Syslog: parsing a badly formatted log

Problem description (votes: 0, answers: 1)

I have a log of this kind:

May 13 17:39:34 192.168.x.254  2020-05-13T17:50:47+00:00 %FIREWALL-I-LOG: zone-pair 'WAN self' rule 10000 denied udp 192.168.x.249:2050 (gi1/0/2 68:05:ca:10:14:87) -> 192.168.x.255:2050 dscp 0, 1 packets
May 13 17:39:34 192.168.x.254  2020-05-13T17:50:47+00:00 %FIREWALL-I-LOG: zone-pair 'WAN self' rule 10000 denied udp 192.168.x.244:5678 (gi1/0/2 d4:ca:6d:da:2e:bb) -> 255.255.255.255:5678 dscp 0, 5 packets

It arrives on my Debian server from the router via syslog.

In the rsyslog configuration on the server I added these lines:

template (name="bsdlogformat" type="string" string="%hostname%  %timereported%  %syslogtag%%msg%\n")
template (name="fileformat" type="string" string="/var/log/rsyslogs/%HOSTNAME%-%syslogtag%.log")

:hostname, isequal, "192.168.x.254" ?fileformat;bsdlogformat

Everything works, except that the file name comes out like this:

192.168.x.254-.log

And the result is:

192.168.x.254  May 13 17:39:34   2020-05-13T17:50:47+00:00 %FIREWALL-I-LOG: zone-pair 'WAN self' rule 10000 denied udp 192.168.x.249:2050 (gi1/0/2 68:05:ca:10:14:87) -> 192.168.x.255:2050 dscp 0, 1 packets
192.168.x.254  May 13 17:39:34   2020-05-13T17:50:47+00:00 %FIREWALL-I-LOG: zone-pair 'WAN self' rule 10000 denied udp 192.168.x.244:5678 (gi1/0/2 d4:ca:6d:da:2e:bb) -> 255.255.255.255:5678 dscp 0, 5 packets

So it does not detect %syslogtag%.

The main problem here is the string

2020-05-13T17:50:47+00:00

I can't find a way to force syslog to recognize this as a date.

How can I solve this?

Tags: logging, debian, syslog, rsyslog
1 answer

0 votes

I found the solution, and it is actually quite simple:

# Output only the sending host, a space and the raw message: rsyslog's own
# header and the (undetected) tag are dropped, the device's ISO timestamp stays.
template(name="bsdlogformat" type="list") {
    property(name="fromhost-ip")
    constant(value=" ")
    property(name="msg")
    constant(value="\n")
}

# One dynamic file per category; %HOSTNAME% is the sending router.
template(name="fileformat" type="string" string="/var/log/rsyslogs/%HOSTNAME%-main.log")
template(name="firewallfile" type="string" string="/var/log/rsyslogs/%HOSTNAME%-firewall.log")
template(name="authfile" type="string" string="/var/log/rsyslogs/%HOSTNAME%-auth.log")
template(name="sshfile" type="string" string="/var/log/rsyslogs/%HOSTNAME%-ssh.log")

# Route on the mnemonic embedded in $msg, since rsyslog did not parse it as the tag.
if ($fromhost-ip == "192.168.0.254") then {
    if ($msg contains "FIREWALL-I-LOG") then {
        action(type="omfile" dynaFile="firewallfile" template="bsdlogformat")
    } else if ($msg contains "AAA-LOCAL-N-AUTH") then {
        action(type="omfile" dynaFile="authfile" template="bsdlogformat")
    } else if ($msg contains "AAA-LOCAL-W-AUTH") then {
        action(type="omfile" dynaFile="authfile" template="bsdlogformat")
    } else if ($msg contains "AAA-E-SSH") then {
        action(type="omfile" dynaFile="sshfile" template="bsdlogformat")
    } else if ($msg contains "AAA-I-SSH") then {
        action(type="omfile" dynaFile="sshfile" template="bsdlogformat")
    } else {
        action(type="omfile" dynaFile="fileformat" template="bsdlogformat")
    }
    stop    # do not let the router's messages fall through to the default rules
}

It only checks $msg and, based on the prefix string it contains, puts the log line into the matching file.
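The question's log lines carry a second, device-generated ISO 8601 timestamp between the host and the Cisco-style mnemonic, which is why rsyslog never recognizes the mnemonic as the syslog tag and why the answer falls back to matching on the contents of $msg. The following Python script is an added example, not code from the question, the answer or the rsyslog project: it recovers the tag with a regular expression that expects exactly this layout, extracts the structured fields of a %FIREWALL-I-LOG denial, reproduces the answer's first-match routing into per-category files (checking the recovered tag, which is equivalent to the answer's `$msg contains` tests because the mnemonic sits inside the message), and sums denied packets per destination so broadcast noise can be told apart from anything worth investigating. The sample lines are constructed with placeholder addresses in place of the redacted "x" octets; the AAA and SYS message bodies are hypothetical, only the firewall layout comes from the post.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed sample lines (not from the original post). They keep the layout of the
# question's log: rsyslog's RFC 3164 header, the relaying router's address, then the
# device's own ISO 8601 timestamp and Cisco-style tag inside the message body.
# Placeholder addresses replace the redacted "x" octets; the AAA/SYS bodies are hypothetical.
SAMPLE_LINES = [
    "May 13 17:39:34 192.168.0.254  2020-05-13T17:50:47+00:00 %FIREWALL-I-LOG: zone-pair 'WAN self' "
    "rule 10000 denied udp 192.168.0.249:2050 (gi1/0/2 68:05:ca:10:14:87) -> 192.168.0.255:2050 dscp 0, 1 packets",
    "May 13 17:39:34 192.168.0.254  2020-05-13T17:50:47+00:00 %FIREWALL-I-LOG: zone-pair 'WAN self' "
    "rule 10000 denied udp 192.168.0.244:5678 (gi1/0/2 d4:ca:6d:da:2e:bb) -> 255.255.255.255:5678 dscp 0, 5 packets",
    "May 13 17:40:02 192.168.0.254  2020-05-13T17:51:15+00:00 %AAA-I-SSH: session opened for admin from 192.168.0.10",
    "May 13 17:40:09 192.168.0.254  2020-05-13T17:51:22+00:00 %SYS-I-BOOT: system restarted",
]

HEADER_RE = re.compile(
    r"^(?P<bsd_ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "   # rsyslog's own RFC 3164 timestamp
    r"(?P<relay>\S+)\s+"                                       # host the message was received from
    r"(?P<iso_ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:Z|[+-]\d{2}:\d{2}))\s+"  # device timestamp in msg
    r"(?P<tag>%[A-Z0-9]+(?:-[A-Z0-9]+)*):\s+"                  # mnemonic rsyslog failed to treat as the tag
    r"(?P<text>.*)$"
)

FIREWALL_RE = re.compile(
    r"zone-pair '(?P<zone_pair>[^']+)' rule (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src_ip>[\d.]+):(?P<src_port>\d+) \((?P<iface>\S+) (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\) -> "
    r"(?P<dst_ip>[\d.]+):(?P<dst_port>\d+) dscp (?P<dscp>\d+), (?P<packets>\d+) packets$"
)


@dataclass
class SyslogEvent:
    relay: str        # host rsyslog received the message from (the router)
    device_ts: str    # the device's own ISO 8601 timestamp
    tag: str          # recovered tag, e.g. "%FIREWALL-I-LOG"
    text: str         # message body after the tag
    fields: Dict[str, str] = field(default_factory=dict)  # structured fields for firewall events


def parse_line(line: str) -> Optional[SyslogEvent]:
    """Recover the tag rsyslog missed, then pull structured fields out of firewall denials."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        return None  # not in the expected layout; caller decides what to do with it
    ev = SyslogEvent(relay=m["relay"], device_ts=m["iso_ts"], tag=m["tag"], text=m["text"])
    fw = FIREWALL_RE.match(ev.text)
    if fw is not None:
        ev.fields = fw.groupdict()
    return ev


# Same first-match-wins order as the answer's if/else chain.
ROUTES: Tuple[Tuple[str, str], ...] = (
    ("FIREWALL-I-LOG", "firewall"),
    ("AAA-LOCAL-N-AUTH", "auth"),
    ("AAA-LOCAL-W-AUTH", "auth"),
    ("AAA-E-SSH", "ssh"),
    ("AAA-I-SSH", "ssh"),
)
LOG_DIR = "/var/log/rsyslogs"  # the directory used by the answer's templates


def route_for(ev: SyslogEvent) -> str:
    """Return the file the answer's rsyslog rules would write this event to."""
    name = next((name for needle, name in ROUTES if needle in ev.tag), "main")
    return f"{LOG_DIR}/{ev.relay}-{name}.log"


def denied_by_destination(lines) -> Dict[Tuple[str, int, str], int]:
    """Sum denied packets per (dst_ip, dst_port, proto); broadcast noise stands out."""
    totals: Dict[Tuple[str, int, str], int] = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev.fields.get("action") != "denied":
            continue
        key = (ev.fields["dst_ip"], int(ev.fields["dst_port"]), ev.fields["proto"])
        totals[key] = totals.get(key, 0) + int(ev.fields["packets"])
    return totals


if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        ev = parse_line(raw)
        print(f"{ev.tag:18} -> {route_for(ev)}")
    for (ip, port, proto), n in denied_by_destination(SAMPLE_LINES).items():
        print(f"denied {proto} to {ip}:{port}: {n} packets")
```

The header pattern is deliberately strict: a line that does not carry the extra ISO timestamp and a `%WORD-WORD:` mnemonic is rejected rather than half-parsed, so a device that changes its message format shows up as unparsed lines instead of silently landing in the "main" file.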
