[rsyslog-notify] Forum Thread: Re: omprog config/usage? - (Mode 'reply')
noreply at adiscon.com
Wed Apr 2 19:57:43 CEST 2014
User: dkoleary
Forumlink: http://kb.monitorware.com/viewtopic.php?p=24467#p24467
Message:
----------
Hi;
Thanks for the reply. I think I may have been unclear on one minor point.
The ssh_logger script is, so far, a very simple redirection facility.
[code:3oy02dlr]#!/usr/bin/perl
=pod
#########################################################
ssh_logger: Accepts input from rsyslog, analyzes ssh messages
for authorized access. Sends reports on invalid
messages
Author: Doug O'Leary
Created: 03/31/14
#########################################################
=cut
use strict;
# Append everything rsyslog sends on STDIN to /tmp/blivit
open (Out , ">> /tmp/blivit") || die "Can't open /tmp/blivit - ($!)";
my $old = select(Out);   # make Out the default handle for print
$| = 1; # force flush on the selected handle (Out)
while (<STDIN>)
{ print $_; }[/code:3oy02dlr]
All that being said, I ran rsyslog in debug mode and, after typing up a
much different response, I finally found this line:
[code:3oy02dlr]0415.079573777:7fda6bcd8700: Filter: check for property 'programname' (value 'sshd') startswith '%SSH': FALSE[/code:3oy02dlr]
After a minor bit of poking around, I changed it to:
[code:3oy02dlr]:programname, startswith, "ssh" :omprog:;RSYSLOG_TraditionalFileFormat[/code:3oy02dlr]
and it's now working the way I expect. Thank you. I appreciate the tip.
I need to increase reading comprehension; while I had tried a lower case
ssh, from examples I saw on the net, I expected the '%' to be mandatory.
Any rate, thanks again. I appreciate it no end.
Doug O'Leary
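
The goal stated in the ssh_logger header (analyzing ssh messages for authorized access and reporting the rest), as an added example that is not the poster's code. It reads RSYSLOG_TraditionalFileFormat lines as omprog would deliver them; the allowlist, the report path, the `--selftest` switch and the sample lines are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example (not the poster's code): omprog consumer that reports
# sshd logins by accounts outside an allowlist.
use strict;
use warnings;

my %authorized = map { $_ => 1 } qw(doug deploy);   # hypothetical allowlist

# "Mon DD HH:MM:SS host sshd[pid]: Accepted <method> for <user> from <ip> port <n>"
my $accepted = qr/^(\w{3}\s+\d+\s[\d:]{8})\s(\S+)\ssshd\[\d+\]:\s
                  Accepted\s(\S+)\sfor\s(\S+)\sfrom\s(\S+)\sport\s\d+/x;

# Returns a report string for a login by a non-allowlisted user, else undef.
sub check_line {
    my ($line) = @_;
    return unless $line =~ $accepted;
    my ($ts, $host, $method, $user, $ip) = ($1, $2, $3, $4, $5);
    return if $authorized{$user};
    return "UNAUTHORIZED ssh login: user=$user from=$ip method=$method host=$host at=$ts";
}

# Reads lines from $in and writes one report line per finding to $out.
sub run {
    my ($in, $out) = @_;
    my $old = select($out); $| = 1; select($old);   # unbuffered reports
    while (my $line = <$in>) {
        chomp $line;
        my $report = check_line($line);
        print {$out} "$report\n" if defined $report;
    }
}

if (@ARGV && $ARGV[0] eq '--selftest') {
    # Constructed sample input, not real log data.
    my $sample = join "\n",
        'Apr  2 19:41:05 host1 sshd[2101]: Accepted publickey for doug from 192.0.2.10 port 51234 ssh2',
        'Apr  2 19:42:17 host1 sshd[2140]: Accepted password for root from 198.51.100.7 port 40022 ssh2',
        'Apr  2 19:43:00 host1 sshd[2155]: Failed password for invalid user bob from 203.0.113.5 port 4000 ssh2';
    open(my $in, '<', \$sample) or die "in-memory open failed - ($!)";
    run($in, \*STDOUT);            # prints only the root login
} else {
    my $path = '/tmp/ssh_logger.report';   # hypothetical report file
    open(my $out, '>>', $path) or die "Can't open $path - ($!)";
    run(\*STDIN, $out);            # normal omprog mode: rsyslog feeds STDIN
}
```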