[rsyslog] per programname logs

Jan-Frode Myklebust janfrode at tanso.net
Mon Aug 27 23:06:55 CEST 2007


On 2007-08-27, Rainer Gerhards <rgerhards at hq.adiscon.com> wrote:
> Can you let us know which strings it is set to? That would definitely
> help troubleshooting (one lab less to do ;)).

Not sure what you're asking.. I have this rsyslog.conf entry:

 	$template PerAppLogs,"/var/log/rsyslog/apps/%programname%.log"
 	*.* -?PerAppLogs

which produces two log files "1.4.1.log" and "message.log" containing

 	Aug 27 21:58:01 syslogd 1.4.1: restart.
 	Aug 27 21:58:01 syslogd 1.4.1: restart.
 	Aug 27 21:58:01 syslogd 1.4.1: restart.

 	Aug 27 22:02:48 last message repeated 12 times
 	Aug 27 22:02:49 last message repeated 6 times
 	Aug 27 22:02:49 last message repeated 92 times

respectively. I think that's all the information I have.. plus maybe also
say that the remote host logging this is likely RHEL3, RHEL4 or RHEL5
with sysklogd sending the logs over standard udp (*.* @loghost).

Another thing that scared me a bit is that from the same template I
got a logfile named ".log" containing:

Aug 27 22:00:01 censored1.domain.mgmt /usr/bin/sudo djksjdks : TTY=unknown ; PWD=/home/djksjdks ; USER=root ; COMMAND=/sbin/iptables-save
Aug 27 22:00:01 censored2.domain.mgmt /usr/bin/sudo djksjdks : TTY=unknown ; PWD=/home/djksjdks ; USER=root ; COMMAND=/sbin/iptables-save
Aug 27 22:00:02 censored3.domain.mgmt /usr/bin/sudo djksjdks : TTY=unknown ; PWD=/home/djksjdks ; USER=root ; COMMAND=/sbin/iptables-save
Aug 27 22:00:17 censored4.domain.mgmt /usr/bin/sudo djksjdks : TTY=unknown ; PWD=/home/djksjdks ; USER=root ; COMMAND=/sbin/iptables-save
Aug 27 22:00:17 censored5.domain.mgmt /usr/bin/sudo djksjdks : TTY=unknown ; PWD=/home/djksjdks ; USER=root ; COMMAND=/sbin/iptables-save

which makes me think it tried to create the file /usr/bin/sudo.log..
Wonder if it might be possible to make rsyslogd overwrite /etc/passwd
with a sufficiently crafted %programname% string...


  -jf
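As an added example that is not part of this post or of rsyslog's own code: a small Python model of the tag-to-file-name step and of the confinement check the poster is wondering about. The `programname` function assumes the tag is cut at the first ':', '[' or '/' (that assumption is what reproduces the three files seen above: 1.4.1.log, message.log and .log). The sample lines are constructed after the ones quoted in the post plus two hypothetical crafted tags, the template with %syslogtag% is added to show what happens with a property that may contain slashes, and `safe_dynafile_path` is an illustrative hardening, not an rsyslog feature.

```python
import posixpath
import re

LOG_DIR = "/var/log/rsyslog/apps"
TEMPLATE = LOG_DIR + "/%programname%.log"       # the template from the post
TAG_TEMPLATE = LOG_DIR + "/%syslogtag%.log"     # same idea with the raw tag (added here)

# Constructed sample lines, modeled on the ones quoted in the post; the last two
# are hypothetical crafted tags from a sender we do not control.
SAMPLE_LINES = [
    "Aug 27 21:58:01 syslogd 1.4.1: restart.",
    "Aug 27 22:02:48 last message repeated 12 times",
    "Aug 27 22:00:01 censored1.domain.mgmt /usr/bin/sudo djksjdks : TTY=unknown ; "
    "PWD=/home/djksjdks ; USER=root ; COMMAND=/sbin/iptables-save",
    "Aug 27 22:00:05 evilhost ../../../etc/passwd: crafted tag",
    "Aug 27 22:00:06 evilhost ..: crafted tag",
]

_LINE_RE = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d (\S+) (\S+)(?: (.*))?$")


def parse_bsd_line(line):
    """Return (hostname, tag, msg) from 'MMM DD hh:mm:ss host tag msg'.

    Like a simple syslogd, the hostname is just the first word after the timestamp
    and the tag the next space-delimited word.  That is why the sysklogd restart
    message 'syslogd 1.4.1: restart.' (sent without a hostname) ends up with
    host 'syslogd' and tag '1.4.1:'.
    """
    m = _LINE_RE.match(line)
    if not m:
        raise ValueError(f"not a BSD syslog line: {line!r}")
    host, tag, msg = m.groups()
    return host, tag, msg or ""


def programname(tag):
    """Model (assumption) of %programname%: the tag up to the first ':', '[' or '/'.

    Reproduces the post's three files: '1.4.1:' -> '1.4.1', 'message' -> 'message',
    '/usr/bin/sudo' -> '' (hence '.log').
    """
    for i, ch in enumerate(tag):
        if ch in ":[/":
            return tag[:i]
    return tag


def dynafile_path(template, tag):
    """Naive template expansion: substitute the property text verbatim."""
    return template.replace("%programname%", programname(tag)).replace("%syslogtag%", tag)


def is_confined(path, base):
    """True if path is already normalised, lies inside base, and names a visible file."""
    norm = posixpath.normpath(path)
    if norm != path:                      # '..' or '//' made it into a generated path
        return False
    if not norm.startswith(base.rstrip("/") + "/"):
        return False
    name = posixpath.basename(norm)
    return name != "" and not name.startswith(".")   # '.log' and '...log' are rejected


def safe_dynafile_path(template, tag, base=LOG_DIR, fallback="_unknown"):
    """Hardened expansion: allowlist the program name, fall back when it is empty or dots."""
    name = programname(tag)
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", name) or name.strip(".") == "":
        name = fallback
    path = template.replace("%programname%", name)
    if not is_confined(path, base):       # belt and braces: never trust the result
        raise ValueError(f"refusing to open {path!r} outside {base}")
    return path


def audit(lines, template=TEMPLATE):
    """For each line: (tag, naive path, confined?, hardened path)."""
    out = []
    for line in lines:
        _host, tag, _msg = parse_bsd_line(line)
        naive = dynafile_path(template, tag)
        out.append((tag, naive, is_confined(naive, LOG_DIR), safe_dynafile_path(TEMPLATE, tag)))
    return out


if __name__ == "__main__":
    for template in (TEMPLATE, TAG_TEMPLATE):
        print(f"== {template}")
        for tag, naive, ok, safe in audit(SAMPLE_LINES, template):
            print(f"{tag!r:28} -> {naive!r:48} {'ok ' if ok else 'BAD'} -> {safe!r}")
```

With the model above, %programname% alone cannot escape the directory because the '/' terminator cuts the tag, but it does produce the hidden ".log" file the post noticed, and the very same template with %syslogtag% expands "../../../etc/passwd:" to a path outside /var/log/rsyslog/apps, which `is_confined` flags. For real deployments, check whether your rsyslog version's property replacer offers the secpath-drop / secpath-replace options for dynafile templates and use them rather than relying on the tag's format.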


