On Wed, 27 Jul 2016, lai wrote:

Well...internal-sftp comes with ssh and socket device /dev/log isn't
necessary when writing to MySQL via module ommysql...

/dev/log is how messages get to rsyslog, if they don't get to rsyslog, ommysql can't possibly do anything.

it sounds as if you have ommysql configured and working, you are getting some logs there, you just aren't getting the logs involving chroot stuff, right?

so if this is the case, stop obsessing over ommysql and instead we need to look at your ssh server and the internal-sftp program and what logging options they provide.

David Lang

I think it's time to write a script to take care of this
myself...bummer...ommysql had looked promising...thx!

Tim

On Wed, July 27, 2016 1:47 pm, David Lang wrote:
On Wed, 27 Jul 2016, lai wrote:


Hi, David:


It's supposed to be a simple sftp server. The sftp server allows user
uploads, and all sftp users are jailed in the chroot dir by having
these lines in the sshd_config file...

Match group sftp
X11Forwarding no
AllowTcpForwarding no
ChrootDirectory /home/%u
ForceCommand internal-sftp -f LOCAL3 -l INFO


Now, in rsyslog.conf, we tell syslog to write all local3 to the mysql
db...

$ModLoad /lib64/rsyslog/ommysql.so
local3.* :ommysql:db_server,db_name,user_name,passwd

So, for users not in group sftp, sftp sessions were successfully logged in
the DB, but sftp group users (jailed) were not...


I think I may just have to tail the log file and pipe the info in the
database using my own script...I guess I was hoping to keep things
simple...but just not a lot of info I can find on ommysql...

your problem has nothing to do with ommysql

your problem has to do with your ssh server.

you need to find out where it is writing its logs and why it's not
writing them to /dev/log. the user logins are handled by the sshd server
that's not running in the chroot, so it should write to /dev/log.

now, you invoke the command internal-sftp, but I have no idea what that
is or how it works. is it something you wrote?

David Lang


Thx for all your help!


Tim



On Wed, July 27, 2016 1:09 pm, David Lang wrote:

why is a chroot involved with rsyslog or the database? are you
running a second copy of rsyslog inside the chroot?

David Lang



On Wed, 27 Jul 2016, lai wrote:



Date: Wed, 27 Jul 2016 12:25:52 -0600
From: lai <[email protected]>
Reply-To: rsyslog-users <[email protected]>
To: rsyslog-users <[email protected]>
Subject: Re: [rsyslog] Writing rsyslog message to MySQL in Changeroot Environment



Ah...so I now have mysql client working in the chroot environment
and the chroot user was able to connect to the db using the mysql
client, and I also have rsyslog lib inside of it as well...still no
deal as far as logging to mysql DB with the chroot user...

The doc on ommysql has very limited info...would the creator of it
please chime in on this issue? Or anyone who had done this before.

Please...please...please...thx so much!



Tim



On Tue, July 26, 2016 4:06 pm, Thomas Deutschmann wrote:






Hi,




are you familiar with running programs in a chroot environment? I.e.
you know that you have to provide each SO (library) used by the
program you will be running chrooted?

First I would check that the "mysql" program works in that
environment. I.e. become the user which will run rsyslogd later
and chroot into that environment and try to connect to your
desired mysqld server using the same connection (socket or TCP/IP)
and credentials your rsyslogd will use.

When you are unable to connect to your mysqld there's a problem
with missing dependencies, your linux user may not have the
privileges to access the mysqld socket or establish a TCP/IP
connection, your used credentials could be wrong or the mysql user
is not allowed to connect from that host (check mysql host
restrictions!).

Once you can connect to your mysqld from the chroot environment
using the "mysql" program make sure that all rsyslogd dependencies
are available from that environment like you have done before for
the mysql program (don't forget to check rsyslogd's modules!).



Now rsyslogd should be able to connect to that mysqld, too.




If not, run rsyslogd in foreground/with debug output and check
mysqld logs (you need to set "log-warnings = 2" in your mysqld to
log failed login attempts).


--
Regards,
Thomas




_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT
POST
if you DON'T LIKE THAT.
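
Added example, not part of the thread and not code from rsyslog or OpenSSH: a check for the symptom discussed above, where sessions jailed by ChrootDirectory produce no syslog records. It reads the ChrootDirectory template from an sshd_config and reports whether a log socket exists at dev/log inside one user's jail; the function names, the optional ROOT prefix and the user "alice" are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and the ROOT prefix
# argument are constructed for illustration.

# chroot_template CONFIG
# Print the ChrootDirectory of the first sshd_config section that also
# forces internal-sftp (for the thread's config: /home/%u).
chroot_template() {
    awk '
        tolower($1) == "match"           { if (dir != "" && sftp) exit
                                           dir = ""; sftp = 0 }
        tolower($1) == "chrootdirectory" { dir = $2 }
        tolower($1) == "forcecommand" && $2 == "internal-sftp" { sftp = 1 }
        END { if (dir != "" && sftp) print dir }
    ' "$1"
}

# log_socket_status CONFIG USER [ROOT]
# Expand %u for USER and classify <chroot>/dev/log, the path a jailed
# internal-sftp process resolves when it opens syslog.
# ROOT is an optional prefix so the check can run against a test tree.
log_socket_status() (
    tmpl=$(chroot_template "$1")
    [ -n "$tmpl" ] || { echo "no-chroot"; exit 0; }
    dir=$(printf '%s' "$tmpl" | sed "s|%u|$2|g")
    sock="${3:-}$dir/dev/log"
    if [ -S "$sock" ]; then
        echo "ok $sock"            # a socket exists; a syslog daemon may be listening
    elif [ -e "$sock" ]; then
        echo "not-a-socket $sock"  # a plain file here cannot receive syslog datagrams
    else
        echo "missing $sock"       # jailed process has nowhere to send its log lines
    fi
)

# Demo on a constructed config (same Match block as in the thread).
demo_cfg=$(mktemp)
printf '%s\n' 'Match group sftp' 'ChrootDirectory /home/%u' \
    'ForceCommand internal-sftp -f LOCAL3 -l INFO' > "$demo_cfg"
log_socket_status "$demo_cfg" alice
rm -f "$demo_cfg"
```

A `missing` result means the jailed session has no syslog socket to write to, which matches the symptom in the thread. rsyslog's imuxsock module can listen on an additional socket placed inside the jail (legacy directive `$AddUnixListenSocket`, followed by the socket path).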




