Filtering in rsyslog


If you have been managing Splunk for some time, you might have come across situations where you want to filter away unnecessary data from being ingested.

The two most common ways of doing this in Splunk are to filter out data by “blacklisting” at the input stage or to send it to the “nullQueue” at the index stage.
Both of these ways of filtering have the benefit that the data will not be forwarded and does not count against your Splunk license.

If you use rsyslog as a syslog collector in front of your Splunk indexers, I will show you a way to filter out data in rsyslog, to avoid spending valuable indexer or forwarder resources.

The first thing you should do is to define a template, aptly named “template_nullqueue” (rsyslog object names are case-sensitive, so use the same spelling everywhere):

$template template_nullqueue,"/dev/null"

For testing purposes you may of course also make the data be routed to another destination than /dev/null.

Next, you should define a new ruleset for this template:

ruleset(name="ruleset_nullqueue") {
  # Everything routed to this ruleset is written to /dev/null, i.e. discarded.
  action(type="omfile" dynafile="template_nullqueue")
}
[...]
ruleset(name="ruleset_10601") {
  # The filter must come before the action; otherwise the message has
  # already been written to the kept file by the time it is discarded.
  if ($msg contains 'Teardown ICMP connection for faddr') then {
    call ruleset_nullqueue
    stop
  }
  action(type="omfile" dynafile="template_10601" dirCreateMode="0750" FileCreateMode="0640" fileOwner="splunk" fileGroup="adm" dirOwner="splunk" dirGroup="adm")
}

ruleset(name="ruleset_10602") {
  action(type="omfile" dynafile="template_10601" dirCreateMode="0750" FileCreateMode="0640" fileOwner="splunk" fileGroup="adm" dirOwner="splunk" dirGroup="adm")
}
[...]

Finally, the business end. You may now drop an if-statement into any existing ruleset definition.
Note that the if-statement needs to be above the action-statement: rsyslog evaluates a ruleset top to bottom, so a filter placed after the action only stops the message once it has already been written.

The ruleset_10601 definition above shows how any syslog message containing the string “Teardown ICMP connection for faddr” is sent straight to /dev/null, while everything else on that ruleset is written out as before.
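To see the whole thing in one place, here is an added, complete rsyslog configuration built from the fragments above (this is example code, not the original post's full config); the listener ports, the log file layout in template_10601 and the deliberately wrong-ordered ruleset are my assumptions, included to show why the filter has to come first.

```rsyslog
# Added example (not from the original post): the post's fragments assembled
# into a loadable config. Ports, paths and template_10601 are assumptions.
module(load="imtcp")
module(load="imudp")

# Where kept messages go; one file per source host and day (assumed layout).
template(name="template_10601" type="string"
         string="/var/log/remote/10601/%HOSTNAME%/%$year%-%$month%-%$day%.log")

# The discard target from the post. While testing, point this at a real file
# so you can review exactly what the filter throws away before trusting it.
template(name="template_nullqueue" type="string" string="/dev/null")

ruleset(name="ruleset_nullqueue") {
  action(type="omfile" dynafile="template_nullqueue")
}

# WRONG ORDER: the action runs first, so the message is already written to
# the kept file before the filter sees it; the stop only saves later work.
ruleset(name="ruleset_10601_wrong") {
  action(type="omfile" dynafile="template_10601")
  if ($msg contains 'Teardown ICMP connection for faddr') then {
    call ruleset_nullqueue
    stop
  }
}

# CORRECT ORDER: filter first, then the action for everything else.
# Keep the match string specific: matching on 'Teardown' alone would also
# drop TCP and UDP teardown records, which are usually worth keeping.
ruleset(name="ruleset_10601") {
  if ($msg contains 'Teardown ICMP connection for faddr') then {
    call ruleset_nullqueue
    stop
  }
  action(type="omfile" dynafile="template_10601"
         dirCreateMode="0750" fileCreateMode="0640"
         fileOwner="splunk" fileGroup="adm" dirOwner="splunk" dirGroup="adm")
}

# Bind the listeners to the ruleset so only this port's traffic is filtered.
input(type="imtcp" port="10601" ruleset="ruleset_10601")
input(type="imudp" port="10601" ruleset="ruleset_10601")
```

Check the syntax with `rsyslogd -N1 -f <file>` before deploying, and compare the kept file against the /dev/null replacement file from a test run to confirm only the intended ICMP teardown lines are dropped.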
