Syslog parsing misformatted logs
I have logs like this:
May 13 17:39:34 192.168.x.254 2020-05-13T17:50:47+00:00 %FIREWALL-I-LOG: zone-pair 'WAN self' rule 10000 denied udp 192.168.x.249:2050 (gi1/0/2 68:05:ca:10:14:87) -> 192.168.x.255:2050 dscp 0, 1 packets
May 13 17:39:34 192.168.x.254 2020-05-13T17:50:47+00:00 %FIREWALL-I-LOG: zone-pair 'WAN self' rule 10000 denied udp 192.168.x.244:5678 (gi1/0/2 d4:ca:6d:da:2e:bb) -> 255.255.255.255:5678 dscp 0, 5 packets
They arrive from the router via syslog on my Debian server.
In the rsyslog configuration on the server, I added the following lines:
template (name="bsdlogformat" type="string" string="%hostname% %timereported% %syslogtag%%msg%\n")
template (name="fileformat" type="string" string="/var/log/rsyslogs/%HOSTNAME%-%syslogtag%.log")
:hostname, isequal, "192.168.x.254" ?fileformat;bsdlogformat
Everything works, except that the file name is created like this:
192.168.x.254-.log
The result is:
192.168.x.254 May 13 17:39:34 2020-05-13T17:50:47+00:00 %FIREWALL-I-LOG: zone-pair 'WAN self' rule 10000 denied udp 192.168.x.249:2050 (gi1/0/2 68:05:ca:10:14:87) -> 192.168.x.255:2050 dscp 0, 1 packets
192.168.x.254 May 13 17:39:34 2020-05-13T17:50:47+00:00 %FIREWALL-I-LOG: zone-pair 'WAN self' rule 10000 denied udp 192.168.x.244:5678 (gi1/0/2 d4:ca:6d:da:2e:bb) -> 255.255.255.255:5678 dscp 0, 5 packets
So it does not detect %syslogtag%.
The main problem here is the string
2020-05-13T17:50:47+00:00
I cannot find a way to force syslog to treat this as a date.
Can I fix this?
I found a solution, and it is actually quite simple:
template(name="bsdlogformat" type="list") {
property(name="fromhost-ip")
constant(value=" ")
property(name="msg")
constant(value="\n")
}
template (name="fileformat" type="string" string="/var/log/rsyslogs/%HOSTNAME%-main.log")
template (name="firewallfile" type="string" string="/var/log/rsyslogs/%HOSTNAME%-firewall.log")
template (name="authfile" type="string" string="/var/log/rsyslogs/%HOSTNAME%-auth.log")
template (name="sshfile" type="string" string="/var/log/rsyslogs/%HOSTNAME%-ssh.log")
if ($fromhost-ip == "192.168.0.254") then {
if ($msg contains "FIREWALL-I-LOG") then {
action(type="omfile" dynaFile="firewallfile" Template="bsdlogformat")
} else if ($msg contains "AAA-LOCAL-N-AUTH") then {
action(type="omfile" dynaFile="authfile" Template="bsdlogformat")
} else if ($msg contains "AAA-LOCAL-W-AUTH") then {
action(type="omfile" dynaFile="authfile" Template="bsdlogformat")
} else if ($msg contains "AAA-E-SSH") then {
action(type="omfile" dynaFile="sshfile" Template="bsdlogformat")
} else if ($msg contains "AAA-I-SSH") then {
action(type="omfile" dynaFile="sshfile" Template="bsdlogformat")
} else {
action(type="omfile" dynaFile="fileformat" Template="bsdlogformat")
}
stop
}
It only checks $msg and, based on the string it contains, writes the log into a file with the matching prefix.
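As an added example (not code from the question or the answer), this Python parser mirrors the answer's routing: it splits each router line into the BSD header, the host, the embedded ISO-8601 timestamp that confuses rsyslog's tag detection, the vendor %FACILITY-SEVERITY-MNEMONIC: tag and the message, picks the same per-host file the answer's dynaFile templates would, and pulls the denied-flow fields out of FIREWALL-I-LOG lines for inspection. The sample lines, including the %AAA-I-SSH and %SYS-I-BOOT messages, are constructed to match the shape shown above.

```python
import re
from collections import defaultdict

# Constructed sample lines shaped like the router output quoted in the question.
SAMPLE_LINES = [
    "May 13 17:39:34 192.168.x.254 2020-05-13T17:50:47+00:00 %FIREWALL-I-LOG: "
    "zone-pair 'WAN self' rule 10000 denied udp 192.168.x.249:2050 "
    "(gi1/0/2 68:05:ca:10:14:87) -> 192.168.x.255:2050 dscp 0, 1 packets",
    "May 13 17:39:34 192.168.x.254 2020-05-13T17:50:47+00:00 %AAA-I-SSH: "
    "constructed ssh event",
    "May 13 17:39:34 192.168.x.254 2020-05-13T17:50:47+00:00 %SYS-I-BOOT: "
    "constructed uncategorised event",
]
# BSD header, host, the extra ISO-8601 timestamp, then the vendor tag and message.
LINE_RE = re.compile(
    r"^(?P<bsd_ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<iso_ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d[+-]\d\d:\d\d) "
    r"%(?P<tag>[A-Z0-9]+-[A-Z]-[A-Z0-9]+): (?P<msg>.*)$"
)
DENY_RE = re.compile(
    r"rule (?P<rule>\d+) denied (?P<proto>\w+) (?P<src>\S+) \([^)]*\) -> (?P<dst>\S+)"
)
# Same tag-to-file mapping as the answer's rsyslog config; unknown tags go to "main".
ROUTES = {"FIREWALL-I-LOG": "firewall", "AAA-LOCAL-N-AUTH": "auth",
          "AAA-LOCAL-W-AUTH": "auth", "AAA-E-SSH": "ssh", "AAA-I-SSH": "ssh"}


def parse_line(line):
    """Return the parsed fields, plus denied-flow details when present, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    deny = DENY_RE.search(rec["msg"])
    if deny:
        rec["flow"] = deny.groupdict()
    return rec


def target_file(host, tag):
    """Pick the per-host log file for a tag, mirroring the answer's dynaFile templates."""
    return f"/var/log/rsyslogs/{host}-{ROUTES.get(tag, 'main')}.log"


def route_lines(lines):
    """Group lines by destination file; lines that do not parse are kept under 'unparsed'."""
    out = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        key = target_file(rec["host"], rec["tag"]) if rec else "unparsed"
        out[key].append(rec or line)
    return dict(out)
```

Keeping an "unparsed" bucket matters in practice: a line the parser cannot classify is exactly the kind of event that would silently land in the wrong file under the rsyslog config, so it should be counted rather than dropped.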