Hello, all- The folks at the IRC channel on freenode referred me here. Can anyone tell me what is wrong with my config file? Nothing is getting logged, and rsyslog is throwing an error. Before anyone suggests it, I can't deviate from the version in the Solaris repositories- otherwise I would do 7.4.

The error:

rsyslogd: syntax error in expression [try http://www.rsyslog.com/e/2051 ]
rsyslogd: the last error occured in /etc/rsyslog.conf, line 16:"if $programname == 'sudo' and $msg contains 'USER=root' and $msg eregex "COMMAND=/bin/.*sh" then /adm/tmp/mdwilson-workspace/logging/rootshell"
rsyslogd: warning: selector line without actions will be discarded
rsyslogd: CONFIG ERROR: could not interpret master config file '/etc/rsyslog.conf'. [try http://www.rsyslog.com/e/2124 ]

The config file:

##Global Directives
$MaxMessageSize 8192
$MainMsgQueueDiscardMark 200
$MainMsgQueueDequeueBatchSize 0

##Load UDP and Solaris Logging modules
$ModLoad imudp
$ModLoad imsolaris

##Start UDP Logging for log4j
$UDPServerAddress 127.0.0.1
$UDPServerRun 514

if $programname == 'sudo' and $msg contains 'USER=root' then /my/logdirectory/logging/allroot

if $programname == 'sudo' and $msg contains 'USER=root' and $msg eregex "COMMAND=/bin/.*sh" then /my/logdirectory/logging/rootshell

if $programname == 'httpd' and $syslogfacility-text == 'local7' then /my/logdirectory/logging/apache

local5.* /my/logdirectory/logging/local5
*.* /my/logdirectory/logging/all
*.* /my/logdirectory/logging/all2

Config paste included for readability.
http://pastebin.com/P9P6BMSR

Thanks!
-Mat
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.

