lunes, 18 de noviembre de 2024

rsyslog

 # Global settings. workDirectory is where rsyslog keeps its on-disk state
 # (queue spool files, module state files); the directory must be writable
 # by the rsyslog service user.
 global(
  workDirectory="/var/spool/rsyslog"
)

# Load the imtcp module and open a plain (unencrypted) syslog-over-TCP listener
# on port 514. MaxSessions caps the number of concurrent client connections the
# module will accept.
# NOTE(review): as written the listener binds every local address and accepts
# messages from any sender with no transport encryption or sender
# authentication. That is acceptable on a trusted management network; where
# senders cross an untrusted segment, consider binding to a specific address
# (input parameter address="...") and/or enabling a TLS stream driver on the
# module, and restrict the port at the host firewall to the expected senders.
module(load="imtcp" MaxSessions="500")
input(type="imtcp" port="514")

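# JSON template for "Probe Request (...)" messages. With option.jsonf each
# property() becomes one key of a single-line JSON object, so the resulting
# log file can be consumed directly by a JSON-aware shipper.
#   @timestamp    - timestamp reported by the sender, RFC 3339
#   host          - sending hostname
#   sourceaddress - the token following "SA:" in the message (presumably the
#                   client MAC; verify against a sample line)
#   signal        - 10th space-separated field of the message (assumed to be
#                   the signal level; empty field -> JSON null)
#   wifi          - text inside the parentheses of "Probe Request (...)"
template(name="probe-request" type="list" option.jsonf="on") {
         property(outname="@timestamp" name="timereported" dateFormat="rfc3339" format="jsonf")
         property(outname="host" name="hostname" format="jsonf")
         # Everything after "SA:" up to the next whitespace. nomatchmode=BLANK
         # yields an empty string (not the whole message) when the token is absent.
         property(outname="sourceaddress" name="msg" regex.type="ERE" regex.submatch="1" regex.expression="SA:([^[:space:]]*)" regex.nomatchmode="BLANK" format="jsonf")
         property(outname="signal" name="msg" field.number="10" field.delimiter="32" format="jsonf" onEmpty="null")
         # POSIX ERE has no non-greedy "*?": the former "(.*?)\\)" is undefined in
         # POSIX and greedy under glibc, so the capture could run to the LAST ")"
         # in the message. A negated bracket expression stops at the first closing
         # parenthesis, which is what the lazy quantifier was meant to do.
         property(outname="wifi" name="msg" regex.type="ERE" regex.submatch="1" regex.expression="Probe Request \\(([^)]*)\\)" regex.nomatchmode="BLANK" format="jsonf")
}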

# JSON template for "roamed" messages; same keys as the probe-request template
# so both files share one schema downstream. Unlike probe-request, the values
# here are picked by fixed field position (space-delimited, delimiter 32), so
# they silently shift if the sender's message layout changes.
#   @timestamp    - timestamp reported by the sender, RFC 3339
#   host          - sending hostname
#   sourceaddress - field 18 (presumably the client address; verify against a
#                   sample line); empty field -> JSON null
#   signal        - field 10 (assumed to be the signal level); empty -> null
#   wifi          - field 21 (assumed to be the SSID); no onEmpty handling, so
#                   a missing field is emitted as an empty string
template(name="roamed" type="list" option.jsonf="on") {
         property(outname="@timestamp" name="timereported" dateFormat="rfc3339" format="jsonf")
         property(outname="host" name="hostname" format="jsonf")
         property(outname="sourceaddress" name="msg" field.number="18" field.delimiter="32" format="jsonf" onEmpty="null")
         property(outname="signal" name="msg" field.number="10" field.delimiter="32" format="jsonf" onEmpty="null")
         property(outname="wifi" name="msg" field.number="21" field.delimiter="32" format="jsonf")
}


# Route probe-request messages to their own JSON log file (not the console).
# "contains" is a plain substring test on the raw message text, so any message
# from any accepted sender that includes the literal "Probe Request (" lands
# here; the message is not dropped afterwards and continues to later rules.
if $msg contains 'Probe Request (' then {
        action(type="omfile" file="/var/log/syslogs/unifi-probe.log" template="probe-request")
}

# Route roaming events to a separate JSON log file, formatted with the
# "roamed" template. Substring match, so "roamed" anywhere in the message
# qualifies; tighten the condition if other message types turn out to
# contain the word.
if $msg contains 'roamed' then {
        action(type="omfile" file="/var/log/syslogs/unifi-roamed.log" template="roamed")
}
