Multiple Inputs for Single Rule Set (Filtering/dropping in a single location)
Question
We're attempting to apply a single filter "0_MasterFilter.conf" to filter/drop all messages with certain IPs and hostnames coming in on ALL configured listening ports, in a single location, in order to reduce administrative overhead.
We're attempting to use a single ruleset "rsyslog_rules" only. Then have multiple inputs for all of the different listening ports. Will the following work? Or is there a better way?
0_MasterFilter.conf

    ruleset (name=rsyslog_rules) {
        if $fromhost starts with 'bilbo' or $fromhost-ip == '0.1.1.1' then { stop }
    }

1_Port514.conf

    ruleset (name=rsyslog_rules) {
        if $fromhost starts with 'testbox' or $fromhost-ip == '0.2.2.2' then { stop }
        set $!dev='syslog_server'
        set $!loc='net1'
        action (type="omfile" dynafile="514_serverX")
    }
    input (type="imptcp" port="514" ruleset="rsyslog_rules")
    input (type="impudp" port="514" ruleset="rsyslog_rules")

2_Port600.conf

    ruleset (name=rsyslog_rules) {
        if $fromhost starts with 'lost' or $fromhost-ip == '0.3.3.3' then { stop }
        set $!dev='dum_machine'
        set $!loc='backroom'
        action (type="omfile" dynafile="600_test")
    }
    input (type="imptcp" port="600" ruleset="rsyslog_rules")
Answer 1
Score: 0
You cannot define a ruleset more than once, so ruleset(name="rsyslog_rules"){...} can only appear once. Note that the name must be in quotes. Also, "startswith" is one word. Do a syntax check with rsyslogd -N1 -f myconfig.conf.

If you want to have a set of rules that apply to all inputs, but also have individual rules that only apply to some of the inputs, then you can put all the common rules in one ruleset, and bind a new independent ruleset to each input, but call the common ruleset from these independent rulesets. For example:
0_MasterFilter.conf

    ruleset (name="rsyslog_rules") {
        # common drop rules, shared by every input that calls this ruleset
        if $fromhost startswith 'bilbo' or $fromhost-ip == '0.1.1.1' then { stop }
    }

1_Port514.conf

    ruleset (name="special1") {
        # run the common filter first; messages it stops never reach the lines below
        call rsyslog_rules
        if $fromhost startswith 'testbox' or $fromhost-ip == '0.2.2.2' then { stop }
        # set statements in RainerScript end with a semicolon
        set $!dev = 'syslog_server';
        set $!loc = 'net1';
        action (type="omfile" dynafile="514_serverX")
    }
    input (type="imptcp" port="514" ruleset="special1")
    input (type="impudp" port="514" ruleset="special1")

The call command can be given anywhere in a ruleset. Note that the name is not put in quotes ("").
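As an added check that is not part of the question or the answer: a small Python linter for the pitfalls this answer lists (a ruleset defined more than once, an unquoted ruleset name, "starts with" written as two words, and inputs or calls bound to a ruleset no file defines). The file names and config text are a constructed copy of the asker's fragments, and the regular expressions are a rough approximation of rsyslog's syntax, not its parser; rsyslogd -N1 remains the authoritative check.

```python
import re
from collections import defaultdict

# Constructed sample input: two of the asker's fragments, each defining
# "rsyslog_rules" itself (the mistake the answer points out), plus one
# input bound to a ruleset that is never defined.
SAMPLE_CONFIGS = {
    "0_MasterFilter.conf": (
        "ruleset (name=rsyslog_rules) {\n"
        "  if $fromhost starts with 'bilbo' or $fromhost-ip == '0.1.1.1' then { stop }\n"
        "}\n"),
    "1_Port514.conf": (
        'ruleset (name="rsyslog_rules") {\n'
        "  if $fromhost startswith 'testbox' then { stop }\n"
        '  action (type="omfile" dynafile="514_serverX")\n'
        "}\n"
        'input (type="imptcp" port="514" ruleset="rsyslog_rules")\n'
        'input (type="impudp" port="514" ruleset="special1")\n'),
}

RULESET_RE = re.compile(r'\bruleset\s*\(\s*name\s*=\s*("?)([\w.-]+)\1\s*\)')
BIND_RE = re.compile(r'\binput\s*\([^)]*\bruleset\s*=\s*"([\w.-]+)"')
CALL_RE = re.compile(r'^\s*call\s+(\S+)', re.MULTILINE)
SPLIT_STARTSWITH_RE = re.compile(r'\bstarts\s+with\b')

def lint_rsyslog(configs):
    """Return sorted (location, message) pairs for the pitfalls named in the answer."""
    problems = []
    definitions = defaultdict(list)   # ruleset name -> files that define it
    references = []                   # (file, ruleset name) from input bindings and calls
    for fname, text in configs.items():
        for m in RULESET_RE.finditer(text):
            quote, name = m.groups()
            definitions[name].append(fname)
            if not quote:
                problems.append((fname, f"ruleset name {name} must be quoted"))
        if SPLIT_STARTSWITH_RE.search(text):
            problems.append((fname, "'starts with' must be one word: startswith"))
        references += [(fname, n) for n in BIND_RE.findall(text)]
        for m in CALL_RE.finditer(text):
            name = m.group(1)
            if name.startswith('"'):   # call takes the bare name, not a quoted string
                problems.append((fname, f"call {name}: name is not quoted"))
            references.append((fname, name.strip('"')))
    for name, files in definitions.items():
        if len(files) > 1:
            problems.append((", ".join(sorted(files)),
                             f"ruleset {name} defined {len(files)} times; define it once and call it"))
    for fname, name in references:
        if name not in definitions:
            problems.append((fname, f"ruleset {name} is referenced but never defined"))
    return sorted(problems)

if __name__ == "__main__":
    for where, msg in lint_rsyslog(SAMPLE_CONFIGS):
        print(f"{where}: {msg}")
```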