[syslog-ng]Sudo logging

Nate Campi nate@campin.net
Tue, 8 Jan 2002 19:40:09 -0800

On Tue, Jan 08, 2002 at 12:52:13PM -0800, Chuck Kelly wrote:
> I can't seem to get sudo logs logging properly.
> Would like each host to log to sudo.log instead of local2.
> /var/log/syslog-ng/$HOST/sudo.log
> Anyone have any examples of how they did it?

It's possible by using the $PROGRAM macro in your 
See http://www.balabit.hu/static/syslog-ng/reference/x324.html#AEN512

You don't really want to trust the input of log messages when creating
files in your filesystem, though. Plus that will log *all* your logs by

If you just want the sudo stuff you can apply a regexp to log messages
as they come in like:
  destination sudo_log { file("/var/log/syslog-ng/$HOST/sudo.log" create_dirs(yes)); };
  # this should match sudo in the tag field
  filter f_sudo { match("sudo:"); };
  log { source(src); filter(f_sudo_log); destination(sudo_log); };
This should work as is.
Nate Campi     http://www.campin.net    GnuPG key: 0xC17AEF79   

"ASCII stupid question, get a stupid ANSI !"