[syslog-ng] how to push sulogs/utmpx/wtmpx to central logserver

Balazs Scheidler bazsi at balabit.hu
Thu Mar 31 21:16:10 CEST 2011


On Thu, 2011-03-31 at 20:52 +0200, Hendrik Visage wrote:
> On Thu, Mar 31, 2011 at 3:10 PM, Tony MacDoodle <tpsdoodle at gmail.com> wrote:
> > Hello All,
> >
> > I would like to push only the following log files to a central syslog-ng
> > server. All clients are Solaris 10 and the syslog-ng server is also Solaris
> > 10. Is it possible to push only this information?
> >
> > wtmpx
> 
> This file does grow, but it's a binary file. Refer to wtmpx/utmpx(5).
> You would most probably need to write some C program to check for
> changes, then read the last entry (or search for the changed entry; I
> might be wrong, but I understood it to be changing the previous entry
> when a user logs out, rather than adding a new entry)

Finally, I knew my binary file support stuff, which currently only does
process accounting, is worth it :)

This was exactly the use-case I had in mind as a next step, but I've
figured I'd wait until the need pops up, and here it comes :) Thanks for
that.

So to translate my cryptic enthusiasm, the way to solve this is to add a
"format" plugin starting with syslog-ng 3.2, in a similar spirit to how the
"pacctformat" is implemented. Once that's in place, syslog-ng will be
able to follow that file correctly, just like it does with other regular
text files.

So the best way to start is to copy the "pacctformat" plugin, change the
plugin name from pacct to wtmp, and modify the pacct-format.c file to
extract the wtmp record values instead of the process accounting stuff.

pacct-format.c is currently 164 lines of C code, but a lot of that is
comments; the most important part is pacct_format_handler(), which gets
a record from the file and has to convert it to name-value pairs.

At the end you need something like:

        file("/var/log/wtmpx" follow-freq(1) format("wtmpx"));

Let me know if you need further help.

-- 
Bazsi
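An added example, not syslog-ng's pacct-format.c and not the wtmpx plugin described above: a stand-alone C sketch of the record-to-name-value step such a plugin needs, using the wtmpx record layout documented in utmpx(5) as an assumption about the on-disk format (native byte order and alignment of the machine that wrote the file). The sample record, the host name and the key names are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Mirrors the wtmpx record layout documented in utmpx(5) on Solaris.
 * Assumption: records are read on the architecture that wrote them, so a
 * plain fread() fills the struct (372 bytes with natural alignment). */
struct wtmpx_rec {
    char    ut_user[32];                 /* login name, no NUL if the field is full */
    char    ut_id[4];                    /* inittab id */
    char    ut_line[32];                 /* tty device name */
    int32_t ut_pid;
    int16_t ut_type;                     /* USER_PROCESS, DEAD_PROCESS, ... */
    struct { int16_t e_termination, e_exit; } ut_exit;
    struct { int32_t tv_sec, tv_usec; } ut_tv;
    int32_t ut_session;
    int32_t pad[5];
    int16_t ut_syslen;                   /* significant length of ut_host */
    char    ut_host[257];
};

static const char *type_names[] = { "EMPTY", "RUN_LVL", "BOOT_TIME", "OLD_TIME",
    "NEW_TIME", "INIT_PROCESS", "LOGIN_PROCESS", "USER_PROCESS", "DEAD_PROCESS",
    "ACCOUNTING" };

/* Copy a fixed-width field that may lack a terminating NUL. */
static void field(char *dst, size_t dstlen, const char *src, size_t srclen)
{
    size_t n = 0;
    while (n < srclen && n < dstlen - 1 && src[n] != '\0') n++;
    memcpy(dst, src, n);
    dst[n] = '\0';
}

/* Read one record: 1 on success, 0 at EOF, -1 on a short (torn) record. */
int wtmpx_read(FILE *fp, struct wtmpx_rec *r)
{
    size_t n = fread(r, 1, sizeof *r, fp);
    if (n == sizeof *r) return 1;
    return (n == 0 && feof(fp)) ? 0 : -1;
}

/* Render one record as the name-value pairs a format plugin would emit. */
int wtmpx_format(const struct wtmpx_rec *r, char *out, size_t outlen)
{
    char user[33], line[33], host[258];
    int t = r->ut_type;
    const char *tname = (t >= 0 && t < 10) ? type_names[t] : "UNKNOWN";
    field(user, sizeof user, r->ut_user, sizeof r->ut_user);
    field(line, sizeof line, r->ut_line, sizeof r->ut_line);
    field(host, sizeof host, r->ut_host, sizeof r->ut_host);
    return snprintf(out, outlen, "user=%s line=%s host=%s pid=%ld type=%s exit=%d time=%ld",
                    user, line, host, (long)r->ut_pid, tname,
                    (int)r->ut_exit.e_exit, (long)r->ut_tv.tv_sec);
}

/* Constructed sample: a USER_PROCESS login by "alice" on pts/3 (hypothetical host). */
struct wtmpx_rec sample_login(void)
{
    struct wtmpx_rec r;
    memset(&r, 0, sizeof r);
    memcpy(r.ut_user, "alice", 5);
    memcpy(r.ut_line, "pts/3", 5);
    memcpy(r.ut_host, "host.example", 12);
    r.ut_syslen = 13;                    /* length of ut_host including its NUL */
    r.ut_pid = 4242; r.ut_type = 7; r.ut_tv.tv_sec = 1301598970;
    return r;
}
```

A follow-freq() style reader would call wtmpx_read() in a loop and, on -1, seek back to the record boundary and retry later rather than emitting a half-written record.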