[rsyslog-notify] Forum Thread: omprog config/usage? - (Mode 'post')
noreply at adiscon.com
Wed Apr 2 17:37:07 CEST 2014
User: dkoleary
Forumlink: http://kb.monitorware.com/viewtopic.php?p=24465#p24465
Message:
----------
Hi;
I have a centralized syslog server, running on rhel6.5 and rsyslogd ver
5.8.10. In order to support a client's security policy, I need to write a
script that will monitor the incoming log messages for authorized usage of
ssh and sudo. I'm having issues getting the omprog module to work properly
with filtered messages.
Some details:
[code]
# grep -i omprog /etc/rsyslog.conf
$ModLoad omprog # Enables filter programs to further analyze logs
$ActionOMProgBinary /usr/local/sbin/ssh_logger
# if $programname == 'sshd' then :omprog:;RSYSLOG_TraditionalFileFormat
# *.info :omprog:;RSYSLOG_TraditionalFileFormat
:programname, startswith, "%SSH" :omprog:;RSYSLOG_TraditionalFileFormat
[/code]
/usr/local/sbin/ssh_logger gets called and does what it's supposed to if
the line "*.info [spaces] :omprog..." is enabled. That, however, gets
*everything* coming into the server. I'd like to have rsyslog filter for
ssh and sudo messages.
I believe the "if $programname" form is valid for a later version of rsyslog,
so that not working makes sense. Some hours of googling, though, indicate
that the ":programname" syntax should work for ver 5.8.10.
Short version: I'd like to have ssh related messages sent to the ssh_logger
script. Messages like:
[code]
Apr 2 10:15:48 ${host} sshd[712]: Connection from 01.02.03.04 port 42828
Apr 2 10:15:49 ${host} sshd[712]: Failed publickey for root from 01.02.03.04 port 42828 ssh2
Apr 2 10:15:49 ${host} sshd[712]: Found matching DSA key: 2f:f6:0b:52:83:38:6c:aa:d7:6d:33:7e:2f:6a:0a:99
Apr 2 10:15:49 ${host} sshd[713]: Postponed publickey for root from 01.02.03.04 port 42828 ssh2
Apr 2 10:15:49 ${host} sshd[712]: Found matching DSA key: 2f:f6:0b:52:83:38:6c:aa:d7:6d:33:7e:2f:6a:0a:99
[/code]
Could someone point out what I've messed up? Any help greatly appreciated.
Doug O'Leary
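As an added illustration, not the poster's ssh_logger and not part of the thread, here is a minimal POSIX sh consumer of the kind omprog feeds: it reads one RSYSLOG_TraditionalFileFormat line per message on stdin and classifies sshd and sudo events from lines like the ones quoted above. The host name host1, the sudo line format, and the --run switch are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's /usr/local/sbin/ssh_logger: classify the
# sshd/sudo lines that rsyslog's omprog writes to stdin, one message per line
# in RSYSLOG_TraditionalFileFormat ("Mon DD HH:MM:SS host tag: body").

# classify_line LINE -> prints one of
#   SSH_CONNECT|ip   SSH_AUTH_FAIL|user|ip   SSH_AUTH_OK|user|ip
#   SUDO|user|command   OTHER
classify_line() {
    line=$1
    tag=$(printf '%s\n' "$line" | awk '{ print $5 }')   # e.g. "sshd[712]:" or "sudo:"
    msg=${line#*"$tag" }                                 # body after the tag
    case $tag in
        sshd\[*)
            case $msg in
                "Connection from "*" port "*)
                    ip=$(printf '%s\n' "$msg" | sed 's/^Connection from \([^ ]*\) port .*/\1/')
                    printf 'SSH_CONNECT|%s\n' "$ip" ;;
                "Failed "*" for "*" from "*" port "*)
                    # "invalid user" may precede the name on failed logins
                    user=$(printf '%s\n' "$msg" | sed 's/^Failed [^ ]* for \(invalid user \)\{0,1\}\([^ ]*\) from .*/\2/')
                    ip=$(printf '%s\n' "$msg" | sed 's/.* from \([^ ]*\) port .*/\1/')
                    printf 'SSH_AUTH_FAIL|%s|%s\n' "$user" "$ip" ;;
                "Accepted "*" for "*" from "*" port "*)
                    user=$(printf '%s\n' "$msg" | sed 's/^Accepted [^ ]* for \([^ ]*\) from .*/\1/')
                    ip=$(printf '%s\n' "$msg" | sed 's/.* from \([^ ]*\) port .*/\1/')
                    printf 'SSH_AUTH_OK|%s|%s\n' "$user" "$ip" ;;
                *) echo OTHER ;;
            esac ;;
        sudo:)
            # assumed sudo body: "  doug : TTY=pts/0 ; PWD=/home/doug ; USER=root ; COMMAND=/bin/ls"
            user=$(printf '%s\n' "$msg" | sed 's/^ *\([^ ]*\) :.*/\1/')
            printf 'SUDO|%s|%s\n' "$user" "${msg##*COMMAND=}" ;;
        *) echo OTHER ;;
    esac
}

# rsyslog keeps the program running and feeds messages on stdin until it exits
run_logger() {
    while IFS= read -r line; do
        out=$(classify_line "$line")
        [ "$out" = OTHER ] || printf '%s\n' "$out"   # replace with your alerting action
    done
}

# Consume stdin only when invoked as "ssh_logger --run" (assumption: wrap it in a
# one-line script if your rsyslog version cannot pass arguments)
if [ "${1:-}" = "--run" ]; then
    run_logger
fi
```

Lines the script does not recognise (for example the "Found matching DSA key" and "Postponed publickey" messages) are classified OTHER and dropped by run_logger, so the noise level stays low even if the rsyslog filter sends it everything.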