how to push sulogs/utmpx/wtmpx to central logserver
Hello All, I would like to push only the following log files to a central syslog-ng server. All clients are Solaris 10 and the syslog-ng server is also Solaris 10. Is it possible to push only this information?

wtmpx
utmpx
sulog

Thanks
This could be accomplished with something as simple as:

    source s_tail {
        file("/path/to/log.file1" follow_freq(1) flags(no-parse));
        file("/path/to/log.file2" follow_freq(1) flags(no-parse));
        file("/path/to/log.file3" follow_freq(1) flags(no-parse));
    };
    log { source(s_tail); destination(loghost); };
    destination loghost { tcp("centrallogger.yourdomain.com"); };

From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Tony MacDoodle
Sent: Thursday, March 31, 2011 6:11 AM
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng] how to push sulogs/utmpx/wtmpx to central logserver

Hello All, I would like to push only the following log files to a central syslog-ng server. All clients are Solaris 10 and the syslog-ng server is also Solaris 10. Is it possible to push only this information?

wtmpx
utmpx
sulog

Thanks
On Thu, Mar 31, 2011 at 3:10 PM, Tony MacDoodle <tpsdoodle@gmail.com> wrote:
Hello All,
I would like to push only the following log files to a central syslog-ng server. All clients are Solaris 10 and the syslog-ng server is also Solaris 10. Is it possible to push only this information?
wtmpx
This file DOES grow, but it's a binary file. Refer to wtmpx/utmpx(5). You would most probably need to write some C program to check for changes, then read the last entry (or search for the changed entry, as I might be wrong, but I understood it to be changing the previous entry when a user logs out, rather than adding a new entry).
utmpx

This is a state file, more than anything else: the currently logged-in users. It doesn't grow, other than to the size of (number of logged-in users) * sizeof(struct utmpx) as defined in <utmpx.h> (refer to endutxent(3) and utmpx(5)). Thus to log this, you'll be duplicating the wtmpx logging, as changes to that file cause changes to this one.

sulog

This is "easy", as has been explained.
On Thu, 2011-03-31 at 20:52 +0200, Hendrik Visage wrote:
On Thu, Mar 31, 2011 at 3:10 PM, Tony MacDoodle <tpsdoodle@gmail.com> wrote:
Hello All,
I would like to push only the following log files to a central syslog-ng server. All clients are Solaris 10 and the syslog-ng server is also Solaris 10. Is it possible to push only this information?
wtmpx
This file DOES grow, but it's a binary file. Refer to wtmpx/utmpx(5). You would most probably need to write some C program to check for changes, then read the last entry (or search for the changed entry, as I might be wrong, but I understood it to be changing the previous entry when a user logs out, rather than adding a new entry).
Finally, I knew my binary file support stuff, which currently only does process accounting, is worth it :) This was exactly the use-case I had in mind as a next step, but I figured I'd wait until the need pops up, and here it comes :) Thanks for that.

So to translate my cryptic enthusiasm, the way to solve this is to add a "format" plugin, starting with syslog-ng 3.2, in a similar spirit to how the "pacctformat" is implemented. Once that's in place, syslog-ng will be able to follow that file correctly, just like it does with other regular text files.

So the best way to start is to copy the "pacctformat" plugin, change the plugin name from pacct to wtmp, and modify the pacct-format.c file to extract the wtmp record values instead of the process accounting stuff. pacct-format.c is currently 164 lines of C code, but a lot of that is comments; the most important part is pacct_format_handler(), which gets a record from the file and has to convert it to name-value pairs.

At the end you need something like:

    file("/var/log/wtmpx" follow-freq(1) format("wtmpx"));

Let me know if you need further help.

--
Bazsi
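As an added illustration, not code from this thread or from syslog-ng: a small C program of the kind Hendrik suggests, doing the conversion Bazsi describes for a format handler, turning binary wtmpx records into name=value text. It uses the platform's own struct utmpx from <utmpx.h>, so it must be built on the Solaris 10 host whose file it reads (the record layout differs between Solaris and Linux); the chosen field set and the output format are my own.

```c
#include <stdio.h>
#include <string.h>
#include <utmpx.h>

/* Name the record type so the central log is readable without <utmpx.h>. */
static const char *utype_name(short t) {
    switch (t) {
    case BOOT_TIME:     return "BOOT_TIME";
    case LOGIN_PROCESS: return "LOGIN_PROCESS";
    case USER_PROCESS:  return "USER_PROCESS";
    case DEAD_PROCESS:  return "DEAD_PROCESS";
    default:            return "OTHER";
    }
}

/* Render one wtmpx record as name=value pairs, the job a format handler does.
 * ut_user/ut_line/ut_host are fixed-width and need not be NUL-terminated, so
 * each is printed with an explicit maximum width instead of as a C string. */
int format_utmpx(const struct utmpx *u, char *out, size_t outlen) {
    return snprintf(out, outlen, "type=%s user=%.*s line=%.*s host=%.*s pid=%ld time=%ld",
                    utype_name(u->ut_type),
                    (int)sizeof u->ut_user, u->ut_user,
                    (int)sizeof u->ut_line, u->ut_line,
                    (int)sizeof u->ut_host, u->ut_host,
                    (long)u->ut_pid, (long)u->ut_tv.tv_sec);
}

/* Cut a chunk read from the file into whole records (at most max). A partial record
 * at the end is not consumed, so a half-written entry is never logged as garbage. */
size_t split_records(const unsigned char *buf, size_t len,
                     struct utmpx *out, size_t max, size_t *consumed) {
    size_t n = len / sizeof(struct utmpx);
    if (n > max) n = max;
    memcpy(out, buf, n * sizeof(struct utmpx));
    *consumed = n * sizeof(struct utmpx);
    return n;
}

/* Stand-alone use: dump a wtmpx file (on Solaris, /var/adm/wtmpx) as text lines. */
int main(int argc, char **argv) {
    struct utmpx u; char text[512];
    FILE *f = argc > 1 ? fopen(argv[1], "rb") : NULL;
    if (!f) { fprintf(stderr, "usage: %s /path/to/wtmpx\n", argv[0]); return 1; }
    while (fread(&u, sizeof u, 1, f) == 1 && format_utmpx(&u, text, sizeof text) > 0)
        puts(text);
    return fclose(f) ? 1 : 0;
}
```

Each output line can then be fed to the central server through a plain file() source with flags(no-parse), as in the earlier reply, until a real format plugin exists.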
participants (4)
- Balazs Scheidler
- George_Starkey@McAfee.com
- Hendrik Visage
- Tony MacDoodle