The Geek Diary
How to Configure rsyslog to Filter/discard Specific IP Address in CentOS/RHEL 6,7

By admin

This post explains how to configure rsyslog to match messages that contain a specific IP address and drop them. The traditional syslog daemon has no advanced filtering of this kind; rsyslog does. Follow the steps below to configure rsyslog to filter messages containing a specific IP address.

1. Install rsyslog if it is not already present on the system. For Red Hat-based distributions:

# yum install rsyslog

2. Use the chkconfig/systemctl commands to enable the rsyslog service at boot, then start the service.

# chkconfig rsyslog on             ### CentOS/RHEL 6
# systemctl enable rsyslog         ### CentOS/RHEL 7
# service rsyslog start        ### CentOS/RHEL 6
# systemctl start rsyslog      ### CentOS/RHEL 7

3. To discard all messages that mention the IP address xx.xx.xx.xx, edit /etc/rsyslog.conf and add the discard filter below near the top of the file, before the rules that write to log files such as /var/log/messages. rsyslog evaluates rules in file order, so a discard rule placed after those write rules has no effect.

# vi /etc/rsyslog.conf
:msg, contains, "xx.xx.xx.xx"   ~

4. Restart the rsyslog service.

# service rsyslog restart          ### CentOS/RHEL 6
# systemctl restart rsyslog        ### CentOS/RHEL 7

Verify

You can verify the configuration above with the logger command, which generates syslog messages manually from the command line. Use the command below to generate a syslog message containing the IP address to be discarded.

# logger xx.xx.xx.xx

Check /var/log/messages and confirm that the message above was not logged. Then repeat the test with a different IP address to confirm that messages containing other addresses are still being logged.

Applying filter on a specific program/command

The filter can also be restricted to a specific program, such as vsftpd, in combination with the IP address. Use the discard filter below to drop vsftpd messages that contain the IP xx.xx.xx.xx (the second placeholder, yy.yy.yy.yy, shows how further addresses are added to the same rule).

# vi /etc/rsyslog.conf
if $programname == 'vsftpd' and ($msg contains 'xx.xx.xx.xx' or $msg contains 'yy.yy.yy.yy') then  ~

Filed Under: CentOS/RHEL 6, CentOS/RHEL 7, Linux
