Hi David,
I've attached the full config with some redacted parts such as IPs. I hope that helps.

-- 
Kees de Jong | Supercomputing | https://www.surf.nl/en/about-surf
OpenPGP fingerprint: 0x0E45C98AB51428E6

On Tue, 2024-03-19 at 07:39 -0700, David Lang wrote:
> please post your full configs, it's likely that there are other things in the
> config that are causing issues.
>
> note that when you are within an if statement, you don't need to do the &, just
> a bare stop will apply to everything that the if matched.
>
> David Lang
>
> On Tue, 19 Mar 2024, Kees de Jong via rsyslog wrote:
>
> > Date: Tue, 19 Mar 2024 13:09:01 +0000
> > From: Kees de Jong via rsyslog <rsyslog@lists.adiscon.com>
> > To: "rsyslog@lists.adiscon.com" <rsyslog@lists.adiscon.com>
> > Cc: Kees de Jong <kees.dej...@surf.nl>
> > Subject: [rsyslog] Bash history --> rsyslog relay --> Elastic
> >
> > Hi,
> >
> > I want to collect Bash history and forward it to my Elastic cluster. I
> > have a central rsyslog server in my cluster, which receives logs
> > already and forwards some to another rsyslog server.
> >
> > I use the Bash `shopt -s syslog_history` option on Red Hat. On the
> > nodes in my cluster I forward the logs to the central rsyslog
> > logserver, which looks like this:
> >
> > if $programname == '-bash' or $programname == 'bash' and $msg contains
> > 'HISTORY:' then {
> >     @x.x.x.x:514
> >     & stop
> > }
> >
> > The central logserver has a Fleet Agent running, which runs a UDP
> > listener integration on 127.0.0.1 on UDP 10514. This integration has
> > syslog parsing enabled.
> >
> > I can send data from a node to the central rsyslog server. In tcpdump I
> > see the messages sent from another node. On the central rsyslog server
> > I have the following setup:
> >
> > if $programname == '-bash' or $programname == 'bash' and $msg contains
> > 'HISTORY:' then {
> >     @127.0.0.1:10514
> >     & stop
> > }
> >
> > Which forwards the logs to the local Elastic Fleet Agent. However, logs
> > sent from a node in my cluster are not forwarded by the central rsyslog
> > server to the local Fleet port. When I enable the Bash syslog option on
> > the central log server it does forward the local Bash history to the
> > Elastic cluster. But it doesn't forward the data received from the
> > nodes in my cluster.
> >
> > What am I missing? Other logs are forwarded to another syslog server
> > just fine. So the setup should work I guess? That forwarding is done
> > like this:
> >
> > if ($syslogfacility-text == ['auth','authpriv'] and ($programname
> > contains 'ssh')) then @y.y.y.y:514
> >
> > So maybe the filter for receiving relayed Bash history messages is
> > wrong? Since it does work fine for locally generated logs. And other
> > types of logs are forwarded just fine.
> >
> _______________________________________________
> rsyslog mailing list
> https://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT
> POST if you DON'T LIKE THAT.
# rg -ov '^#' ../rsyslog.conf *
99_stop-remote.conf
1::fromhost-ip, contains, "y.y" stop
98_footsteps.conf
1:if ($syslogfacility-text == ['auth','authpriv'] and ($programname contains 'ssh')) then @x.x.x.x:514
90_local.conf
1:template(name="auditd" type="string" string="/rsyslog/%fromhost%/audit_log")
2:template(name="LogStore" type="string" string="/rsyslog/%fromhost%/log")
3:
4:template(name="temp" type="list") {
5:    property(name="timestamp" dateformat="unixtimestamp")
6:    constant(value=" ")
7:    property(name="$year")
8:    constant(value=" ")
9:    property(name="timestamp" dateformat="rfc3164")
10:    constant(value=" ")
11:    property(name="hostname")
12:    constant(value=" ")
13:    property(name="syslogfacility-text")
14:    constant(value=" ")
15:    property(name="syslogseverity-text")
16:    constant(value=" ")
17:    property(name="app-name")
18:    constant(value=" ")
19:    property(name="msg")
20:    constant(value="\n")
21:}
22:
23::syslogtag, isequal, "auditd:" ?auditd;temp
24:& stop
25:
26:*.* ?LogStore;temp
27:input(type="imtcp" port="514")
10-firewalld.conf
1::msg,contains,"_DROP" /var/log/firewalld
2::msg,contains,"_REJECT" /var/log/firewalld
3:& stop
01-bash-syslog.conf
1:if $programname == '-bash' or $programname == 'bash' and $msg contains 'HISTORY:' then {
2:    #action(type="omfwd" Target="127.0.0.1" Port="10514" Protocol="udp")
3:    @127.0.0.1:10514
4:    & stop
5:}
00-load-modules.conf
1:module(load="imtcp" MaxSessions="5000")
00-imuxsock.conf
2:module(load="imuxsock" SysSock.Name="/dev/log")
../rsyslog.conf
2:
6:
8:
11:    # local messages are retrieved through imjournal now.
16:
21:
26:
28:
30:global(workDirectory="/var/lib/rsyslog")
31:
33:module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")
34:
36:include(file="/etc/rsyslog.d/*.conf" mode="optional")
37:
39:
43:
46:*.info;mail.none;authpriv.none;cron.none    /var/log/messages
47:
49:authpriv.*                                  /var/log/secure
50:
52:mail.*                                      -/var/log/maillog
53:
54:
56:cron.*                                      /var/log/cron
57:
59:*.emerg                                     :omusrmsg:*
60:
62:uucp,news.crit                              /var/log/spooler
63:
65:local7.*                                    /var/log/boot.log
66:
67:
smime.p7s
Description: S/MIME cryptographic signature
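The two forwarding filters from the thread (the Bash-history rule in 01-bash-syslog.conf and the ssh rule in 98_footsteps.conf), evaluated against constructed RFC 3164 lines of the kind the central relay receives over imtcp. This is an added example, not code from the thread or from rsyslog; the hostnames, PIDs and commands in the samples are invented, and the programname extraction is a simplification of rsyslog's own rule. It also shows that RainerScript binds `and` tighter than `or`, so the Bash filter as written accepts every `-bash` message whether or not it contains `HISTORY:`, which is worth knowing when checking what actually reaches the Fleet listener.

```python
import re

# Constructed sample lines in RFC 3164 form, as imtcp on the central relay would
# receive them from cluster nodes (hostnames, PIDs and commands are invented).
SAMPLE_LINES = [
    "<13>Mar 19 13:09:01 node01 -bash[4242]: HISTORY: PID=4242 UID=1000 ls -la /etc",
    "<13>Mar 19 13:09:02 node01 bash[4300]: HISTORY: PID=4300 UID=1000 cat /etc/hosts",
    "<13>Mar 19 13:09:03 node01 -bash[4242]: not a history record",
    "<13>Mar 19 13:09:04 node02 bash[4311]: not a history record",
    "<86>Mar 19 13:09:05 node02 sshd[512]: Accepted publickey for alice from 10.0.0.5",
]

# <PRI>TIMESTAMP HOST TAG: MSG
_RFC3164 = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) "
                      r"(?P<host>\S+) (?P<tag>[^: ]+): ?(?P<msg>.*)$")
# Facility codes 0-11 and 16-23; anything else is reported numerically.
_FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
               6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
               **{16 + i: f"local{i}" for i in range(8)}}

def parse(line):
    """Extract the rsyslog properties the thread's filters use. programname is the
    tag up to the first '[' or ':' (a simplification of rsyslog's own rule)."""
    m = _RFC3164.match(line)
    if not m:
        raise ValueError(f"not RFC 3164: {line!r}")
    fac = int(m["pri"]) >> 3
    return {"host": m["host"], "facility": _FACILITIES.get(fac, f"facility{fac}"),
            "programname": re.split(r"[\[:]", m["tag"], maxsplit=1)[0], "msg": m["msg"]}

def bash_history_as_written(p):
    """01-bash-syslog.conf as written. RainerScript binds 'and' tighter than 'or',
    so this reads: -bash  OR  (bash AND msg contains 'HISTORY:')."""
    return p["programname"] == "-bash" or (
        p["programname"] == "bash" and "HISTORY:" in p["msg"])

def bash_history_grouped(p):
    """The same filter with the 'or' grouped explicitly, so 'HISTORY:' is required
    for both login (-bash) and non-login (bash) shells."""
    return p["programname"] in ("-bash", "bash") and "HISTORY:" in p["msg"]

def ssh_auth(p):
    """98_footsteps.conf: auth/authpriv facility and a programname containing 'ssh'."""
    return p["facility"] in ("auth", "authpriv") and "ssh" in p["programname"]

def route(line):
    """Which of the thread's filters would accept this line (keyed by filter name)."""
    p = parse(line)
    return {"bash_as_written": bash_history_as_written(p),
            "bash_grouped": bash_history_grouped(p), "ssh_auth": ssh_auth(p)}
```

Running `route()` over `SAMPLE_LINES` shows the third line accepted by the filter as written but not by the grouped form, and the sshd line accepted only by the auth rule.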