Friday, May 13, 2011

i like to see what others type + syslog-ng

Once you've gone through the trouble of patching bash to send output to local5, you might find that you're not using syslog, as assumed in a previous post. Instead, you're using syslog-ng. That's cool.

In your syslog-ng.conf file, you'll need to edit some stanzas, filters and destinations.

Set a destination for local5 (the bash output), if you want it to go to a file, and a filter that matches that facility:

# bash destination
destination d_local5 { file("/var/log/local5"); };

# bash filter
filter f_local5 { facility(local5); };

Then, in the stock f_messages filter, add local5 to the facility list on the "and not facility(...)" line, leaving the rest of the filter as it is, so the bash output doesn't also end up in /var/log/messages:

filter f_messages {
            and not facility(auth,authpriv,cron,daemon,mail,news,local5);

and finally, add a log stanza that ties source, filter and destination together (s_all is the source name from the config, the same one that shows up in the sample output below):

# local5
log { source(s_all); filter(f_local5); destination(d_local5); };
If you have a remote syslog daemon or logger such as loggly or splunk set up, add their destination definitions to the "local5" log stanza as well, e.g. (fill in the host and port your service gave you):

# loggly
destination d_loggly { tcp("" port(XXXXXX)); };

# local5
log { source(s_all); filter(f_local5); destination(d_local5); destination(d_loggly); };

On loggly (if you've allowed the destination in your remote device list) or splunk, you should see something akin to:
2011 May 13 16:09:19.000 s_all@host1 bash-ub610: history: [pid:5379 uid:0] exit
2011 May 13 16:09:50.000 s_all@host1 bash-ub610: history: [pid:5584 uid:0] ls -la
2011 May 13 16:09:52.000 s_all@host1 bash-ub610: history: [pid:5584 uid:0] cd /opt/
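Once the lines are on a collector, the useful next step is to pull the pid, uid and command out of the "history:" records and read them back as sessions. The following parser is an added example, not code from the original post; it assumes the line shape shown above (timestamp, source@host, program, then "history: [pid:N uid:N] command") and runs over a few constructed sample lines, including one non-bash line to show that unrelated records are skipped.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape the post shows for loggly/splunk.
# The uid:1000 session and the cron line are made up for illustration.
SAMPLE_LINES = [
    "2011 May 13 16:09:19.000 s_all@host1 bash-ub610: history: [pid:5379 uid:0] exit",
    "2011 May 13 16:09:50.000 s_all@host1 bash-ub610: history: [pid:5584 uid:0] ls -la",
    "2011 May 13 16:09:52.000 s_all@host1 bash-ub610: history: [pid:5584 uid:0] cd /opt/",
    "2011 May 13 16:10:05.000 s_all@host1 bash-ub610: history: [pid:5601 uid:1000] cat notes.txt",
    "2011 May 13 16:10:09.000 s_all@host1 cron[123]: (root) CMD (run-parts /etc/cron.hourly)",
]

# Field layout assumed from the sample output: "<ts> <source>@<host> <program>: history: [pid:N uid:N] <cmd>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<source>\S+)@(?P<host>\S+) "
    r"(?P<program>[^:]+): history: "
    r"\[pid:(?P<pid>\d+) uid:(?P<uid>\d+)\] "
    r"(?P<command>.*)$"
)


def parse_line(line):
    """Return a dict of fields for a bash-history line, or None for any other record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["uid"] = int(rec["uid"])
    return rec


def sessions_by_pid(lines):
    """Group commands by (host, pid) so each shell session reads as one ordered list."""
    sessions = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not a history record (cron, sshd, ...)
        sessions[(rec["host"], rec["pid"])].append(rec["command"])
    return dict(sessions)


def root_commands(lines):
    """Commands recorded with uid 0, the ones a reviewer usually wants to read first."""
    return [r["command"] for r in map(parse_line, lines) if r and r["uid"] == 0]


if __name__ == "__main__":
    for (host, pid), cmds in sessions_by_pid(SAMPLE_LINES).items():
        print(f"{host} pid {pid}: {cmds}")
    print("run as root:", root_commands(SAMPLE_LINES))
```

Grouping on (host, pid) rather than on uid alone is deliberate: the pid is the shell process, so two root shells on the same box stay separate, which is what you want when trying to work out who typed what.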
If a host is still on plain syslog or rsyslog rather than syslog-ng, the equivalent is a single line in /etc/syslog.conf or /etc/rsyslog.d/50-default.conf, forwarding auth and local5 to the collector:
auth,authpriv.*;local5.*        @syslogserver