[syslog-ng] filtering based on text?
Dan Egli
dan at newideatest.site
Mon Feb 8 05:49:43 UTC 2021
Sorry to be gone. It's been a hell of a few days. What you wrote looks
promising. Where can I find more about the sudo-parser and such? That
way if the config doesn't work I have an idea of how to tweak it.
On 2/3/2021 10:22 PM, Balazs Scheidler wrote:
> Untested config:
>
> log {
>     source (s_local);
>     if (program("sudo")) {
>         # sudo-parser() turns the "key=value" parts of a sudo line into .sudo.* name-value pairs
>         parser { sudo-parser(); };
>         if (match("auto-user", value(".sudo.USER"))) {
>             destination (d_autosudo);
>         };
>         flags(final);
>     };
> };
>
> I am not entirely sure of the name-value pair .sudo.USER; sudo-parser
> extracts the key=value elements of a sudo log entry, and IIRC the
> username is an all caps "USER".
>
> On Thu, Feb 4, 2021, 05:48 Dan Egli <dan at newideatest.site> wrote:
>
> Hey folks, I've looked for a way to do this, and I guess my google-foo
> is weak today. I've got a situation where on one of my machines, an
> automated process FREQUENTLY calls sudo so it can gain the permissions
> it needs to do certain tasks. But that means my /var/log/messages is
> getting FILLED with sudo messages. I was hoping I could insert some kind
> of text filter that would allow me to shunt messages where one user (the
> automated process) calls sudo into another log file. It would basically
> need to be a nested filter, i.e.:
>
>     If message_source = sudo then
>         if user = X then
>             log to auto_sudo.log
>
> If someone knows how this can be done, I'd appreciate it.
>
> Thanks!
> --- Dan
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
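A complete configuration for the routing Dan asks about, added here as an illustration and not taken from the thread or from the syslog-ng project: it fills in the source and destination definitions the quoted snippet refers to, and it matches on the account that invoked sudo rather than on the target account, which for sudo is normally root. It assumes that syslog-ng's SCL sudo-parser() stores the invoking account in .sudo.SUDOER and the target account in .sudo.USER, and that the file paths, the version line and the account name auto-user are placeholders to adjust.

```conf
# Set @version to the syslog-ng release you run; scl.conf provides sudo-parser().
@version: 3.30
@include "scl.conf"

source s_local { system(); internal(); };

# Placeholder paths: everything else keeps going to the usual messages file.
destination d_messages { file("/var/log/messages"); };
destination d_autosudo { file("/var/log/auto_sudo.log"); };

log {
    source(s_local);
    if (program("sudo")) {
        # Assumed field names: .sudo.SUDOER = who ran sudo, .sudo.USER = target
        # account (usually root), .sudo.COMMAND = the command line.
        parser { sudo-parser(); };
        # Anchored regex so that e.g. "auto-user2" is not shunted as well.
        if (match("^auto-user$" value(".sudo.SUDOER"))) {
            destination(d_autosudo);
        } else {
            destination(d_messages);
        };
    } else {
        destination(d_messages);
    };
    # Stop later log statements from writing these messages a second time.
    flags(final);
};
```

Check the file with `syslog-ng --syntax-only -f /path/to/syslog-ng.conf` before reloading. To confirm which name-value pair holds the calling account on your version, temporarily give d_autosudo a `template("$(format-json --scope dot-nv-pairs)\n")` and inspect one parsed sudo line.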