How to chain filters with rsyslog 5.8 [Resolved]

I'm attempting to create an rsyslogd filter that forwards syslog messages from a remote host that are above a certain severity level. I'm able to do it on a different server that has rsyslogd v8.24. But I'm stuck trying to do it with the old rsyslogd v5.8 syntax.

The only filter I've had success with is app-name and currently my rules are:

:app-name, isequal, "app1" @ 
:app-name, isequal, "app2" @ 

How can I add a severity level filter so that only messages that match the app names AND are above a certain level get forwarded?

With rsyslogd v8.24 my filter is as below. It would be even better if there was a way to replicate that in v5.8.

if $fromhost-ip == "" and $syslogseverity <= 4 then @

Question Credit: sipwiz
Asked July 21, 2019
Tags: rsyslog
Posted Under: Network
1 Answer

I downloaded and built the 5.8 sources, and did some testing, and to cut a long story short, all you need to do is change from using double-quotes to single-quotes for your string constants in RainerScript. I.e. try

if $fromhost-ip=='' and $syslogseverity<=4 then ...

For other readers who may need to do a similar build, I downloaded the 5.8 sources and configured them with debug and imfile (to use for input):

./configure --enable-debug --enable-diagtools --enable-imfile

Since I didn't want to install the files to /usr/local, I set DESTDIR to create an installation tree under the build directory.

make install DESTDIR=$PWD/x

The rsyslogd binary is then in x/usr/local/sbin/. The arguments to use for a standalone test config need -u2 to not do a chdir("/"), and -c5 forces the parsing to stay in version 5 syntax, so run with:

rsyslogd -c5 -u2 -i /tmp/pidfile -f my.conf

to which you need to add -M$PWD/x/usr/local/lib/ to find the modules. You can do a config file syntax check with -N1, and run with debug with -dn.

credit: meuh
Answered July 21, 2019
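As an added example (not part of meuh's answer or the rsyslog project's documentation), here is a v5-syntax RainerScript rule that combines the two app-name matches from the question with the severity test, using single-quoted string constants as the answer describes. The forwarding target 192.0.2.10 is a placeholder; the grouping parentheses and the `and`/`or` operators follow the v3-era RainerScript expression syntax that v5 still parses.

```rsyslog
# Forward only messages whose app-name is app1 or app2 AND whose severity
# is warning (4) or more urgent (lower numbers are more severe).
# Placeholder collector: 192.0.2.10 (replace with the real forwarding host).
if ($app-name == 'app1' or $app-name == 'app2') and $syslogseverity <= 4 then @192.0.2.10

# Check the file parses under the v5 grammar before reloading:
#   rsyslogd -c5 -N1 -f my.conf
```

With the legacy `:app-name, isequal, ...` property filters, each line can test only one property, so the combined condition needs the RainerScript `if` form rather than two stacked property filters.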