
Hi,
I've got an issue with suppressing syslog messages based on content. Even after stating the following rule in config.php:
$config['syslog']['filter'][] = 'action=pass';
I still see messages with the intended phrase inside:
id=firewall time="2018-07-25 12:36:32" fw="xxxxxxxxxx" tz=+0200 startime="2018-07-25 12:36:31" pri=4 confid=01 slotlevel=2 ruleid=53 srcif="Ethernet3" srcifname="prod" ipproto=tcp dstif="Ethernet0" dstifname="wan1" proto=ssl src=xxxxxxxxxxx srcport=32827 srcportname=ephemeral_fw_tcp srcname=xxxxxxxxxxxx srcmac=xxxxxxxxxxxxxx dst=xxxxxxxx dstport=443 dstportname=https dstname=xxxxxxxxxxxxxxxxxxxx dstcontinent="eu" dstcountry="ie" modsrc=xxxxxxxxxxxx modsrcport=32827 ipv=4 action=pass msg="Early ChangeCipherSpec" class=protocol classification=0 alarmid=312 target=dst logtype="alarm"
This doesn't apply to every message containing the specified string, only to a few of them. Perhaps a message length issue?
Best Luca

Hi,
If you set this config option in config.php (manually), then you need to restart the rsyslog daemon.
To auto-apply this option, use the WUI: Global Setting Edit -> Syslog -> filters (actually in the latest Pro).
observium mailing list observium@observium.org http://postman.memetic.org/cgi-bin/mailman/listinfo/observium

Ok thanks! Luca
-----Original Message-----
From: observium observium-bounces@observium.org On Behalf Of Mike Stupalov
Sent: Wednesday, July 25, 2018 2:47 PM
To: Observium observium@observium.org
Subject: Re: [Observium] Syslog suppress
Hi,
If you set this config option in config.php (manually), then you need to restart the rsyslog daemon.
To auto-apply this option, use the WUI: Global Setting Edit -> Syslog -> filters (actually in the latest Pro).
--
Mike Stupalov
Observium Limited, http://observium.org
Participants (2): Luca Sasdelli, Mike Stupalov