Mailing List Archive: RSyslog: users

question on filtering

 

 



larry.erdahl at usbank

May 7, 2012, 12:47 PM

Post #1 of 2 (190 views)
question on filtering

Greetings,

I'm new to rsyslog and have very limited knowledge on the subject. I've
googled and read all of the online documentation that I could find;
however, I'm still struggling to find out if I can filter to exclude
messages. I have a lot of auditd events that I don't need to send to my
centralized collection server, such as the one below.

type=SYSCALL msg=audit(1336411413.690:393395): arch=40000003 syscall=10
per=400000 success=yes exit=0 a0=89054c5 a1=0 a2=b7f6ddcc a3=64 items=2
ppid=20173 pid=20174 auid=100033 uid=0 gid=0 euid=2 suid=0 fsuid=2 egid=2
sgid=0 fsgid=2 tty=(none) ses=2648 comm="vasd" exe="/opt/quest/sbin/vasd"
key="delete"

Is there a way to filter these messages out, so that they're not sent to a
syslog server or saved in the /var/log/audit log?

Are there any good books on rsyslog that would be a good reference for a
newbie?

Any help or direction would be appreciated!

Thanks..

Larry E. Erdahl
Information Security Services
Information Security Monitoring Group
1 Meridian Crossing
Richfield, MN 55423
Mail Code: EP-MN-MS6I
Office Phone: (612)973-7153
Cell Phone (612)964-7379
U.S. BANCORP made the following annotations
---------------------------------------------------------------------
Electronic Privacy Notice. This e-mail, and any attachments, contains information that is, or may be, covered by electronic communications privacy laws, and is also confidential and proprietary in nature. If you are not the intended recipient, please be advised that you are legally prohibited from retaining, using, copying, distributing, or otherwise disclosing this information in any manner. Instead, please reply to the sender that you have received this communication in error, and then immediately delete it. Thank you in advance for your cooperation.



---------------------------------------------------------------------

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards


jrhett at netconsonance

May 7, 2012, 1:36 PM

Post #2 of 2 (187 views)
Re: question on filtering [In reply to]

Use a drop action. Look at the action queues.

On May 7, 2012, at 12:47 PM, larry.erdahl [at] usbank wrote:
> I'm new to rsyslog and have very limited knowledge on the subject. I've
> googled and read all of the online documentation that I could find;
> however, I'm still struggling to find out if I can filter to exclude
> messages. I have a lot of auditd events that I don't need to send to my
> centralized collection server, such as the one below.
>
> type=SYSCALL msg=audit(1336411413.690:393395): arch=40000003 syscall=10
> per=400000 success=yes exit=0 a0=89054c5 a1=0 a2=b7f6ddcc a3=64 items=2
> ppid=20173 pid=20174 auid=100033 uid=0 gid=0 euid=2 suid=0 fsuid=2 egid=2
> sgid=0 fsgid=2 tty=(none) ses=2648 comm="vasd" exe="/opt/quest/sbin/vasd"
> key="delete"
>
> Is there a way to filter these messages out, so that they're not sent to a
> syslog server or saved in the /var/log/audit log?
>
> Are there any good books on rsyslog that would be a good reference for a
> newbie?
>
> Any help or direction would be appreciated!
>
> Thanks..

--
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.
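A concrete form of the drop action Jo points at, as an added example that is not part of either post and not the rsyslog project's own configuration. It assumes the audit records reach rsyslog through the audisp syslog plugin and arrive with the program name "audispd", and that the central collector is reachable as collector.example.com; both names are placeholders. The discard is deliberately narrow (SYSCALL records from the vasd binary produced by the audit rule keyed "delete", the three facts visible in Larry's sample record) rather than "everything from auditd", so the rest of the audit trail still reaches the collector.

```conf
# /etc/rsyslog.conf fragment (added example, not from the thread).
# Assumptions: audit records arrive via the audisp syslog plugin with
# $programname "audispd"; the collector is collector.example.com.
# rsyslog evaluates rules top to bottom, so the discard must sit above
# every forwarding and file action it is meant to protect.

# Narrow discard: only SYSCALL records from vasd that were produced by the
# audit rule keyed "delete".  RainerScript "if" in rsyslog v5/v6 style;
# "~" is the discard action (on rsyslog v7 and later write "then stop").
if $programname == 'audispd' and $msg contains 'type=SYSCALL' and $msg contains 'exe="/opt/quest/sbin/vasd"' and $msg contains 'key="delete"' then ~

# The older property-based filter syntax takes one condition per line, so
# this broader form would drop every record mentioning the vasd binary:
# :msg, contains, "/opt/quest/sbin/vasd" ~

# Everything that survives the discard is forwarded to the collector over
# TCP (@@); a single @ would send UDP.
*.* @@collector.example.com:514

# Syntax-check a changed file before restarting the daemon:
#   rsyslogd -N1 -f /etc/rsyslog.conf
```

Two caveats a practitioner would want. First, /var/log/audit/audit.log is written by auditd itself, not through syslog, so no rsyslog rule can keep records out of that file; rsyslog only ever sees the copy that the audisp syslog plugin forwards, and trimming audit.log is a matter of tightening the audit rule that carries the "delete" key. Second, a discard at the source removes that record from the central evidence permanently, which is why the condition above keys on the exe path and the rule key together rather than on the message type alone.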


