On Thu, Jun 13, 2013 at 8:10 PM, David Lang <[email protected]> wrote:

> Ok, so the problem is with trying to do the regex match in the if
> statement.
>
> Rainer may need to look at this. Unfortunately the new syntax was added
> during the 6.x series, so it's very possible that this syntax just doesn't
> work. The documentation that ships with that version will say what's
> available for that version. Check that documentation to see what it lists
> for RainerScript functions.
>
>
That's definitely the way to go, but IIRC this type of regex support
(with the right syntax!) was only added recently, sometime in 7.3. In any
case, upgrading to 7.4 is the best thing to do.


> The other approach is to make a multi-level conditional and use the older
> style regex
>
> :msg, regex, 'COMMAND=/bin/.*sh' {
>   if $programname == 'sudo' and $msg contains 'USER=root' then /my/logdirectory/logging/rootshell
> }
>
>
Yup, should work.

Rainer

> David Lang
>
> On Thu, 13 Jun 2013, Mathew Wilson wrote:
>
>> Hi, David-
>>
>> I confirmed that this is the problem line, by commenting it out. I made
>> the change you suggested, but am still receiving the same error.
>>
>> Thanks,
>>
>> -Mat
>> ________________________________
>>
>> Mat Wilson
>> Software Infrastructure Support Engineer
>> Infrastructure Implementation & QA
>> UC Irvine
>>
>> ________________________________________
>> From: rsyslog-bounces@lists.adiscon.com on behalf of David Lang [[email protected]]
>> Sent: Wednesday, June 12, 2013 5:34 PM
>> To: rsyslog-users
>> Subject: Re: [rsyslog] 6.2.0 Configuration issues
>>
>> Hmm, looking at the filtering documentation, I'm not seeing the eregex
>> syntax you are trying to use. Instead I'm seeing:
>>
>> re_match(expr, re) - returns 1, if expr matches re, 0 otherwise
>>
>> so I think what you are trying to do would be:
>>
>> if $programname == 'sudo' and $msg contains 'USER=root' and
>> re_match($msg,'COMMAND=/bin/.*sh') then /my/logdirectory/logging/rootshell
>>
>> David Lang
>>
>> On Wed, 12 Jun 2013, David Lang wrote:
>>
>>> Date: Wed, 12 Jun 2013 17:22:58 -0700 (PDT)
>>> From: David Lang <[email protected]>
>>> Reply-To: rsyslog-users <[email protected]>
>>> To: rsyslog-users <[email protected]>
>>> Subject: Re: [rsyslog] 6.2.0 Configuration issues
>>>
>>> Just a quick check: try removing the entire eregex section, just to make
>>> sure that our problem is in that clause.
>>>
>>> i.e. change it to:
>>>
>>> if $programname == 'sudo' and $msg contains 'USER=root' then /my/logdirectory/logging/rootshell
>>>
>>> before we spend too much time on this, let's make sure we are working the
>>> right problem.
>>>
>>> David Lang
>>>
>>> On Thu, 13 Jun 2013, Mathew Wilson wrote:
>>>
>>>> Date: Thu, 13 Jun 2013 00:53:54 +0000
>>>> From: Mathew Wilson <[email protected]>
>>>> Reply-To: rsyslog-users <[email protected]>
>>>> To: rsyslog-users <[email protected]>
>>>> Subject: Re: [rsyslog] 6.2.0 Configuration issues
>>>>
>>>> Hi, David- I tried that, but I unfortunately received the same error
>>>> message. Thanks for the suggestion, though!
>>>> ________________________________
>>>>
>>>> Mat Wilson
>>>> Software Infrastructure Support Engineer
>>>> Infrastructure Implementation & QA
>>>> UC Irvine
>>>>
>>>> ________________________________________
>>>> From: rsyslog-bounces@lists.adiscon.com on behalf of David Lang [[email protected]]
>>>> Sent: Wednesday, June 12, 2013 4:04 PM
>>>> To: rsyslog-users
>>>> Subject: Re: [rsyslog] 6.2.0 Configuration issues
>>>>
>>>> On Wed, 12 Jun 2013, Mathew David Wilson wrote:
>>>>
>>>>> Hello, all-
>>>>>
>>>>> The folks at the IRC channel on freenode referred me here. Can anyone
>>>>> tell me what is wrong with my config file? Nothing is getting logged,
>>>>> and rsyslog is throwing an error. Before anyone suggests it, I can't
>>>>> deviate from the version in the Solaris repositories; otherwise I would
>>>>> do 7.4.
>>>>>
>>>>> The error:
>>>>> rsyslogd: syntax error in expression [try http://www.rsyslog.com/e/2051 ]
>>>>> rsyslogd: the last error occured in /etc/rsyslog.conf, line 16:"if $programname == 'sudo' and $msg contains 'USER=root' and $msg eregex "COMMAND=/bin/.*sh" then /adm/tmp/mdwilson-workspace/logging/rootshell"
>>>>> rsyslogd: warning: selector line without actions will be discarded
>>>>> rsyslogd: CONFIG ERROR: could not interpret master config file '/etc/rsyslog.conf'. [try http://www.rsyslog.com/e/2124 ]
>>>>>
>>>>> The config file:
>>>>>
>>>>>   ##Global Directives
>>>>>   $MaxMessageSize 8192
>>>>>   $MainMsgQueueDiscardMark 200
>>>>>   $MainMsgQueueDequeueBatchSize 0
>>>>>
>>>>>   ##Load UDP and Solaris Logging modules
>>>>>   $ModLoad imudp
>>>>>   $ModLoad imsolaris
>>>>>
>>>>>   ##Start UDP Logging for log4j
>>>>>   $UDPServerAddress 127.0.0.1
>>>>>   $UDPServerRun 514
>>>>>
>>>>>   if $programname == 'sudo' and $msg contains 'USER=root' then /my/logdirectory/logging/allroot
>>>>>
>>>>>   if $programname == 'sudo' and $msg contains 'USER=root' and $msg eregex "COMMAND=/bin/.*sh" then /my/logdirectory/logging/rootshell
>>>>>
>>>>>   if $programname == 'httpd' and $syslogfacility-text == 'local7' then /my/logdirectory/logging/apache
>>>>>
>>>>>   local5.*    /my/logdirectory/logging/local5
>>>>>   *.*     /my/logdirectory/logging/all
>>>>>   *.*     /my/logdirectory/logging/all2
>>>>>
>>>>>
>>>>> Config paste included for readability:
>>>>> http://pastebin.com/P9P6BMSR
>>>>>
>>>>> Thanks!
>>>>>
>>>>
>>>> That version is picky about ' vs ". Try changing the " in that line to '
>>>> and see if you keep getting the error.
>>>>
>>>> David Lang
>>>> _______________________________________________
>>>> rsyslog mailing list
>>>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>>>> http://www.rsyslog.com/professional-services/
>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
>>>> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
>>>> LIKE THAT.
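As an added example (not code from this thread, from rsyslog, or from any of the posters), here is a small Python model of the two sudo rules being discussed, run over constructed RFC 3164-style sample lines. It mirrors `$programname == 'sudo' and $msg contains 'USER=root' and re_match($msg, 'COMMAND=/bin/.*sh')` with Python's `re.search`, and makes visible one caveat worth checking before relying on the rule: the pattern from the thread is unanchored on the right, so `COMMAND=/bin/ssh` also lands in the rootshell log. A tighter alternative pattern is shown alongside; it is my suggestion, not something from the thread. Host names, user names and the sample messages are all constructed.

```python
import re

# Constructed sample syslog lines in RFC 3164 style (not taken from the thread).
# The sudo messages follow the usual "user : TTY=... ; PWD=... ; USER=... ; COMMAND=..." layout.
SAMPLE_LINES = [
    "Jun 13 20:10:01 host1 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash",
    "Jun 13 20:10:02 host1 sudo:   bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/ls -la /root",
    "Jun 13 20:10:03 host1 sudo:   carol : TTY=pts/2 ; PWD=/home/carol ; USER=postgres ; COMMAND=/bin/sh",
    "Jun 13 20:10:04 host1 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 5555 ssh2",
    "Jun 13 20:10:05 host1 sudo:   dave : TTY=pts/3 ; PWD=/home/dave ; USER=root ; COMMAND=/bin/ssh backup@10.0.0.9",
]

# Minimal RFC 3164 splitter: timestamp, host, tag (what rsyslog exposes as $programname),
# an optional [pid], then the message body ($msg).
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>[^:\[ ]+)(?:\[\d+\])?: ?(?P<msg>.*)$"
)

# The pattern from the thread, as it would be passed to re_match(): unanchored on the right.
THREAD_PATTERN = r"COMMAND=/bin/.*sh"
# Tighter alternative (my assumption, not from the thread): an explicit shell list followed by
# whitespace or end of line, so /bin/ssh and /bin/shred no longer qualify.
TIGHT_PATTERN = r"COMMAND=/bin/(ba|da|z|k|c|tc)?sh(\s|$)"


def parse(line):
    """Return {'programname', 'msg'} for a syslog line, or None if it does not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return {"programname": m.group("tag"), "msg": m.group("msg")}


def sudo_as_root(rec):
    """Equivalent of: $programname == 'sudo' and $msg contains 'USER=root'."""
    return rec["programname"] == "sudo" and "USER=root" in rec["msg"]


def root_shell(rec, pattern):
    """Equivalent of the first clause plus re_match($msg, pattern); re.search is unanchored like re_match()."""
    return sudo_as_root(rec) and re.search(pattern, rec["msg"]) is not None


def route(lines, pattern=THREAD_PATTERN):
    """Split lines the way the two rsyslog rules would: into the allroot and rootshell logs."""
    allroot, rootshell = [], []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # non-RFC 3164 input; rsyslog would still log it elsewhere via *.*
        if sudo_as_root(rec):
            allroot.append(line)
        if root_shell(rec, pattern):
            rootshell.append(line)
    return allroot, rootshell


if __name__ == "__main__":
    for name, pat in (("thread pattern", THREAD_PATTERN), ("tight pattern", TIGHT_PATTERN)):
        allroot, rootshell = route(SAMPLE_LINES, pat)
        print(f"{name}: {len(allroot)} allroot, {len(rootshell)} rootshell")
        for entry in rootshell:
            print("  rootshell:", entry)
```

With the thread's pattern the rootshell list contains both the `/bin/bash` line and the `/bin/ssh` line; with the tighter pattern only the `/bin/bash` line remains, while the allroot list is the same three sudo-as-root lines either way. The same check is easy to repeat against real sudo output before the rule goes into production.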