On Thu, 2011-03-31 at 20:52 +0200, Hendrik Visage wrote:
On Thu, Mar 31, 2011 at 3:10 PM, Tony MacDoodle <tpsdoodle@gmail.com> wrote:
Hello All,
I would like to push only the following log files to a central syslog-ng server. All clients are Solaris 10 and the syslog-ng server is also Solaris 10. Is it possible to push only this information?
wtmpx
This file does grow, but it's a binary file. Refer to wtmpx/utmpx(5). You would most probably need to write some C program to check for changes, then read the last entry (or search for the changed entry, as I might be wrong, but I understood it to be changing the previous entry when a user logs out, rather than adding a new entry).
Finally, I knew my binary file support stuff, which currently only does process accounting, is worth it :) This was exactly the use-case I had in mind as a next step, but I've figured I'd wait until the need pops up, and here it comes :) Thanks for that.

So to translate my cryptic enthusiasm, the way to solve this is to add a "format" plugin starting with syslog-ng 3.2, in a similar spirit to how the "pacctformat" is implemented. Once that's in place, syslog-ng will be able to follow that file correctly, just like it does with other regular text files.

So the best way to start is to copy the "pacctformat" plugin, change the plugin name from pacct to wtmp, and modify the pacct-format.c file to extract the wtmp record values instead of the process accounting stuff. pacct-format.c is currently 164 lines of C code, but a lot of that is comments; the most important part is pacct_format_handler(), which gets a record from the file and has to convert it to name-value pairs.

At the end you need something like:

    file("/var/log/wtmpx" follow-freq(1) format("wtmpx"));

Let me know if you need further help.

-- 
Bazsi
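
The record-to-name-value step discussed in this thread, as an added example that is not from the thread or from the syslog-ng source. It assumes the in-memory `struct utmpx` from `<utmpx.h>` and does not use the syslog-ng plugin API or the Solaris on-disk record layout, neither of which is shown here; `wtmpx_to_pairs`, `copy_field` and `demo_record` are hypothetical names.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <utmpx.h>

/* utmpx character fields are fixed-width and need not be NUL-terminated.
 * Copy at most srclen bytes and replace non-printable bytes and quotes, so a
 * crafted user or host name cannot inject control characters into the log. */
static void copy_field(char *dst, const char *src, size_t srclen)
{
    size_t i;
    for (i = 0; i < srclen && src[i] != '\0'; i++)
        dst[i] = (isprint((unsigned char)src[i]) && src[i] != '"') ? src[i] : '?';
    dst[i] = '\0';               /* dst must hold srclen + 1 bytes */
}

/* Hypothetical helper: one record -> name="value" pairs; -1 if out is too small. */
int wtmpx_to_pairs(const struct utmpx *ut, char *out, size_t outlen)
{
    char user[sizeof ut->ut_user + 1], line[sizeof ut->ut_line + 1];
    char host[sizeof ut->ut_host + 1];
    int n;
    copy_field(user, ut->ut_user, sizeof ut->ut_user);
    copy_field(line, ut->ut_line, sizeof ut->ut_line);
    copy_field(host, ut->ut_host, sizeof ut->ut_host);
    n = snprintf(out, outlen,
                 "type=\"%d\" user=\"%s\" line=\"%s\" host=\"%s\" pid=\"%ld\" time=\"%ld\"",
                 (int)ut->ut_type, user, line, host,
                 (long)ut->ut_pid, (long)ut->ut_tv.tv_sec);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Constructed sample: user fills its field (no NUL), host carries a newline. */
const char *demo_record(void)
{
    static char out[512];
    struct utmpx ut;
    memset(&ut, 0, sizeof ut);
    ut.ut_type = USER_PROCESS;
    ut.ut_pid = 4242;
    ut.ut_tv.tv_sec = 1301597520;
    memset(ut.ut_user, 'a', sizeof ut.ut_user);
    memcpy(ut.ut_line, "pts/3", 5);
    memcpy(ut.ut_host, "bad\nhost", 8);
    return wtmpx_to_pairs(&ut, out, sizeof out) < 0 ? "" : out;
}

int main(void) { puts(demo_record()); return 0; }
```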