rsyslog-8.2.2

And I'm using liblognorm1-utils


On Tue, Aug 5, 2014 at 12:40 AM, David Lang <[email protected]> wrote:

> what version of rsyslog are you using? I know that there have been patches
> for dealing with this "recently" (within the last few months)
>
> David Lang
>
> On Tue, 5 Aug 2014, Cristian Falcas wrote:
>
>> Date: Tue, 5 Aug 2014 00:32:39 +0300
>> From: Cristian Falcas <[email protected]>
>> Reply-To: rsyslog-users <[email protected]>
>> To: rsyslog-users <[email protected]>
>> Subject: [rsyslog] lognorm rules and catch all until end of message
>>
>>
>> Hello,
>>
>> I'm trying to extract from audit logs the audit _tag_, but I need for this
>> something to catch everything from some point in the message until the
>> end.
>>
>> Sample messages from audit:
>>
>> node=machine.company type=SYSCALL msg=audit(1407187547.954:6830671): arch=c000003e syscall=263 success=yes exit=0 a0=ffffffffffffff9c a1=92c0c0 a2=0 a3=20 items=2 ppid=13686 pid=13712 auid=1361081601 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=140430 comm="rm" exe="/bin/rm" subj=unconfined_u:system_r:initrc_t:s0 key="delete"
>> node=machine.company type=CWD msg=audit(1407187547.954:6830671): cwd="/opt/oswatcher"
>> node=machine.company type=PATH msg=audit(1407187547.954:6830671): item=0 name="tmp/" inode=655755 dev=fd:00 mode=040755 ouid=501 ogid=501 rdev=00:00 obj=unconfined_u:object_r:usr_t:s0 nametype=PARENT
>> node=machine.company type=EOE msg=audit(1407187547.954:6830671):
>>
>> The rule I'm trying to use:
>>
>> prefix=
>> rule=: node=%hostname:word% type=%type:word% msg=audit(%unix_time:number%.%milisec:number%:%audittag:number%):%all:char-to:_some_end_of_message_%
>>
>> Is this possible?
>>
>> Best regards,
>> Cristian Falcas
>> _______________________________________________
>> rsyslog mailing list
>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>> http://www.rsyslog.com/professional-services/
>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>> DON'T LIKE THAT.
>>
>
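As an added illustration for the question in this thread (not code from the thread or from the rsyslog/liblognorm projects): the split the rule above is trying to express is "fixed header fields, then everything to the end of the message". In a liblognorm rulebase that last part is what the `rest` parser is for (`%all:rest%`), since `char-to` needs a terminating character that the audit records do not have. The Python below performs the same split with a regular expression over the sample audit records from the thread, then breaks the catch-all field into key=value pairs so the audit key (`key="delete"`) and the executable can be read per event. The regex, field names and helper functions are my own and are not liblognorm's API.

```python
import re
from collections import defaultdict
from typing import Optional

# Header part of the rule: node, type, and the audit(<unix_time>.<millisec>:<serial>)
# stamp, followed by a catch-all for the remainder of the message. The catch-all
# plays the role of liblognorm's "rest" parser. (Regex is my own, not liblognorm's.)
HEADER = re.compile(
    r"^node=(?P<hostname>\S+) type=(?P<type>\S+) "
    r"msg=audit\((?P<unix_time>\d+)\.(?P<millisec>\d+):(?P<audittag>\d+)\):"
    r"\s?(?P<all>.*)$"
)

# key=value tokens inside the remainder; values are either "double quoted" or bare.
KV = re.compile(r'(?P<key>\w+)=(?P<value>"[^"]*"|\S+)')

# Sample records, copied from the thread and re-joined into one line per record.
SAMPLE_LINES = [
    'node=machine.company type=SYSCALL msg=audit(1407187547.954:6830671): '
    'arch=c000003e syscall=263 success=yes exit=0 a0=ffffffffffffff9c a1=92c0c0 '
    'a2=0 a3=20 items=2 ppid=13686 pid=13712 auid=1361081601 uid=501 gid=501 '
    'euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) '
    'ses=140430 comm="rm" exe="/bin/rm" subj=unconfined_u:system_r:initrc_t:s0 '
    'key="delete"',
    'node=machine.company type=CWD msg=audit(1407187547.954:6830671): '
    'cwd="/opt/oswatcher"',
    'node=machine.company type=PATH msg=audit(1407187547.954:6830671): item=0 '
    'name="tmp/" inode=655755 dev=fd:00 mode=040755 ouid=501 ogid=501 rdev=00:00 '
    'obj=unconfined_u:object_r:usr_t:s0 nametype=PARENT',
    'node=machine.company type=EOE msg=audit(1407187547.954:6830671):',
]


def normalize(line: str) -> Optional[dict]:
    """Parse one audit record: header fields plus the catch-all, with the
    catch-all additionally split into a key=value dict under 'fields'.
    Returns None for lines that do not match the header (unlike a rulebase,
    which would hand them on to other rules)."""
    m = HEADER.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # The EOE record has an empty remainder, so 'fields' is simply {} there.
    rec["fields"] = {k: v.strip('"') for k, v in KV.findall(rec["all"])}
    return rec


def group_by_tag(lines) -> dict:
    """Group records by audit serial (audittag) so that the SYSCALL, CWD, PATH
    and EOE records of one event can be examined together."""
    events = defaultdict(list)
    for line in lines:
        rec = normalize(line)
        if rec is not None:
            events[rec["audittag"]].append(rec)
    return dict(events)


def audit_keys(events: dict) -> dict:
    """Map audittag -> the audit rule key (key=...) found on the event's SYSCALL record."""
    out = {}
    for tag, recs in events.items():
        for rec in recs:
            if rec["type"] == "SYSCALL" and "key" in rec["fields"]:
                out[tag] = rec["fields"]["key"]
    return out


if __name__ == "__main__":
    events = group_by_tag(SAMPLE_LINES)
    for tag, recs in events.items():
        print(tag, [r["type"] for r in recs])
    print(audit_keys(events))
```

The grouping step matters for the use case in the question: the key that tells you which audit rule fired lives only on the SYSCALL record, while the path and working directory live on sibling records sharing the same serial, so once the tag is a field of its own the records of one event can be joined back together downstream.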
