[syslog-ng] filtering based on text?

Balazs Scheidler bazsi77 at gmail.com
Thu Feb 4 05:22:57 UTC 2021


Untested config:

log {
    source(s_local);
    if (program("sudo")) {
        # sudo-parser() comes from scl.conf and splits the key=value fields
        parser { sudo-parser(); };
        # filter function options are space-separated, not comma-separated
        if (match("auto-user" value(".sudo.USER"))) {
            destination(d_autosudo);
        };
    };
    flags(final);
};

I am not entirely sure of the name-value pair .sudo.USER; sudo-parser
extracts the key=value elements of a sudo log entry, and IIRC the username
is an all caps "USER".

On Thu, Feb 4, 2021, 05:48 Dan Egli <dan at newideatest.site> wrote:

> Hey folks, I've looked for a way to do this, and I guess my google-foo
> is weak today. I've got a situation where on one of my machines, an
> automated process FREQUENTLY calls sudo so it can gain the permissions
> it needs to do certain tasks. But that means my /var/log/messages is
> getting FILLED with sudo messages. I was hoping I could insert some kind
> of text filter that would allow me to shunt messages where one user (the
> automated process) calls sudo into another log file. It would basically
> need to be a nested filter, i.e.:
> If message_source = sudo then
>      if user = X then
>          log to auto_sudo.log
>
> If someone knows how this can be done, I'd appreciate it.
>
> Thanks!
> --- Dan
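A complete configuration for the routing Dan describes, written as an added example rather than taken from Balazs's reply or from the syslog-ng project. It uses classic filter/parser/destination blocks instead of the in-path if() form, so it also works on syslog-ng versions before 3.8. The source name s_local, the file paths, and the account name "auto-user" are assumptions. The field name is an assumption too: from the sudo log format ("user : TTY=... ; USER=root ; COMMAND=..."), the SCL sudo-parser() is expected to put the invoking account in .sudo.SUDOUSER and the target account in .sudo.USER, so the filter below matches on SUDOUSER; verify the names on your version by sending a message through a destination with template("$(format-json --scope dot-nv-pairs)\n") first.

```conf
@version: 3.38
@include "scl.conf"

# local system logs (journald or /dev/log depending on platform) plus
# syslog-ng's own internal messages
source s_local {
    system();
    internal();
};

# sudo-parser() splits "TTY=... ; PWD=... ; USER=... ; COMMAND=..." into
# name-value pairs under the .sudo. prefix (default prefix of the SCL parser)
parser p_sudo { sudo-parser(); };

# only messages whose syslog PROGRAM field is "sudo"
filter f_sudo { program("sudo"); };

# invoking account is the automated one; anchored so "auto-user2" does not match
# (.sudo.SUDOUSER is an assumption, see lead-in)
filter f_auto_user { match("^auto-user$" value(".sudo.SUDOUSER")); };

destination d_autosudo { file("/var/log/auto_sudo.log"); };
destination d_messages { file("/var/log/messages"); };

# path 1: sudo lines from the automated account go to their own file and,
# because of flags(final), are not processed by any later log path
log {
    source(s_local);
    filter(f_sudo);
    parser(p_sudo);
    filter(f_auto_user);
    destination(d_autosudo);
    flags(final);
};

# path 2: everything else (including sudo lines from human users) stays
# in /var/log/messages
log {
    source(s_local);
    destination(d_messages);
};
```

Order matters: flags(final) only stops messages that actually reached the destination of path 1, so a sudo line from any other account falls through both filters and is still written by path 2. Keep path 1 above path 2, and check the result with syslog-ng -s (syntax check) before reloading.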