0
votes

I'm trying to filter out all syslog messages except those that are defined in my config, and then send the message to an external syslog server. I have Ubuntu 16.04 with rsyslog, and I have configured Nextcloud to log to the syslog daemon.

My message (from /var/syslog) that I want to allow to be sent to the external syslog server:

Jul 11 15:55:28 test-virtual-machine ownCloud[28466]: {files_antivirus} Infected file deleted. Eicar-Test-Signature File: files/eicar(3).com.ocTransferId993388412.part Acccount: admin

I have tried to modify the rsyslog.conf file (rest of the file is default):

nextcloud.*                         -/var/log/nextcloud.log

:msg, contains, "*Infected*" -/var/log/nextcloud3.log

nextcloud.* @remote-host:514

This is not working at all. Does anyone have some input?

Thanks,


1 Answer

0
votes

I have the following that is currently working...

In /etc/rsyslog.d/60-my-filter.conf

:rawmsg,contains,"TAG" -/var/log/tag.log

My guess from the above is that you need to replace ":msg" with ":rawmsg", but I am no expert. I would also try removing the spaces, e.g. ':rawmsg,contains,"Infected" -/var/log/nextcloud3.log'

Also remove the nextcloud lines until you know you are getting the files formatted/filtered properly, and then try adding it back.

Hope this helps.
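As an added example (not part of the question or the answer above), here is an rsyslog configuration in RainerScript syntax that forwards only the antivirus detection events to the remote server. Two details from the question are worth knowing: in rsyslog property-based filters, `contains` is a plain substring match, so the `*` characters in `"*Infected*"` are searched for literally and the quoted line never matches; and `nextcloud` is not a syslog facility name (valid ones are `user`, `daemon`, `local0`..`local7` and so on), so a `nextcloud.*` selector is not a usable filter. The example assumes the syslog tag stays `ownCloud` as in the quoted log line, that the remote host is reachable under the placeholder name `remote-host` on UDP 514, and the file name `/etc/rsyslog.d/60-nextcloud-av.conf` is a constructed example.

```rsyslog
# /etc/rsyslog.d/60-nextcloud-av.conf  (constructed example, not the poster's config)
#
# Match on the program tag and a literal substring of the message body.
# $programname is the tag without the PID ("ownCloud" in the quoted line);
# "contains" is a literal substring test, so no wildcard characters are needed.
if ($programname == 'ownCloud' and $msg contains 'Infected file') then {
    # keep a local copy of the detection events
    action(type="omfile" file="/var/log/nextcloud-av.log")

    # forward the same event to the central syslog server (assumed host/port)
    action(type="omfwd" target="remote-host" port="514" protocol="udp")

    # stop processing so the event is not also written by the default rules
    stop
}

# Everything else that carries the ownCloud tag goes to a separate file only,
# so noise is not forwarded and the detection log stays readable.
if ($programname == 'ownCloud') then {
    action(type="omfile" file="/var/log/nextcloud.log")
    stop
}
```

Check the syntax with `rsyslogd -N1` before restarting the service, then generate a test event locally with `logger -t ownCloud "{files_antivirus} Infected file deleted. test"` and confirm it appears both in `/var/log/nextcloud-av.log` and on the remote collector. If the remote side must not lose events, switch `protocol="udp"` to `protocol="tcp"` (the receiver has to listen on TCP as well); UDP drops silently under load, which is the wrong failure mode for malware detection records.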