I've configured the audit server to forward the logs to a centralized rsyslog server. Is there a way to configure the server type, or something unique to a group of servers, in the log message? I've set `name_format` to "user" and `name` to a unique string, but this one only shows up in the audit logs and not in rsyslog. I've listed the audit and rsyslog messages below.

audit: node=TEST_SRVR type=USER_END msg=audit(xxx.xx:2719): user pid=7589 uid=0 auid=0 ses=394 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'

Central rsyslog: XXX:audispd user x.x.x.x Oct 23 15:55:02 6 node=x.x.x.x type=USER_END msg=audit(xxx.xx:2719): user pid=7589 uid=0 auid=0 ses=394 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'

The value of "node" is different in the two logs. Is there a way to replace "audispd user" with a unique string?

Thanks.

R. Puram

1 Answer

Yes, you can use templates for this, to format your messages as you want. By default, an RFC3164 template is used (this one), but you can, for example, prepend the "msg" part with whatever constant or property you want. It could be `constant(value="test_group ")`, for example.

Note that the verbose way of defining templates is valid in rsyslog 7.x or later. Scroll down for the legacy format, though I'd really recommend upgrading.

Though if you want to move structured logs around, it may be worth forwarding them in JSON and/or making rsyslog parse unstructured data into JSON, so that you can use pieces of this JSON in templates and conditionals as you like. I've linked two articles with some examples.

Radu Gheorghe
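As an added example (not part of the answer above, and not from the rsyslog project), here is an rsyslog 7+ configuration for the forwarding clients that does what the answer describes: a copy of the default forward format with a constant group tag inserted in front of the message body, a JSON variant, and the legacy syntax for the same thing. The template names, the group tag `web_frontend` and the host `central.example.com` are placeholders, and it assumes the audit records reach rsyslog through the audispd syslog plugin with the `audispd:` tag that the question's central log shows. The `node=` field inside the message body is written by auditd itself, so a template cannot change it; it can only add data around it.

```rsyslog
# Added example, not from the answer above. rsyslog 7+ RainerScript for an
# audit client. Template names, the group tag and the central host are placeholders.

# 1. Same layout as the built-in RSYSLOG_ForwardFormat, with a constant
#    "group=" tag inserted between the syslog tag and the message body.
template(name="AuditGroupFwd" type="list") {
    constant(value="<")
    property(name="pri")
    constant(value=">")
    property(name="timestamp" dateFormat="rfc3339")
    constant(value=" ")
    property(name="hostname")
    constant(value=" ")
    property(name="syslogtag" position.from="1" position.to="32")
    constant(value=" group=web_frontend")
    property(name="msg" spifno1stsp="on")
    property(name="msg" droplastlf="on")
}

# 2. Structured variant: whatever is set under $! below is emitted as one
#    JSON object (no syslog header), so the receiver must expect JSON.
template(name="AuditGroupJson" type="subtree" subtree="$!")

# 3. Only records from the audispd syslog plugin get the group tag; every
#    other message falls through to the rest of the configuration.
if ($syslogtag startswith "audispd") then {
    # fields for the JSON variant: group tag, sending host, raw audit record
    set $!group = "web_frontend";
    set $!sender = $hostname;
    set $!audit = $msg;

    # text forwarding with the tag prepended (use this or the JSON action, not both)
    action(type="omfwd" target="central.example.com" port="514" protocol="tcp"
           template="AuditGroupFwd")
    # action(type="omfwd" target="central.example.com" port="514" protocol="tcp"
    #        template="AuditGroupJson")
    stop
}

# Legacy (pre-7) syntax for the text template and the forwarding rule:
# $template AuditGroupFwd,"<%PRI%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag:1:32% group=web_frontend%msg:::sp-if-no-1st-sp%%msg%"
# :syslogtag, startswith, "audispd" @@central.example.com:514;AuditGroupFwd
# & ~
```

With the text template, the central server receives `audispd: group=web_frontend node=... type=USER_END ...`, so the central template can keep printing `%syslogtag%` and the group shows up right after it; a per-group string such as `group=db` or `group=web_frontend` only has to differ in that one `constant()` on each group's clients. A `property(name="hostname")` or `property(name="fromhost-ip")` can be put in the same place if the grouping is derivable from the sender rather than a fixed string. The subtree template emits only the JSON object, so the central side needs a receiver that parses JSON bodies (for example `mmjsonparse`, which by default expects the message body to start with the `@cee:` cookie).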