On 2007-08-27, Rainer Gerhards <[EMAIL PROTECTED]> wrote:
> Can you let us know which strings it is set to? That would definitely
> help troubleshooting (one lab less to do ;)).

Not sure what you're asking.. I have this rsyslog.conf entry:

        $template PerAppLogs,"/var/log/rsyslog/apps/%programname%.log"
        *.* -?PerAppLogs

which produces two log files "1.4.1.log" and "message.log" containing

        Aug 27 21:58:01 syslogd 1.4.1: restart.
        Aug 27 21:58:01 syslogd 1.4.1: restart.
        Aug 27 21:58:01 syslogd 1.4.1: restart.

        Aug 27 22:02:48 last message repeated 12 times
        Aug 27 22:02:49 last message repeated 6 times
        Aug 27 22:02:49 last message repeated 92 times

respectively. I think that's all the information I have.. plus maybe also
say that the remote host logging this is likely RHEL3, RHEL4 or RHEL5
with sysklogd sending the logs over standard UDP (*.* @loghost).

Another thing that scared me a bit is that from the same template I
got a logfile named ".log" containing:

Aug 27 22:00:01 censored1.domain.mgmt /usr/bin/sudo djksjdks : TTY=unknown ; PWD=/home/djksjdks ; USER=root ; COMMAND=/sbin/iptables-save
Aug 27 22:00:01 censored2.domain.mgmt /usr/bin/sudo djksjdks : TTY=unknown ; PWD=/home/djksjdks ; USER=root ; COMMAND=/sbin/iptables-save
Aug 27 22:00:02 censored3.domain.mgmt /usr/bin/sudo djksjdks : TTY=unknown ; PWD=/home/djksjdks ; USER=root ; COMMAND=/sbin/iptables-save
Aug 27 22:00:17 censored4.domain.mgmt /usr/bin/sudo djksjdks : TTY=unknown ; PWD=/home/djksjdks ; USER=root ; COMMAND=/sbin/iptables-save
Aug 27 22:00:17 censored5.domain.mgmt /usr/bin/sudo djksjdks : TTY=unknown ; PWD=/home/djksjdks ; USER=root ; COMMAND=/sbin/iptables-save

which makes me think it tried to create the file /usr/bin/sudo.log..
Wonder if it might be possible to make rsyslogd overwrite /etc/passwd
with a sufficiently crafted %programname% string...


  -jf

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog

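The following is an added example written for this page, in Python; it is not rsyslog's code and not something the poster ran. It models how the programname property is carved out of a syslog TAG (rsyslog documents the BSD rule: the name ends at the first ':', '[' or '/'; that the 2007 release applied exactly that rule is an assumption, but it reproduces the three file names seen in the post, including the empty name behind ".log"), shows what the poster's template does with the result, and adds the check a practitioner would want in front of any property that ends up in a file name: refuse empty names, separators and anything that normalises outside the base directory. The sample log lines, host names and user names are constructed, and the `sanitize` replacement values are this example's own choice (the idea is the same as rsyslog's later `secpath-replace` property-replacer option).

```python
"""Added example (not rsyslog code): how %programname% is carved out of a
syslog message, what the poster's template turns it into, and a confinement
check for any property that ends up in a file name.
"""
import posixpath
import re

BASE_DIR = "/var/log/rsyslog/apps"   # from the poster's $template line

# Assumption: messages arrive in RFC 3164 shape with the PRI already stripped:
#   "Mmm dd hh:mm:ss HOST TAG... MSG"
_HEADER = re.compile(
    r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (?P<host>\S+) (?P<tag_and_msg>.*)$"
)

# Constructed samples mirroring the post: a sysklogd restart line (no hostname
# field, so the receiver takes "syslogd" as HOST and "1.4.1:" as TAG), a
# "last message repeated" line, and a sudo line whose TAG is an absolute path.
SAMPLES = [
    "Aug 27 21:58:01 syslogd 1.4.1: restart.",
    "Aug 27 22:02:48 last message repeated 12 times",
    "Aug 27 22:00:01 host1.example.mgmt /usr/bin/sudo jdoe : TTY=unknown ; "
    "PWD=/home/jdoe ; USER=root ; COMMAND=/sbin/iptables-save",
]


def programname(msg: str) -> str:
    """BSD-style programname: the TAG up to the first ':', '[', '/', space or
    non-printable character. A TAG that starts with '/' therefore yields ""
    (assumed rule, see lead-in)."""
    m = _HEADER.match(msg)
    if not m:
        return ""
    name = []
    for ch in m.group("tag_and_msg"):
        if ch in ":[/" or ch.isspace() or not ch.isprintable():
            break
        name.append(ch)
    return "".join(name)


def naive_logpath(name: str, base: str = BASE_DIR) -> str:
    """What "/var/log/rsyslog/apps/%programname%.log" does: plain string
    substitution with no validation, so "" becomes ".log"."""
    return f"{base}/{name}.log"


def is_confined(name: str, base: str = BASE_DIR) -> bool:
    """True only if base/<name>.log cannot leave base: non-empty, no path
    separator or NUL, and the normalised target still lies under base."""
    if not name or "/" in name or "\x00" in name:
        return False
    target = posixpath.normpath(posixpath.join(base, name + ".log"))
    return posixpath.commonpath([base, target]) == base


def sanitize(name: str) -> str:
    """Cleanup in the spirit of secpath-replace: separators become '_', an
    empty or dots-only name becomes 'unknown' (replacement values are this
    example's choice, not rsyslog's)."""
    cleaned = name.replace("/", "_").replace("\x00", "_")
    return cleaned if cleaned.strip(".") else "unknown"


def safe_logpath(name: str, base: str = BASE_DIR) -> str:
    """Build the per-app path, refusing anything not confined to base."""
    if not is_confined(name, base):
        raise ValueError(f"programname {name!r} is not safe for a file name")
    return posixpath.normpath(posixpath.join(base, name + ".log"))


def route(msg: str) -> str:
    """Full pipeline: extract, sanitize, confine, return the file path."""
    return safe_logpath(sanitize(programname(msg)))


if __name__ == "__main__":
    for line in SAMPLES:
        name = programname(line)
        print(f"{name!r:10} naive={naive_logpath(name)!r:38} safe={route(line)!r}")
```

Run as a script it prints, for the three constructed lines, the naive paths `.../1.4.1.log`, `.../message.log` and `.../.log` next to the confined ones, the last of which becomes `.../unknown.log`. The `is_confined` check is deliberately independent of how the name was extracted, so the same function can sit in front of `%hostname%` or `%syslogtag%` templates, which receive their values from the remote sender just as `%programname%` does.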