Untested config:

log {

source (s_local);

if (program("sudo")) {

parser { sudo-parser(); };

if (match("auto-user", value(".sudo.USER")) {

destination (d_autosudo);

}

flags(final);

};

I am not entirely sure of the name value pair .sudo.USER, sudo-parser extracts the key=value elements of a sudo log entry, and IIRC the username is an all caps "USER".

On Thu, Feb 4, 2021, 05:48 Dan Egli <dan@newideatest.site> wrote:

Hey folks, I've looked for a way to do this, and I guess my google-foo
is weak today. I've got a situation where on one of my machines, an
automated process FREQUENTLY calls sudo so it can gain the permissions
it needs to do certain tasks. But that means my /var/log/messages is
getting FILLED with sudo messages. I was hoping I could insert some kind
of text filter that would allow me to shunt messages where one user (the
automated process) calls sudo into another log file. It would basically
need to be a nested filter, i.e.:
If message_source = sudo then
if user = X then
log to auto_sudo.log

If someone knows how this can be done, I'd appreciate it.

Thanks!
--- Dan

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq