Hey folks, I've looked for a way to do this, and I guess my google-foo is weak today. I've got a situation where on one of my machines, an automated process FREQUENTLY calls sudo so it can gain the permissions it needs to do certain tasks. But that means my /var/log/messages is getting FILLED with sudo messages. I was hoping I could insert some kind of text filter that would allow me to shunt messages where one user (the automated process) calls sudo into another log file. It would basically need to be a nested filter, i.e.:

    If message_source = sudo then
        if user = X then
            log to auto_sudo.log

If someone knows how this can be done, I'd appreciate it.

Thanks!
--- Dan
Untested config:

    log {
        source(s_local);
        if (program("sudo")) {
            parser { sudo-parser(); };
            if (match("auto-user", value(".sudo.USER"))) {
                destination(d_autosudo);
            };
            flags(final);
        };
    };

I am not entirely sure of the name value pair .sudo.USER; sudo-parser extracts the key=value elements of a sudo log entry, and IIRC the username is an all caps "USER".

On Thu, Feb 4, 2021, 05:48 Dan Egli <dan@newideatest.site> wrote:
Hey folks, I've looked for a way to do this, and I guess my google-foo is weak today. I've got a situation where on one of my machines, an automated process FREQUENTLY calls sudo so it can gain the permissions it needs to do certain tasks. But that means my /var/log/messages is getting FILLED with sudo messages. I was hoping I could insert some kind of text filter that would allow me to shunt messages where one user (the automated process) calls sudo into another log file. It would basically need to be a nested filter, i.e.:

    If message_source = sudo then
        if user = X then
            log to auto_sudo.log
If someone knows how this can be done, I'd appreciate it.
Thanks! --- Dan
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
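The two-level filter sketched above, modelled in Python as an added example (not code from the thread or from syslog-ng) so that the field the inner filter keys on can be checked against sample lines before it goes into the config. The account name "auto-user" and the log lines are constructed for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of lines as they would land in /var/log/messages.
# The automated account is assumed to be "auto-user" (the thread's user X).
SAMPLE_LINES = [
    "Feb  4 05:48:01 host sudo: auto-user : TTY=unknown ; PWD=/opt/job ; USER=root ; COMMAND=/usr/bin/systemctl restart job",
    "Feb  4 05:48:01 host sudo: pam_unix(sudo:session): session opened for user root by auto-user(uid=0)",
    "Feb  4 05:48:02 host sudo:      dan : TTY=pts/0 ; PWD=/home/dan ; USER=root ; COMMAND=/bin/ls /root",
    "Feb  4 05:48:04 host sshd[1234]: Accepted publickey for dan from 10.0.0.5 port 50000 ssh2",
]

# BSD-syslog header: timestamp, host, program[pid]: message
HEADER_RE = re.compile(r"^\S+\s+\d+\s+\S+\s+\S+\s+(?P<program>[^\s\[:]+)(?:\[\d+\])?:\s(?P<msg>.*)$")
# sudo's command record: "<invoker> : KEY=VALUE ; KEY=VALUE ; ..."
COMMAND_RE = re.compile(r"^\s*(?P<invoker>\S+) : (?P<kv>.+)$")
# pam_unix session lines name the invoking account after "by"
SESSION_RE = re.compile(r"^pam_unix\(sudo:session\): .* by (?P<invoker>[^\s(]+)\(")

def parse_sudo(msg: str) -> Optional[Tuple[str, Dict[str, str]]]:
    """Return (invoking user, key=value fields) for a sudo message, else None."""
    m = COMMAND_RE.match(msg)
    if m:
        kv = {}
        for field in m.group("kv").split(" ; "):
            key, _, value = field.partition("=")
            kv[key] = value
        return m.group("invoker"), kv
    m = SESSION_RE.match(msg)
    if m:
        return m.group("invoker"), {}
    return None

def route(line: str, auto_user: str) -> str:
    """Name the log a line belongs in: 'auto_sudo' or 'messages'."""
    m = HEADER_RE.match(line)
    if not m or m.group("program") != "sudo":
        return "messages"                      # outer filter: program("sudo")
    parsed = parse_sudo(m.group("msg"))
    if parsed is None:
        return "messages"                      # unrecognised sudo line: keep it visible
    invoker, _ = parsed
    # The inner filter keys on the *invoking* account. The USER= field is the
    # target account (normally root): matching on it would divert every
    # user's sudo-to-root records, not only the automated job's.
    return "auto_sudo" if invoker == auto_user else "messages"

def route_all(lines: List[str], auto_user: str = "auto-user") -> List[str]:
    return [route(line, auto_user) for line in lines]
```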
Sorry to be gone. It's been a hell of a few days. What you wrote looks promising. Where can I find more about the sudo-parser and such? That way if the config doesn't work I have an idea of how to tweak it.

On 2/3/2021 10:22 PM, Balazs Scheidler wrote:
Untested config:
    log {
        source(s_local);
        if (program("sudo")) {
            parser { sudo-parser(); };
            if (match("auto-user", value(".sudo.USER"))) {
                destination(d_autosudo);
            };
            flags(final);
        };
    };
I am not entirely sure of the name value pair .sudo.USER, sudo-parser extracts the key=value elements of a sudo log entry, and IIRC the username is an all caps "USER".
Hi Dan,

On Sun, Feb 07, 2021 at 10:49:43PM -0700, Dan Egli wrote:
Sorry to be gone. It's been a hell of a few days. What you wrote looks promising. Where can I find more about the sudo-parser and such? That way if the config doesn't work I have an idea of how to tweak it.
It depends on how you installed syslog-ng, but in the RPM dists it's usually in /usr/share/syslog-ng/include/scl that I look.