我有这种日志
May 13 17:39:34 192.168.x.254 2020-05-13T17:50:47+00:00 %FIREWALL-I-LOG: zone-pair 'WAN self' rule 10000 denied udp 192.168.x.249:2050 (gi1/0/2 68:05:ca:10:14:87) -> 192.168.x.255:2050 dscp 0, 1 packets
May 13 17:39:34 192.168.x.254 2020-05-13T17:50:47+00:00 %FIREWALL-I-LOG: zone-pair 'WAN self' rule 10000 denied udp 192.168.x.244:5678 (gi1/0/2 d4:ca:6d:da:2e:bb) -> 255.255.255.255:5678 dscp 0, 5 packets
它通过系统日志从路由器获取到我的Debian服务器
在服务器上的rsyslog配置中,我添加了行:
template (name="bsdlogformat" type="string" string="%hostname% %timereported% %syslogtag%%msg%\n")
template (name="fileformat" type="string" string="/var/log/rsyslogs/%HOSTNAME%-%syslogtag%.log")
:hostname, isequal, "192.168.x.254" ?fileformat;bsdlogformat
一切正常,除了像这样的文件名读取器:
192.168.x.254-.log
结果是:
192.168.x.254 May 13 17:39:34 2020-05-13T17:50:47+00:00 %FIREWALL-I-LOG: zone-pair 'WAN self' rule 10000 denied udp 192.168.x.249:2050 (gi1/0/2 68:05:ca:10:14:87) -> 192.168.x.255:2050 dscp 0, 1 packets
192.168.x.254 May 13 17:39:34 2020-05-13T17:50:47+00:00 %FIREWALL-I-LOG: zone-pair 'WAN self' rule 10000 denied udp 192.168.x.244:5678 (gi1/0/2 d4:ca:6d:da:2e:bb) -> 255.255.255.255:5678 dscp 0, 5 packets
因此它没有检测到%syslogtag%
这里的主要问题是字符串
2020-05-13T17:50:47 + 00:00
我找不到强制syslod thisks为日期的方法。
现在我可以解决它?
我找到了解决方案,它实际上很简单:
template(name="bsdlogformat" type="list") {
property(name="fromhost-ip")
constant(value=" ")
property(name="msg")
constant(value="\n")
}
template (name="fileformat" type="string" string="/var/log/rsyslogs/%HOSTNAME%-main.log")
template (name="firewallfile" type="string" string="/var/log/rsyslogs/%HOSTNAME%-firewall.log")
template (name="authfile" type="string" string="/var/log/rsyslogs/%HOSTNAME%-auth.log")
template (name="sshfile" type="string" string="/var/log/rsyslogs/%HOSTNAME%-ssh.log")
if ($fromhost-ip == "192.168.0.254") then {
if ($msg contains "FIREWALL-I-LOG") then {
action(type="omfile" dynaFile="firewallfile" Template="bsdlogformat")
} else if ($msg contains "AAA-LOCAL-N-AUTH") then {
action(type="omfile" dynaFile="authfile" Template="bsdlogformat")
} else if ($msg contains "AAA-LOCAL-W-AUTH") then {
action(type="omfile" dynaFile="authfile" Template="bsdlogformat")
} else if ($msg contains "AAA-E-SSH") then {
action(type="omfile" dynaFile="sshfile" Template="bsdlogformat")
} else if ($msg contains "AAA-I-SSH") then {
action(type="omfile" dynaFile="sshfile" Template="bsdlogformat")
} else {
action(type="omfile" dynaFile="fileformat" Template="bsdlogformat")
}
stop
}
它只检查$ msg并基于包含前缀的文件中的包含字符串放置日志。