Hello, I'm trying to extract the audit _tag_ from audit logs, but for this I need something to catch everything from some point in the message until the end.

Sample messages from audit:

node=machine.company type=SYSCALL msg=audit(1407187547.954:6830671): arch=c000003e syscall=263 success=yes exit=0 a0=ffffffffffffff9c a1=92c0c0 a2=0 a3=20 items=2 ppid=13686 pid=13712 auid=1361081601 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=140430 comm="rm" exe="/bin/rm" subj=unconfined_u:system_r:initrc_t:s0 key="delete"
node=machine.company type=CWD msg=audit(1407187547.954:6830671): cwd="/opt/oswatcher"
node=machine.company type=PATH msg=audit(1407187547.954:6830671): item=0 name="tmp/" inode=655755 dev=fd:00 mode=040755 ouid=501 ogid=501 rdev=00:00 obj=unconfined_u:object_r:usr_t:s0 nametype=PARENT
node=machine.company type=EOE msg=audit(1407187547.954:6830671):

The rule I'm trying to use:

prefix=
rule=: node=%hostname:word% type=%type:word% msg=audit(%unix_time:number%.%milisec:number%:%audittag:number%):%all:char-to:_some_end_of_message_%

Is this possible?

Best regards,
Cristian Falcas
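The point of pulling out the audit tag (the serial after the timestamp) is that auditd emits one event as several records (SYSCALL, CWD, PATH, EOE) sharing that serial, so the tag is the key for joining them back into a single event. liblognorm's legacy rule syntax has a `rest` parser type for "everything to end of message"; the Python below is an added example, not from the thread, that does the same parse with a regex, splits the remainder into key=value fields (quoted or bare), and regroups the four sample records from the post by audit tag. The helper names and the `describe_event` summary are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the four records quoted in the post, one per line.
SAMPLE_LINES = [
    'node=machine.company type=SYSCALL msg=audit(1407187547.954:6830671): arch=c000003e '
    'syscall=263 success=yes exit=0 a0=ffffffffffffff9c a1=92c0c0 a2=0 a3=20 items=2 '
    'ppid=13686 pid=13712 auid=1361081601 uid=501 gid=501 euid=501 suid=501 fsuid=501 '
    'egid=501 sgid=501 fsgid=501 tty=(none) ses=140430 comm="rm" exe="/bin/rm" '
    'subj=unconfined_u:system_r:initrc_t:s0 key="delete"',
    'node=machine.company type=CWD msg=audit(1407187547.954:6830671): cwd="/opt/oswatcher"',
    'node=machine.company type=PATH msg=audit(1407187547.954:6830671): item=0 name="tmp/" '
    'inode=655755 dev=fd:00 mode=040755 ouid=501 ogid=501 rdev=00:00 '
    'obj=unconfined_u:object_r:usr_t:s0 nametype=PARENT',
    'node=machine.company type=EOE msg=audit(1407187547.954:6830671): ',
]

# Header of every auditd record: node, type, then audit(<seconds>.<millis>:<serial>):
# followed by the remainder of the message, which is captured whole ("rest").
HEADER_RE = re.compile(
    r'^node=(?P<hostname>\S+) type=(?P<type>\S+) '
    r'msg=audit\((?P<unix_time>\d+)\.(?P<millisec>\d+):(?P<audittag>\d+)\):(?P<rest>.*)$'
)

# key=value pairs in the remainder; a value is either "quoted" (may contain spaces)
# or a bare token such as tty=(none) or subj=unconfined_u:system_r:initrc_t:s0.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv(text):
    """Split the remainder of a record into a dict of field -> value."""
    fields = {}
    for m in KV_RE.finditer(text):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def parse_record(line):
    """Parse one audit record; returns None if the line is not an audit record."""
    m = HEADER_RE.match(line)
    if m is None:
        return None
    return {
        'hostname': m.group('hostname'),
        'type': m.group('type'),
        'unix_time': int(m.group('unix_time')),
        'millisec': int(m.group('millisec')),
        'audittag': int(m.group('audittag')),
        'rest': m.group('rest'),
        'fields': parse_kv(m.group('rest')),
    }


def group_by_tag(lines):
    """Regroup records into events keyed by audit tag (serial), in arrival order."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events[rec['audittag']].append(rec)
    return dict(events)


def describe_event(records):
    """Summarise one multi-record event: who ran what, from where, touching which paths."""
    summary = {'exe': None, 'cwd': None, 'key': None, 'paths': []}
    for rec in records:
        f = rec['fields']
        if rec['type'] == 'SYSCALL':
            summary['exe'] = f.get('exe')
            summary['key'] = f.get('key')
        elif rec['type'] == 'CWD':
            summary['cwd'] = f.get('cwd')
        elif rec['type'] == 'PATH' and 'name' in f:
            summary['paths'].append(f['name'])
    return summary


if __name__ == '__main__':
    for tag, recs in group_by_tag(SAMPLE_LINES).items():
        print(tag, [r['type'] for r in recs], describe_event(recs))
```

The regex deliberately captures the remainder as one group before splitting it, so a record type with an unusual body still yields its header fields and a raw `rest` string rather than failing the whole line; the empty-bodied EOE record parses to an empty field dict.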

