This post explains how to configure rsyslog to filter out messages that contain a specific IP address and discard them. Plain syslog has no comparable advanced filtering; rsyslog does. Follow the steps below to configure rsyslog to discard messages containing a specific IP address.
1. Install rsyslog if it is not already present on the system. For Red Hat based distributions:
# yum install rsyslog
2. Use the chkconfig/systemctl commands to enable the rsyslog service at boot, and then start the service:
# chkconfig rsyslog on      ### CentOS/RHEL 6
# systemctl enable rsyslog  ### CentOS/RHEL 7
# service rsyslog start     ### CentOS/RHEL 6
# systemctl start rsyslog   ### CentOS/RHEL 7
3. To discard all messages containing the IP address xx.xx.xx.xx, edit /etc/rsyslog.conf and add the discard filter below at the top of the file, not at the bottom. rsyslog evaluates rules in file order, so the discard rule must come before the rules that write to /var/log/messages or the message is already written by the time it is reached. The trailing ~ is the discard action (on rsyslog 7 and later it is deprecated in favour of the keyword stop, which behaves the same way).
# vi /etc/rsyslog.conf
:msg, contains, "xx.xx.xx.xx" ~
4. Restart the rsyslog service so the new rule takes effect:
# service rsyslog restart
You can verify the configuration with the logger command, which generates syslog messages from the command line. Use the command below to generate a message containing the IP address you want to discard:
# logger xx.xx.xx.xx
Check that this message does not appear in /var/log/messages. Then run logger with a different IP address and confirm that this second message is logged, so that only messages containing the filtered address are being discarded.
Applying the filter to a specific program/command
The filter can also be restricted to a specific program, such as vsftpd, in combination with the IP address. The RainerScript filter below discards only messages that come from vsftpd and contain one of the listed IP addresses (each xx.xx.xx.xx placeholder stands for an address to discard); messages from other programs that mention the same address are still logged.
# vi /etc/rsyslog.conf
if $programname == 'vsftpd' and ($msg contains 'xx.xx.xx.xx' or $msg contains 'xx.xx.xx.xx') then ~
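The two filters above, plus the logger-based verification, can be reasoned about offline with the following simulation. This is an added example, not rsyslog code and not part of the original post: it reimplements the matching semantics of ':msg, contains, "..."' and of the 'if $programname == ... and $msg contains ...' rule in Python and runs them over a handful of constructed /var/log/messages lines, using 10.0.0.5 in place of the xx.xx.xx.xx placeholder. It also shows the main caveat of a contains filter: it is a substring match, so discarding 10.0.0.5 silently discards 10.0.0.50 as well. The stricter discard_msg_regex variant matches the address only as a whole token, with a pattern written in POSIX ERE syntax so the same expression can be used with rsyslog's :msg, regex, "..." comparison.

```python
"""Offline simulation of the article's rsyslog discard filters (added example).

Not rsyslog code: the functions below reproduce what the filters
':msg, contains, "<ip>" ~' and
'if $programname == "<prog>" and ($msg contains "<ip>" ...) then ~'
decide for each log line, so the behaviour can be checked without a
running syslog daemon.
"""
import re

# Constructed sample lines in the traditional /var/log/messages layout.
# 10.0.0.5 stands in for the article's xx.xx.xx.xx placeholder.
SAMPLE_LINES = [
    'Mar  3 10:00:01 host sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 52000',
    'Mar  3 10:00:02 host vsftpd[1300]: CONNECT: Client "10.0.0.5"',
    'Mar  3 10:00:03 host vsftpd[1300]: CONNECT: Client "10.0.0.7"',
    'Mar  3 10:00:04 host kernel: eth0: link is up',
    'Mar  3 10:00:05 host sshd[1202]: Failed password for bob from 10.0.0.50 port 52001',
    'Mar  3 10:00:06 host root: 10.0.0.5',          # what "logger 10.0.0.5" produces
]

# timestamp, hostname, tag (optionally with [pid]), then the free-text message
_LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\s:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)


def parse_line(line):
    """Split a /var/log/messages line into (programname, msg).

    These stand in for the rsyslog properties the filters use:
    $programname is the tag without the [pid], $msg is the message text
    (the leading space rsyslog keeps in $msg is dropped here for clarity).
    """
    m = _LINE_RE.match(line)
    if not m:
        raise ValueError("unrecognised syslog line: %r" % line)
    return m.group("prog"), m.group("msg")


def discard_msg_contains(line, needle):
    """':msg, contains, "<needle>" ~'  -> True if the line would be dropped.

    Plain substring test: "10.0.0.5" also matches inside "10.0.0.50".
    """
    _, msg = parse_line(line)
    return needle in msg


def discard_program_and_ip(line, program, ips):
    """'if $programname == program and ($msg contains ip1 or ...) then ~'.

    Only lines from the named program that mention one of the addresses
    are dropped; other programs mentioning the address are kept.
    """
    prog, msg = parse_line(line)
    return prog == program and any(ip in msg for ip in ips)


def discard_msg_regex(line, ip):
    """Stricter variant: drop the line only if the address appears as a
    whole token, so filtering 10.0.0.5 leaves 10.0.0.50 alone.

    The pattern avoids word-boundary escapes and uses only POSIX ERE
    constructs, so it is also usable with rsyslog's ':msg, regex, "..."'.
    """
    _, msg = parse_line(line)
    pattern = r"(^|[^0-9.])" + re.escape(ip) + r"([^0-9.]|$)"
    return re.search(pattern, msg) is not None


def apply_filter(lines, predicate, **kw):
    """Return the lines rsyslog would still write after the discard rule."""
    return [line for line in lines if not predicate(line, **kw)]


if __name__ == "__main__":
    for name, pred, kw in [
        ("contains 10.0.0.5", discard_msg_contains, {"needle": "10.0.0.5"}),
        ("vsftpd and contains 10.0.0.5", discard_program_and_ip,
         {"program": "vsftpd", "ips": ["10.0.0.5"]}),
        ("regex whole-token 10.0.0.5", discard_msg_regex, {"ip": "10.0.0.5"}),
    ]:
        kept = apply_filter(SAMPLE_LINES, pred, **kw)
        print("filter: %s -> %d of %d lines kept" % (name, len(kept), len(SAMPLE_LINES)))
        for line in kept:
            print("   ", line)
```

Running the script shows that the contains filter keeps only two of the six lines (the sshd line for 10.0.0.50 is lost along with the intended ones), the program-scoped filter drops only the vsftpd connection from 10.0.0.5, and the whole-token regex drops every 10.0.0.5 line while keeping 10.0.0.50. When the address being discarded is a prefix of other addresses in use, prefer the program-scoped or regex form so that unrelated events, including the authentication failures above, are not silently removed from the log.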