# Directory where rsyslog keeps its work files.
global(
    workDirectory="/var/spool/rsyslog"
)

# Load the imtcp module so syslog messages can be received over plain TCP,
# with at most 500 concurrent sessions.
module(
    load="imtcp"
    MaxSessions="500"
)

# Listen for incoming syslog on TCP port 514.
# NOTE(review): this statement sets no bind address and no TLS stream driver,
# so senders are neither authenticated nor encrypted. Limit who can reach the
# port (firewall, or the input's address= parameter) or enable TLS.
input(
    type="imtcp"
    port="514"
)
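# JSON rendering of "Probe Request" messages, one object per message.
# The SSID and source address originate from frames sent by client devices,
# so treat both as untrusted text; format="jsonf" emits them as JSON fields.
template(name="probe-request" type="list" option.jsonf="on") {
    # Timestamp reported by the sender, in RFC 3339 form.
    property(outname="@timestamp" name="timereported" dateFormat="rfc3339" format="jsonf")
    property(outname="host" name="hostname" format="jsonf")
    # Everything after "SA:" up to the next whitespace; blank when absent.
    property(outname="sourceaddress" name="msg" regex.type="ERE" regex.submatch="1" regex.expression="SA:([^[:space:]]*)" regex.nomatchmode="BLANK" format="jsonf")
    # 10th space-delimited field (delimiter 32 = ASCII space) of the message.
    # NOTE(review): positional parsing depends on the sender's exact message
    # layout - verify against real samples.
    property(outname="signal" name="msg" field.number="10" field.delimiter="32" format="jsonf" onEmpty="null")
    # SSID between the parentheses after "Probe Request". POSIX ERE has no lazy
    # quantifier, so ".*?" is not portable and may match greedily up to the last
    # ")" in the message; a negated bracket expression stops at the first ")".
    property(outname="wifi" name="msg" regex.type="ERE" regex.submatch="1" regex.expression="Probe Request \\(([^)]*)\\)" regex.nomatchmode="BLANK" format="jsonf")
}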
# JSON rendering of "roamed" messages, one object per message.
# Every value except the timestamp and host is taken by position from the
# space-delimited message text (delimiter 32 = ASCII space).
# NOTE(review): the field numbers assume a fixed message layout; a value that
# itself contains spaces would shift them - verify against real samples.
template(
    name="roamed"
    type="list"
    option.jsonf="on"
) {
    property(
        outname="@timestamp"
        name="timereported"
        dateFormat="rfc3339"
        format="jsonf"
    )
    property(
        outname="host"
        name="hostname"
        format="jsonf"
    )
    # Field 18 of the message; rendered as null when empty.
    property(
        outname="sourceaddress"
        name="msg"
        field.number="18"
        field.delimiter="32"
        format="jsonf"
        onEmpty="null"
    )
    # Field 10 of the message; rendered as null when empty.
    property(
        outname="signal"
        name="msg"
        field.number="10"
        field.delimiter="32"
        format="jsonf"
        onEmpty="null"
    )
    # Field 21 of the message; unlike the two above, no onEmpty handling is set.
    property(
        outname="wifi"
        name="msg"
        field.number="21"
        field.delimiter="32"
        format="jsonf"
    )
}
# Route messages by their text into per-event JSON log files.
# NOTE(review): the match is on message content only, so any sender that can
# reach the listener can append to these files. The files hold device
# addresses and SSIDs; consider a tighter mode via omfile's fileCreateMode.

# Probe requests are written with the "probe-request" template.
if $msg contains 'Probe Request (' then {
    action(
        type="omfile"
        file="/var/log/syslogs/unifi-probe.log"
        template="probe-request"
    )
}

# Roaming events are written with the "roamed" template.
if $msg contains 'roamed' then {
    action(
        type="omfile"
        file="/var/log/syslogs/unifi-roamed.log"
        template="roamed"
    )
}
lunes, 18 de noviembre de 2024