
I'm trying to set up property-based filtering for the audispd log. This is what I have currently:

  • SLES11 RSYSLOG v5
  • RHEL6 RSYSLOG v5
  • RHEL5 RSYSLOG v3

    rsyslogd: [origin software="rsyslogd" swVersion="3.22.1" x-pid="15913" x-info="http://www.rsyslog.com"] (re)start

I have this configured on my SLES11 and RHEL5:

# cat /etc/rsyslog.d/audispd.conf

# Discard every message whose msg property (the text after the TAG) contains "audispd:"
:msg, contains, "audispd:"    ~

# Send a copy to remote log
auth,user,authpriv.=info        @10.10.10.23.com:514
# "&" reuses the selector above; "~" then discards those messages so they are not written locally
&      ~

The above configuration works just fine for v5, but it does not work on v3. I have been searching around and can't find anything that would cause the problem, as the same config will not work with RHEL5.

EDIT: 23/12/2015

Some debug log from my rsyslog version 3:

9962.270590000:imuxsock.c: --------imuxsock calling select, active file descriptors (max 12): 12
9962.270777000:main queue:Reg/w0: main queue: entering rate limiter
9962.270788000:main queue:Reg/w0: main queue: entry deleted, state 0, size now 0 entries
9962.270805000:main queue:Reg/w0: Called action, logging to builtin-file
9962.270828000:main queue:Reg/w0:  (/var/log/messages)
9962.270924000:main queue:Reg/w0: main queue: entering rate limiter
9962.270933000:main queue:Reg/w0: main queue:Reg/w0: worker IDLE, waiting for work.
9962.274862000:imuxsock.c: Message from UNIX socket: #12
9962.274876000:imuxsock.c: dropped LF at very end of message (DropTrailingLF is set)
9962.274891000:imuxsock.c: logmsg: flags 4, from 'hostname', msg Dec 23 11:06:02 audispd: node=hostname type=USER_END msg=audit(1450839962.265:1731474): user pid=9687 uid=0 auid=0 msg='PAM: session close acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
9962.274897000:imuxsock.c: Message has legacy syslog format.
9962.274906000:imuxsock.c: main queue: entry added, size now 1 entries
9962.274913000:imuxsock.c: wtpAdviseMaxWorkers signals busy
9962.274920000:imuxsock.c: main queue: EnqueueMsg advised worker start

I even tested this:

if $programname == "audispd" then /var/log/audispd.log

This does not work either.

Thanks

skelator
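The rules in the question test different rsyslog properties, and the quickest way to see which one a given line satisfies is to split the line the way rsyslog does and evaluate each rule against the result. The script below is an added example, not code from the question or from rsyslog: it is a simplified model of rsyslog's documented legacy (RFC 3164 style) properties, where `syslogtag` is the TAG including the colon, `programname` is the TAG without the colon or `[pid]`, and `msg` is everything after the TAG with its leading space kept. It evaluates the `:msg, contains, "audispd:"` rule, the `auth,user,authpriv.=info` selector, and `:programname, isequal, "audispd"` (the same test the expression `$programname == "audispd"` makes) against the USER_END record from the debug output. The sample line is constructed: the raw line from /dev/log was not shown, so a PRI of `<14>` (facility user, severity info, the audisp syslog plugin's default) is assumed, and the hostname is taken from the local host as rsyslog does for the unix socket. Network input and RFC 5424 are out of scope.

```python
"""Simplified model of rsyslog legacy-message properties and filter matching.

Added example, not code from the question or from rsyslog.  Assumptions:
msg is the text after the TAG (leading space kept, as rsyslog documents),
the sample line carries PRI <14> (user.info, assumed audisp-syslog default),
and lines arrive on the local socket, so hostname is the local host.
"""
import re
from typing import Dict

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
              "news", "uucp", "cron", "authpriv", "ftp"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample: the USER_END record from the question's debug output,
# with the PRI prefix a /dev/log client would send (assumed <14> = user.info).
SAMPLE = ('<14>Dec 23 11:06:02 audispd: node=hostname type=USER_END '
          'msg=audit(1450839962.265:1731474): user pid=9687 uid=0 auid=0 '
          'msg=\'PAM: session close acct="root" : exe="/usr/sbin/crond" '
          '(hostname=?, addr=?, terminal=cron res=success)\'')

_LEGACY = re.compile(r"^<(?P<pri>\d{1,3})>"
                     r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<rest>.*)$", re.S)
# TAG runs up to and including the first colon; an optional [pid] is part of it
_TAG = re.compile(r"^(?P<tag>[^\s:\[]+(?:\[\d+\])?:)(?P<msg>.*)$", re.S)
_PROP_FILTER = re.compile(r'^:(?P<prop>\w+),\s*(?P<neg>!?)'
                          r'(?P<op>contains|isequal|startswith|regex),\s*"(?P<val>[^"]*)"')


def _facility_name(n: int) -> str:
    if n < len(FACILITIES):
        return FACILITIES[n]
    return f"local{n - 16}" if 16 <= n <= 23 else f"facility{n}"


def parse_legacy(line: str, local_host: str = "hostname") -> Dict[str, str]:
    """Split a local-socket legacy line into rsyslog-style properties."""
    m = _LEGACY.match(line)
    if not m:
        raise ValueError(f"not a legacy syslog line: {line!r}")
    pri, rest = int(m.group("pri")), m.group("rest")
    t = _TAG.match(rest)
    tag, msg = (t.group("tag"), t.group("msg")) if t else ("", rest)
    return {
        "facility": _facility_name(pri // 8),
        "severity": SEVERITIES[pri % 8],
        "hostname": local_host,                      # no hostname field on /dev/log
        "syslogtag": tag,                            # "audispd:" (colon kept)
        "programname": re.split(r"[\[:]", tag)[0],   # "audispd"
        "msg": msg,                                  # " node=..." (leading space kept)
        "rawmsg": line,
    }


def property_filter_matches(rule: str, props: Dict[str, str]) -> bool:
    """Evaluate a ':property, [!]op, "value"' filter against parsed properties."""
    m = _PROP_FILTER.match(rule.strip())
    if not m:
        raise ValueError(f"unsupported property filter: {rule!r}")
    subject, val, op = props[m.group("prop")], m.group("val"), m.group("op")
    hit = {"contains": lambda: val in subject,
           "isequal": lambda: subject == val,
           "startswith": lambda: subject.startswith(val),
           "regex": lambda: re.search(val, subject) is not None}[op]()
    return hit != bool(m.group("neg"))


def selector_matches(selector: str, props: Dict[str, str]) -> bool:
    """Evaluate a classic 'fac1,fac2.severity' or 'fac.=severity' selector."""
    fac_part, sev_part = selector.split(".", 1)
    facs = set(fac_part.split(","))
    if "*" not in facs and props["facility"] not in facs:
        return False
    if sev_part == "*":
        return True
    exact = sev_part.startswith("=")          # "=info": exactly info, not "info and above"
    threshold = SEVERITIES.index(sev_part.lstrip("="))
    level = SEVERITIES.index(props["severity"])
    return level == threshold if exact else level <= threshold


RULES = [
    ':msg, contains, "audispd:"',         # as posted: tests the MSG part only
    ':syslogtag, contains, "audispd:"',   # the TAG is where "audispd:" sits
    ':programname, isequal, "audispd"',   # same test as $programname == "audispd"
]


def check_rules(line: str = SAMPLE) -> Dict[str, bool]:
    """Return, per rule, whether the line would be selected by it."""
    props = parse_legacy(line)
    out = {r: property_filter_matches(r, props) for r in RULES}
    out["auth,user,authpriv.=info"] = selector_matches("auth,user,authpriv.=info", props)
    return out


if __name__ == "__main__":
    for rule, hit in check_rules().items():
        print(f"{'match   ' if hit else 'no match'}  {rule}")
```

Run it as-is to see which property each posted rule is actually testing for this record; swap `SAMPLE` for a line captured from your own box (for example with `strace -f -e sendto` on the client or rsyslog's `$rawmsg`) to check a real PRI and TAG rather than the assumed ones.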

0 Answers