" dynafile="514_serverX")
}
input (type="imptcp" port="514" ruleset="rsyslog_rules")
input (type="impudp" port="514" ruleset="rsyslog_rules")
2_Port600.conf
ruleset (name=rsyslog_rules) {
if $fromhost starts with 'lost' or $fromhost-ip == '0.3.3.3' then { stop }
set $!dev='dum_machine'
set $!loc='backroom'
action (type="omfile" dynafile="600_test")
}
input (type="imptcp" port="600" ruleset="rsyslog_rules")
You cannot define a ruleset more than once, so ruleset(name="rsyslog_rules"){...} can only appear once. Note that the name must be in quotes. Also, startswith is one word. Do a syntax check with rsyslogd -N1 -f myconfig.conf.
If you want to have a set of rules that apply to all inputs, but also have individual rules that only apply to some of the inputs, then you can put all the common rules in one ruleset, and bind a new independent ruleset to each input, but call the common ruleset from these independent rulesets. For example:
0_MasterFilter.conf
ruleset (name="rsyslog_rules") {
if $fromhost startswith 'bilbo' or $fromhost-ip == '0.1.1.1' then { stop }
}
1_Port514.conf
ruleset (name="special1") {
call rsyslog_rules
if $fromhost startswith 'testbox' or $fromhost-ip == '0.2.2.2' then { stop }
set $!dev='syslog_server';
set $!loc='net1';
action (type="omfile" dynafile="514_serverX")
}
input (type="imptcp" port="514" ruleset="special1")
input (type="impudp" port="514" ruleset="special1")
The call command can be given anywhere in a ruleset. Note that the name is not put in quotes ("").
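Added example, not part of the thread: a small Python checker that scans rsyslog config fragments for the pitfalls the answer lists (unquoted ruleset name, a ruleset defined twice, two-word "starts with", a quoted call target) plus the ";" that terminates a RainerScript set statement. The SAMPLE text is constructed here to mirror the question's layout; it is not a real config from the thread.

```python
import re

# Constructed sample mirroring the question's layout: unquoted and duplicated
# ruleset name, two-word "starts with", a quoted call target, and a set without ";".
SAMPLE = """\
ruleset (name=rsyslog_rules) {
if $fromhost starts with 'bilbo' or $fromhost-ip == '0.1.1.1' then { stop }
}
ruleset (name=rsyslog_rules) {
call "rsyslog_rules"
set $!dev='syslog_server'
action (type="omfile" dynafile="514_serverX")
}
"""

# Capture an optional opening quote so we can tell quoted from unquoted names.
RULESET_RE = re.compile(r'^\s*ruleset\s*\(\s*name\s*=\s*("?)([^"\s)]+)\1\s*\)')
CALL_RE = re.compile(r'^\s*call\s+("?)([^"\s;]+)\1')
SET_RE = re.compile(r'^\s*set\s+\$')

def lint(text):
    """Return (line_no, message) pairs for the RainerScript pitfalls discussed above."""
    issues, seen = [], {}
    for no, line in enumerate(text.splitlines(), 1):
        m = RULESET_RE.match(line)
        if m:
            quoted, name = m.group(1), m.group(2)
            if not quoted:
                issues.append((no, f'ruleset name must be quoted: name="{name}"'))
            if name in seen:  # a ruleset may be defined only once
                issues.append((no, f'ruleset {name} already defined on line {seen[name]}'))
            else:
                seen[name] = no
        m = CALL_RE.match(line)
        if m and m.group(1):  # call takes a bare ruleset name, no quotes
            issues.append((no, f'call target must not be quoted: call {m.group(2)}'))
        if re.search(r'\bstarts\s+with\b', line):
            issues.append((no, 'use the one-word operator: startswith'))
        if SET_RE.match(line) and not line.rstrip().endswith(';'):
            issues.append((no, 'set statements are terminated with ";"'))
    return issues

if __name__ == '__main__':
    for no, msg in lint(SAMPLE):
        print(f'line {no}: {msg}')
```

Run it over each .conf fragment before rsyslogd -N1; it catches the naming mistakes the syntax check would otherwise report with less context.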