[syslog-ng] EWMM and sudo app-parser
Balazs Scheidler
bazsi77 at gmail.com
Thu Aug 6 14:00:12 UTC 2020
That's actually true. Once it happens on the client, but the extracted
information is NOT conveyed to the server, thus it must do it again.
Bazsi
On Thu, Aug 6, 2020 at 3:56 PM Fabien Wernli <wernli at in2p3.fr> wrote:
> Hi Bazsi!
>
> On Thu, Aug 06, 2020 at 03:45:19PM +0200, Balazs Scheidler wrote:
> > As you can see the ".sudo" top-level key is there, listing sudo related
> > name-value pairs as extracted on the client. I also checked the debug/trace
> > logs on the server and confirmed that only ewmm parsing was done,
>
> Thanks for your thorough investigation!
>
> Thus I understand that when using syslog (not -ng) destination, and
> default-network-drivers, sudo parsing will happen twice.
>
>
--
Bazsi