[rsyslog-notify] Forum Thread: Re: pmaixforwardedfrom configuration - (Mode 'reply')
noreply at adiscon.com
Tue Oct 21 01:43:56 CEST 2014
User: xdaxdb
Forumlink: http://kb.monitorware.com/viewtopic.php?p=25030#p25030
Message:
----------
It seems to be working now that I added the other parsers. I forget why I
took those away at one point.
But I am getting undesirable output. Do you think it's a problem with the
config or with the parser itself? I'll post the output first, then the
config.
[code:3r2p1wq8]2014-10-20T16:36:15-07:00 <hostname> last message repeated 4 times
2014-10-20T16:36:16-07:00 <hostname> bootpd[4849814]: -a
2014-10-20T16:36:17-07:00 <hostname> bootpd[4849814]: eated 4 times
2014-10-20T16:36:17-07:00 <hostname> bootpd[4849814]: received short packet
2014-10-20T16:36:18-07:00 <hostname> bootpd[4849814]: eated 4 times
2014-10-20T16:29:53-07:00 <hostname> syslog: ssh: failed login attempt for UNKNOWN_USER from xxx.xxx.xxx
2014-10-20T16:29:53-07:00 <hostname> sshd[4980852]: epeated 4 times
2014-10-20T16:29:53-07:00 <hostname> syslog: ssage repeated 4 times
2014-10-20T16:29:53-07:00 <hostname> sshd[12451870]: peated 4 times
2014-10-20T16:36:20-07:00 <hostname> bootpd[4849814]: eated 4 times
2014-10-20T16:36:20-07:00 <hostname> bootpd[4849814]: received short packet
2014-10-20T16:36:21-07:00 <hostname> bootpd[4849814]: eated 4 times
2014-10-20T16:36:22-07:00 <hostname> bootpd[4849814]: eated 4 times
2014-10-20T16:36:24-07:00 <hostname> bootpd[4849814]: received short packet
2014-10-20T16:36:36-07:00 <hostname> syslog: /usr/sbin/ifconfig en0
2014-10-20T16:36:36-07:00 <hostname> syslog: /usr/sbin/ifconfig lo0
2014-10-20T16:30:08-07:00 <hostname> sshd[4980852]: bin/ifconfig lo0
2014-10-20T16:30:08-07:00 <hostname> sshd[12451870]: in/ifconfig lo0[/code:3r2p1wq8]
Config:
[code:3r2p1wq8]$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
#$ModLoad immark # provides --MARK-- message capability
$ModLoad imudp
$ModLoad omruleset
$ModLoad pmaixforwardedfrom
$Ruleset AIX
$RulesetCreateMainQueue on
$RulesetParser rsyslog.aixforwardedfrom
$rulesetparser rsyslog.rfc5424
$rulesetparser rsyslog.rfc3164
$ActionOmrulesetRulesetName RSYSLOG_DefaultRuleset
*.* :omruleset:
# switch back to default ruleset
$Ruleset RSYSLOG_DefaultRuleset
#### RULES ####
$InputUDPServerBindRuleset AIX
$UDPServerRun 514
$InputUDPServerBindRuleset AIX
$UDPServerRun 10514
[/code:3r2p1wq8]