rsyslog filter on the authpriv facility in rsyslog.conf

This has been addressed in other posts, but I still cannot get it to work.

I am trying to omit (drop) certain entries written to "/var/log/secure".

That is, any line containing certain trusted IP addresses, in this example "IP = 10.10.10.10".

As far as I understand, a REGEX expression like this should do the trick, but I think the problem is where I put it in the file:

if $syslogfacility-text == 'authpriv' and $msg !contains '10.10.10.10' then /var/log/secure
    &~



Here is what I have tried so far in the /etc/rsyslog.conf file:
#rsyslog v3 config file

# if you experience problems, check
# http://www.rsyslog.com/troubleshoot for assistance

#### MODULES ####

$ModLoad imuxsock.so    # provides support for local system logging (e.g. via logger command)
$ModLoad imklog.so  # provides kernel logging support (previously done by rklogd)

#### GLOBAL DIRECTIVES ####

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

#### RULES ####

if $syslogfacility-text == 'authpriv' and $msg !contains '10.10.10.10' then /var/log/secure
&~

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none           /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                             /var/log/secure



Another slight variation of the rsyslog.conf file is below; as far as I can tell, the only difference is the order in which this rule appears:

#rsyslog v3 config file

# if you experience problems, check
# http://www.rsyslog.com/troubleshoot for assistance

#### MODULES ####

$ModLoad imuxsock.so    # provides support for local system logging (e.g. via logger command)
$ModLoad imklog.so  # provides kernel logging support (previously done by rklogd)

#### GLOBAL DIRECTIVES ####

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

#### RULES ####

if $syslogfacility-text == 'authpriv' and $msg !contains '10.10.10.10' then /var/log/secure
&~

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none           /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                             /var/log/secure
if $syslogfacility-text == 'authpriv' and $msg !contains '10.10.10.10' then /var/log/secure
&~

I have tried many other things, but I don't want to pollute this post with too many variations.

Another key point is that I need to make sure the other log files rsyslog writes across the system can still track this IP address.

So, essentially, just remove any line containing "10.10.10.10" from "/var/log/secure".
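As an added example (not from the original post), here is a RULES section that keeps the trusted host's lines out of /var/log/secure without discarding them system-wide; it assumes the poster's rsyslog v3 setup and the same 10.10.10.10 address, and uses the RainerScript "not (...)" form because "!contains" is not an operator in "if" expressions.

```rsyslog
#### RULES ####

# Write authpriv messages to /var/log/secure only when they do NOT
# mention the trusted host. Nothing follows this rule with "&~":
# the message keeps flowing through the remaining rules, so any
# other file that selects it still records the 10.10.10.10 lines.
# Note that "contains" is a plain substring match, so 10.10.10.100
# would be filtered as well; tighten the pattern if that matters.
if $syslogfacility-text == 'authpriv' and not ($msg contains '10.10.10.10') then /var/log/secure

# Why the posted versions behave the other way round: "&~" discards
# the messages that matched the preceding filter, i.e. the ones
# WITHOUT the IP. The lines WITH the IP do not match, fall through
# to the stock "authpriv.*" rule below and land in /var/log/secure.

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none           /var/log/messages

# The stock authpriv line must go (or stay commented out); leaving
# it in writes every authpriv message to /var/log/secure again,
# including the ones just filtered out.
#authpriv.*                                             /var/log/secure
```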
