<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Sorry to be gone. It's been a hell of a few days. What you wrote
looks promising. Where can I find more about the sudo-parser and
such? That way if the config doesn't work I have an idea of how to
tweak it.<br>
</p>
<div class="moz-cite-prefix">On 2/3/2021 10:22 PM, Balazs Scheidler
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAKcfE+Y9-HsdEzb=+PEUV-6ihVvaiK73ZFPwFCz01CRdu7Tk+w@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="auto">
<div dir="auto">Untested config:</div>
<div dir="auto"><br>
</div>
<pre>log {
    source(s_local);
    if (program("sudo")) {
        # inline parser: splits the sudo record into .sudo.* name-value pairs
        parser { sudo-parser(); };
        # filter options are space-separated; the if() needs its own closing paren
        if (match("auto-user" value(".sudo.USER"))) {
            destination(d_autosudo);
        };
        flags(final);
    };
};</pre>
<div dir="auto"><br>
</div>
<div dir="auto">I am not entirely sure of the name-value pair
.sudo.USER; sudo-parser extracts the key=value elements of a
sudo log entry, and IIRC the username is an all-caps "USER".</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Thu, Feb 4, 2021, 05:48 Dan
Egli <a class="moz-txt-link-rfc2396E" href="mailto:dan@newideatest.site"><dan@newideatest.site></a> wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hey folks,
I've looked for a way to do this, and I guess my google-foo is weak today. I've got a situation where on one of my machines, an automated process FREQUENTLY calls sudo so it can gain the permissions it needs to do certain tasks. But that means my /var/log/messages is getting FILLED with sudo messages. I was hoping I could insert some kind of text filter that would allow me to shunt messages where one user (the automated process) calls sudo into another log file. It would basically need to be a nested filter, i.e.:<br>
If message_source = sudo then<br>
&nbsp;&nbsp;if user = X then<br>
&nbsp;&nbsp;&nbsp;&nbsp;log to auto_sudo.log<br>
<br>
If someone knows how this can be done, I'd appreciate it.<br>
<br>
Thanks!<br>
--- Dan<br>
<br>
______________________________________________________________________________<br>
Member info: <a
href="https://lists.balabit.hu/mailman/listinfo/syslog-ng"
rel="noreferrer noreferrer" target="_blank"
moz-do-not-send="true">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a
href="http://www.balabit.com/support/documentation/?product=syslog-ng"
rel="noreferrer noreferrer" target="_blank"
moz-do-not-send="true">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq"
rel="noreferrer noreferrer" target="_blank"
moz-do-not-send="true">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</blockquote>
</div>
</blockquote>
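<p>As an added example (not part of the thread and not syslog-ng's own code), the Python below does offline what the config quoted above asks syslog-ng to do: keep only lines from program <code>sudo</code>, split the sudo record into its fields, then select on one field. Run over a few constructed sudo and sshd lines it shows two things worth checking before such a config goes live: in a sudo command record the name before the first colon is the user who invoked sudo, while <code>USER=</code> is the <em>target</em> account (normally root), so matching the automated user against <code>USER=</code> selects the wrong thing; and the PAM session lines sudo also emits have no key=value shape at all, so a filter on the parsed fields leaves them in the main log. The field names used here (<code>.sudo.SUBJECT</code> for the invoker, the rest taken from the record's keys) follow the thread's <code>.sudo.</code> prefix by analogy and are assumptions; the exact names sudo-parser() produces should be checked against the syslog-ng documentation.</p>

```python
"""Added example: route sudo log lines by the user who invoked sudo.

Not code from the thread or from syslog-ng.  It mirrors the two-stage
filter in the quoted config (program() filter, then a field extracted from
the sudo record) in plain Python so the field semantics can be checked on
sample lines before a config is deployed.  Field names carry the thread's
".sudo." prefix by analogy; ".sudo.SUBJECT" for the invoking user is an
assumption, check the sudo-parser() documentation for the real name.
"""
import re
from typing import Dict, List, Optional

# Constructed sample lines in the shape sudo and sshd write to syslog.
SAMPLE_LOG = """\
Feb  4 05:48:01 box sudo:  auto-user : TTY=unknown ; PWD=/opt/job ; USER=root ; COMMAND=/usr/bin/systemctl restart job.service
Feb  4 05:48:01 box sudo: pam_unix(sudo:session): session opened for user root by auto-user(uid=0)
Feb  4 05:49:10 box sudo:       dan : TTY=pts/0 ; PWD=/home/dan ; USER=root ; COMMAND=/bin/ls /root
Feb  4 05:50:02 box sudo:       dan : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/dan ; USER=root ; COMMAND=/bin/cat /etc/shadow
Feb  4 05:51:00 box sshd[4242]: Accepted publickey for dan from 10.0.0.5 port 50122 ssh2
"""

# BSD-syslog layout: timestamp, host, program with optional [pid], colon, message
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<program>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)


def parse_sudo(msg: str) -> Optional[Dict[str, str]]:
    """Split a sudo command record into fields.

    sudo writes: invoker, " : ", an optional free-text reason, then
    "KEY=VALUE" chunks separated by " ; ".  Returns None for sudo lines that
    are not command records (PAM session open/close messages), so callers
    do not treat them as empty records.
    """
    subject, sep, rest = msg.partition(" : ")
    if not sep:
        return None
    # ".sudo.SUBJECT" is a hypothetical name for the invoking user.
    fields = {".sudo.SUBJECT": subject.strip()}
    for chunk in rest.split(" ; "):
        key, eq, value = chunk.partition("=")
        if eq:
            fields[".sudo." + key.strip()] = value.strip()
        else:
            # Leading free-text chunk, e.g. "3 incorrect password attempts"
            fields[".sudo.REASON"] = chunk.strip()
    return fields


def route(line: str, wanted: str, field: str = ".sudo.SUBJECT") -> str:
    """Return the destination name for one syslog line.

    Mirrors the nested filter asked for in the thread: the program must be
    sudo, then `field` of the parsed record must equal `wanted`.  The
    default selects on the invoking user; pass field=".sudo.USER" to see
    that USER= is the target account, not the invoker.
    """
    m = SYSLOG_RE.match(line)
    if m is None or m.group("program") != "sudo":
        return "d_messages"
    record = parse_sudo(m.group("msg"))
    if record is not None and record.get(field) == wanted:
        return "d_autosudo"
    return "d_messages"


def split_log(text: str, wanted: str, field: str = ".sudo.SUBJECT") -> Dict[str, List[str]]:
    """Group every line of `text` by the destination route() picks."""
    out: Dict[str, List[str]] = {"d_autosudo": [], "d_messages": []}
    for line in text.splitlines():
        if line:
            out[route(line, wanted, field)].append(line)
    return out


if __name__ == "__main__":
    for dest, lines in split_log(SAMPLE_LOG, "auto-user").items():
        print(f"== {dest}: {len(lines)} line(s)")
        for entry in lines:
            print("   ", entry)
```

<p>With the default field only the automated user's command record reaches <code>d_autosudo</code>; its PAM session line and everyone else's records stay in <code>d_messages</code>. Calling <code>route(line, "root", field=".sudo.USER")</code> instead sends every command run as root, by anyone, to <code>d_autosudo</code>, which is the mix-up the thread's "IIRC" is worth checking for.</p>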
</body>
</html>