Ok, so the problem is with trying to do the regex match in the if statement.

Rainer may need to look at this. Unfortunately the new syntax was added during the 6.x series, so it's very possible that this syntax just doesn't work. The documentation that ships with that version will say what's available for that version. Check that documentation to see what it lists for rainerscript functions.

The other approach is to make a multi-level conditional and use the older style regex

:msg, regex, 'COMMAND=/bin/.*sh' {
  if $programname == 'sudo' and $msg contains 'USER=root' then 
/my/logdirectory/logging/rootshell
}

David Lang
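The filter David sketches above (re_match($msg, 'COMMAND=/bin/.*sh') gated on $programname == 'sudo' and a USER=root substring), replayed in Python over constructed sudo lines. This is an added example, not code from the list or from rsyslog; the line parser only approximates how rsyslog splits $programname and $msg, and the stricter shell pattern is my own suggestion, not something from the thread.

```python
import re

# Constructed sample lines (hypothetical host and user names) in the shape
# syslog delivers them; not taken from the thread.
SAMPLE_LINES = [
    "Jun 13 00:53:54 host1 sudo: mat : TTY=pts/0 ; PWD=/home/mat ; USER=root ; COMMAND=/bin/bash",
    "Jun 13 00:54:10 host1 sudo: mat : TTY=pts/0 ; PWD=/home/mat ; USER=root ; COMMAND=/usr/bin/id",
    "Jun 13 00:55:02 host1 sudo: mat : TTY=pts/0 ; PWD=/home/mat ; USER=postgres ; COMMAND=/bin/sh",
    "Jun 13 00:56:30 host1 sshd[123]: Accepted publickey for mat from 10.0.0.5 port 5000 ssh2",
    "Jun 13 00:57:01 host1 sudo: mat : TTY=pts/0 ; PWD=/home/mat ; USER=root ; COMMAND=/bin/ssh backup@host2",
]

# Rough equivalent of how rsyslog splits a line into $programname and $msg
# (approximation for the demo, not rsyslog's actual parser).
SYSLOG_RE = re.compile(
    r"^\S+\s+\d+\s+[\d:]+\s+\S+\s+(?P<prog>[^:\[\s]+)(?:\[\d+\])?:\s(?P<msg>.*)$"
)

# The pattern from the thread as re_match() would see it: unanchored, so it
# also fires on /bin/ssh or any /bin/ path that merely ends in "sh".
LOOSE_SHELL_RE = re.compile(r"COMMAND=/bin/.*sh")
# Stricter alternative (my assumption): explicit shell names, terminated by
# whitespace or end of line.
STRICT_SHELL_RE = re.compile(r"COMMAND=/bin/(sh|bash|dash|ksh|zsh|csh|tcsh)(\s|$)")

def parse(line):
    """Return (programname, msg), or (None, None) if the line is not syslog-shaped."""
    m = SYSLOG_RE.match(line)
    return (m.group("prog"), m.group("msg")) if m else (None, None)

def route(line, shell_re=LOOSE_SHELL_RE):
    """Destinations the thread's two rules would select: 'allroot' for any
    sudo-to-root line, plus 'rootshell' when COMMAND looks like a shell."""
    prog, msg = parse(line)
    dests = []
    if prog == "sudo" and msg is not None and "USER=root" in msg:
        dests.append("allroot")
        if shell_re.search(msg):
            dests.append("rootshell")
    return dests

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(route(line), "|", route(line, STRICT_SHELL_RE), "|", line)
```

The last sample line shows the difference between the two patterns: the loose one sends a sudo'd /bin/ssh to the rootshell file, the strict one does not.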

On Thu, 13 Jun 2013, Mathew Wilson wrote:

Hi, David-

I confirmed that this is the problem line, by commenting it out. I made the 
change you suggested, but am still receiving the same error.

Thanks,

-Mat
________________________________

Mat Wilson
Software Infrastructure Support Engineer
Infrastructure Implementation & QA
UC Irvine

________________________________________
From: [email protected] [[email protected]] on 
behalf of David Lang [[email protected]]
Sent: Wednesday, June 12, 2013 5:34 PM
To: rsyslog-users
Subject: Re: [rsyslog] 6.2.0 Configuration issues

hmm, looking at the filtering documentation, I'm not seeing the eregex syntax
you are trying to use. Instead I'm seeing:

re_match(expr, re) - returns 1, if expr matches re, 0 otherwise

so I think what you are trying to do would be:

if $programname == 'sudo' and $msg contains 'USER=root' and 
re_match($msg,'COMMAND=/bin/.*sh') then /my/logdirectory/logging/rootshell

David Lang

On Wed, 12 Jun 2013, David Lang wrote:

Date: Wed, 12 Jun 2013 17:22:58 -0700 (PDT)
From: David Lang <[email protected]>
Reply-To: rsyslog-users <[email protected]>
To: rsyslog-users <[email protected]>
Subject: Re: [rsyslog] 6.2.0 Configuration issues

just a quick check, try removing the entire eregex section just to make sure
that our problem is in that clause

i.e. change it to:

if $programname == 'sudo' and $msg contains 'USER=root' then
/my/logdirectory/logging/rootshell

before we spend too much time on this, let's make sure we are working the
right problem.

David Lang

On Thu, 13 Jun 2013, Mathew Wilson wrote:

Date: Thu, 13 Jun 2013 00:53:54 +0000
From: Mathew Wilson <[email protected]>
Reply-To: rsyslog-users <[email protected]>
To: rsyslog-users <[email protected]>
Subject: Re: [rsyslog] 6.2.0 Configuration issues

Hi, David- I tried that, but I unfortunately received the same error
message. Thanks for the suggestion, though!
________________________________

Mat Wilson
Software Infrastructure Support Engineer
Infrastructure Implementation & QA
UC Irvine

________________________________________
From: [email protected] [[email protected]]
on behalf of David Lang [[email protected]]
Sent: Wednesday, June 12, 2013 4:04 PM
To: rsyslog-users
Subject: Re: [rsyslog] 6.2.0 Configuration issues

On Wed, 12 Jun 2013, Mathew David Wilson wrote:

Hello, all-

The folks at the IRC channel on freenode referred me here. Can anyone tell
me what is wrong with my config file? Nothing is getting logged, and
rsyslog is throwing an error. Before anyone suggests it, I can't deviate
from the version in the Solaris repositories- otherwise I would do 7.4 .

The error:
rsyslogd: syntax error in expression [try http://www.rsyslog.com/e/2051 ]
rsyslogd: the last error occured in /etc/rsyslog.conf, line 16:"if
$programname == 'sudo' and $msg contains 'USER=root' and $msg eregex
"COMMAND=/bin/.*sh" then /adm/tmp/mdwilson-workspace/logging/rootshell"
rsyslogd: warning: selector line without actions will be discarded
rsyslogd: CONFIG ERROR: could not interpret master config file
'/etc/rsyslog.conf'. [try http://www.rsyslog.com/e/2124 ]

The config file:

  ##Global Directives
  $MaxMessageSize 8192
  $MainMsgQueueDiscardMark 200
  $MainMsgQueueDequeueBatchSize 0

  ##Load UDP and Solaris Logging modules
  $ModLoad imudp
  $ModLoad imsolaris

  ##Start UDP Logging for log4j
  $UDPServerAddress 127.0.0.1
  $UDPServerRun 514

  if $programname == 'sudo' and $msg contains 'USER=root' then /my/logdirectory/logging/allroot

  if $programname == 'sudo' and $msg contains 'USER=root' and $msg eregex
  "COMMAND=/bin/.*sh" then /my/logdirectory/logging/rootshell

  if $programname == 'httpd' and $syslogfacility-text == 'local7' then /my/logdirectory/logging/apache

  local5.*    /my/logdirectory/logging/local5
  *.*     /my/logdirectory/logging/all
  *.*     /my/logdirectory/logging/all2


Config paste included for readability.
http://pastebin.com/P9P6BMSR

Thanks!

That version is picky about ' vs ". Try changing the " in that line to ' and see
if you keep getting the error.

David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
LIKE THAT.