As this is an event generated by a process external to rsyslog itself, you don't have access to its environment variables. If something isn't passed in the contents of the event you cannot recreate it from thin air. BTW, sudo should be logging which user is doing sudo (and you should be granting sudo according to the least privileges principle).

On 6 May 2024 13:34:32 CEST, Kees de Jong via rsyslog <rsyslog@lists.adiscon.com> wrote:
>Hi,
>
>I want to include the variable $SUDO_USER to an rsyslog template. Is
>that even possible? The reason I want to include is because the
>`syslog_history` shell option allows sending Bash commands through
>rsyslog, but it contains only info as shown below:
>
>May 2 16:32:55 computer1 -bash[1982667]: HISTORY: PID=1982667 UID=414223 ls
>
>If the above would be e.g. UID=0 (root), because someone became root,
>then it would be good to know in the logging who became root. By
>including the $SUDO_USER variable, I can relate a root shell to the
>actual user. I can't seem to find this in the docs, the only variable
>stuff I can find is for including configurations, not system variables.
>
>
>--
>Kees de Jong | Supercomputing | https://www.surf.nl/en/about-surf
>OpenPGP fingerprint: 0x0E45C98AB51428E6

--
Sent with K-9 Mail.
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
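
The reply's point that sudo already logs who invoked it can be applied at analysis time, as an added example that is not from the thread or the rsyslog project: it pairs UID=0 `HISTORY` lines with earlier sudo-to-root entries on the same host. The log lines are constructed, the sudo line layout is assumed to be sudo's usual syslog format, and the year, the 8-hour window and the time-based matching are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines for illustration (traditional syslog layout).
SAMPLE = """\
May  2 16:30:01 computer1 sudo[1982600]:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
May  2 16:32:55 computer1 bash[1982667]: HISTORY: PID=1982667 UID=0 ls
May  2 16:33:10 computer1 -bash[1982001]: HISTORY: PID=1982001 UID=414223 ls
May  2 16:35:00 computer1 sudo[1982700]:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
May  2 16:36:00 computer1 bash[1982710]: HISTORY: PID=1982710 UID=0 systemctl restart nginx
May  2 16:41:00 computer2 -bash[777]: HISTORY: PID=777 UID=0 id
"""

TS = r"(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) "
SUDO_RE = re.compile(TS + r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : .*\bUSER=root ; COMMAND=")
HIST_RE = re.compile(TS + r"-?bash\[\d+\]: HISTORY: PID=\d+ UID=(?P<uid>\d+) (?P<cmd>.*)$")

def _ts(text, year):
    # Traditional syslog timestamps carry no year, so the caller supplies one.
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def attribute_root_commands(lines, year=2024, window=timedelta(hours=8)):
    """Return (host, command, candidate_users) for every UID=0 HISTORY line.

    Heuristic (assumption): a candidate is any user whose sudo-to-root entry
    on the same host precedes the command by at most `window`. One candidate
    is an attribution, several are ambiguous, none means root was reached
    without a matching sudo entry in this log.
    """
    sudo_events = {}  # host -> [(time, user), ...]
    results = []
    for line in lines:
        m = SUDO_RE.match(line)
        if m:
            sudo_events.setdefault(m["host"], []).append((_ts(m["ts"], year), m["user"]))
            continue
        m = HIST_RE.match(line)
        if m and m["uid"] == "0":
            when = _ts(m["ts"], year)
            users = sorted({u for t, u in sudo_events.get(m["host"], [])
                            if timedelta(0) <= when - t <= window})
            results.append((m["host"], m["cmd"], users))
    return results

if __name__ == "__main__":
    for host, cmd, users in attribute_root_commands(SAMPLE.splitlines()):
        print(host, repr(cmd), users or "no sudo entry found")
```

An empty candidate list is itself worth alerting on, since it means a root shell produced history with no sudo entry for that host in the log being analysed.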