I am trying to filter out the audispd log from /var/log/messages; audispd by default sends its log using "user.info".

My current situation is that /etc/rsyslog.conf is shared among a few sets of machines in the network, so most of the custom configuration is done in /etc/rsyslog.d. The problem I'm having is that it seems redirecting logs does work with custom configuration files; for example, if my /etc/rsyslog.d/user.conf has this:

user.info       /var/auditd/audispd.log
&       ~

It will work just fine, but filtering such as the example below will not take any effect, even though the same syntax will definitely work if I put it in the main configuration file, which I'm trying to avoid here:

user.!=info     /var/log/messages
&       ~

On a side note, the server is using Rsyslog 5.8.10.

PS: Sorry for my bad English as it is not my main language :)

Thanks
Regards
Z

skelator

1 Answer


You have to make sure that you are on audit 1.8, otherwise this won't work.

Add "LOG_LOCAL0" to /etc/audisp/plugins.d/syslog.conf.

Modify rsyslog.conf and add "local0.none" to your destination (/var/log/messages).

Restart rsyslogd.

acer123
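Added example, written for this page and not taken from the question, the answer or rsyslog itself: a small Python model of rsyslog's legacy "facility.priority  action" selectors that replays the two /etc/rsyslog.d attempts from the question and the local0.none approach from the answer. It assumes the distribution default "*.info;mail.none;authpriv.none;cron.none  /var/log/messages" rule, that $IncludeConfig /etc/rsyslog.d/*.conf is evaluated before that rule, and a hypothetical /var/log/audisp.log destination for the local0 rule.

```python
# Added example, not rsyslog's own code: a simplified model of its legacy selectors.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
              "cron", "authpriv", "ftp", "local0", "local1", "local2", "local3",
              "local4", "local5", "local6", "local7"]

def parse_selector(selector):
    """Map each facility to the priorities the selector matches. Parts apply left
    to right to per-facility masks that start empty: 'user.!=info' alone subtracts
    from an empty mask and matches nothing; '*.info;local0.none' selects
    info-and-above everywhere, then clears local0 again."""
    mask = {f: set() for f in FACILITIES}
    for part in selector.split(";"):
        facs, pri = part.strip().split(".")
        for fac in (FACILITIES if facs == "*" else facs.split(",")):
            if pri == "none":
                mask[fac] = set()
            elif pri == "*":
                mask[fac] = set(PRIORITIES)
            elif pri.startswith("!="):             # drop exactly this priority
                mask[fac].discard(pri[2:])
            elif pri.startswith("!"):              # drop this priority and higher
                mask[fac] -= set(PRIORITIES[:PRIORITIES.index(pri[1:]) + 1])
            elif pri.startswith("="):              # exactly this priority
                mask[fac].add(pri[1:])
            else:                                  # this priority and higher
                mask[fac] |= set(PRIORITIES[:PRIORITIES.index(pri) + 1])
    return mask

def route(rules, facility, priority):
    """Walk the rules in order ('&' reuses the previous selector, '~' discards)
    and return the files a message with this facility/priority is written to."""
    written, mask = [], None
    for selector, action in rules:
        if selector != "&":
            mask = parse_selector(selector)
        if priority not in mask[facility]:
            continue
        if action == "~":
            break
        written.append(action)
    return written

# Assumed distribution default /var/log/messages rule, evaluated after the /etc/rsyslog.d include.
MESSAGES = "*.info;mail.none;authpriv.none;cron.none"
ATTEMPT_1 = [("user.info", "/var/auditd/audispd.log"), ("&", "~"), (MESSAGES, "/var/log/messages")]
ATTEMPT_2 = [("user.!=info", "/var/log/messages"), ("&", "~"), (MESSAGES, "/var/log/messages")]
# The answer's approach: audisp logs to local0; /var/log/audisp.log is a hypothetical destination.
ANSWER = [("local0.*", "/var/log/audisp.log"), (MESSAGES + ";local0.none", "/var/log/messages")]
```

Under this model the second attempt matches nothing, so a user.info message falls through to the default rule and still lands in /var/log/messages, while the first attempt discards it before that rule runs; with the answer's setup the local0 messages reach only their own file.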