This has been addressed in other post(s), but I still can't get this to work properly.
I am trying to OMIT (discard) certain entries from being written to my " /var/log/secure ".
Namely, any line that contains certain trusted IP Addresses, in this example " IP = 10.10.10.10 ".
From what I understand, using a REGEX expression like this should do the trick, but I think I have an issue with placement in the file:
if $syslogfacility-text == 'authpriv' and $msg !contains '10.10.10.10' then /var/log/secure
&~
Here's what I've tried so far in my /etc/rsyslog.conf file:
#rsyslog v3 config file
# if you experience problems, check
# http://www.rsyslog.com/troubleshoot for assistance
#### MODULES ####
$ModLoad imuxsock.so # provides support for local system logging (e.g. via logger command)
$ModLoad imklog.so # provides kernel logging support (previously done by rklogd)
#### GLOBAL DIRECTIVES ####
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
#### RULES ####
if $syslogfacility-text == 'authpriv' and $msg !contains '10.10.10.10' then /var/log/secure
&~
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
Another slight variation to the rsyslog.conf file would be as follows, as I've read the order in which this rule appears makes a difference:
#rsyslog v3 config file
# if you experience problems, check
# http://www.rsyslog.com/troubleshoot for assistance
#### MODULES ####
$ModLoad imuxsock.so # provides support for local system logging (e.g. via logger command)
$ModLoad imklog.so # provides kernel logging support (previously done by rklogd)
#### GLOBAL DIRECTIVES ####
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
#### RULES ####
if $syslogfacility-text == 'authpriv' and $msg !contains '10.10.10.10' then /var/log/secure
&~
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
if $syslogfacility-text == 'authpriv' and $msg !contains '10.10.10.10' then /var/log/secure
&~
I have tried many other ways, but do not want to pollute this post with too many variations.
Another important point, is that I need to make sure that OTHER log files via rsyslog throughout the system STILL track this IP Address however.
So essentially, just OMIT any line that contains "10.10.10.10" from the " /var/log/secure "
