Hi, David- I confirmed that this is the problem line by commenting it out. I made the change you suggested, but am still receiving the same error.

Thanks,
-Mat

________________________________
Mat Wilson
Software Infrastructure Support Engineer
Infrastructure Implementation & QA
UC Irvine
________________________________________
From: [email protected] [[email protected]] on behalf of David Lang [[email protected]]
Sent: Wednesday, June 12, 2013 5:34 PM
To: rsyslog-users
Subject: Re: [rsyslog] 6.2.0 Configuration issues

hmm, looking at the filtering documentation, I'm not seeing the eregex syntax you are trying to use. Instead I'm seeing:

re_match(expr, re) - returns 1, if expr matches re, 0 otherwise

so I think what you are trying to do would be:

if $programname == 'sudo' and $msg contains 'USER=root' and re_match($msg,'COMMAND=/bin/.*sh') then /my/logdirectory/logging/rootshell

David Lang

On Wed, 12 Jun 2013, David Lang wrote:

> Date: Wed, 12 Jun 2013 17:22:58 -0700 (PDT)
> From: David Lang <[email protected]>
> Reply-To: rsyslog-users <[email protected]>
> To: rsyslog-users <[email protected]>
> Subject: Re: [rsyslog] 6.2.0 Configuration issues
>
> just a quick check, try removing the entire eregex section just to make sure
> that our problem is in that clause
>
> i.e. change it to:
>
> if $programname == 'sudo' and $msg contains 'USER=root' then
> /my/logdirectory/logging/rootshell
>
> before we spend too much time on this, let's make sure we are working the
> right problem.
>
> David Lang
>
> On Thu, 13 Jun 2013, Mathew Wilson wrote:
>
>> Date: Thu, 13 Jun 2013 00:53:54 +0000
>> From: Mathew Wilson <[email protected]>
>> Reply-To: rsyslog-users <[email protected]>
>> To: rsyslog-users <[email protected]>
>> Subject: Re: [rsyslog] 6.2.0 Configuration issues
>>
>> Hi, David- I tried that, but I unfortunately received the same error
>> message. Thanks for the suggestion, though!
>>
>> ________________________________
>>
>> Mat Wilson
>> Software Infrastructure Support Engineer
>> Infrastructure Implementation & QA
>> UC Irvine
>>
>> ________________________________________
>> From: [email protected] [[email protected]]
>> on behalf of David Lang [[email protected]]
>> Sent: Wednesday, June 12, 2013 4:04 PM
>> To: rsyslog-users
>> Subject: Re: [rsyslog] 6.2.0 Configuration issues
>>
>> On Wed, 12 Jun 2013, Mathew David Wilson wrote:
>>
>>> Hello, all-
>>>
>>> The folks at the IRC channel on freenode referred me here. Can anyone tell
>>> me what is wrong with my config file? Nothing is getting logged, and
>>> rsyslog is throwing an error. Before anyone suggests it, I can't deviate
>>> from the version in the Solaris repositories- otherwise I would do 7.4.
>>>
>>> The error:
>>> rsyslogd: syntax error in expression [try http://www.rsyslog.com/e/2051 ]
>>> rsyslogd: the last error occured in /etc/rsyslog.conf, line 16:"if
>>> $programname == 'sudo' and $msg contains 'USER=root' and $msg eregex
>>> "COMMAND=/bin/.*sh" then /adm/tmp/mdwilson-workspace/logging/rootshell"
>>> rsyslogd: warning: selector line without actions will be discarded
>>> rsyslogd: CONFIG ERROR: could not interpret master config file
>>> '/etc/rsyslog.conf'. [try http://www.rsyslog.com/e/2124 ]
>>>
>>> The config file:
>>>
>>> ##Global Directives
>>> $MaxMessageSize 8192
>>> $MainMsgQueueDiscardMark 200
>>> $MainMsgQueueDequeueBatchSize 0
>>>
>>> ##Load UDP and Solaris Logging modules
>>> $ModLoad imudp
>>> $ModLoad imsolaris
>>>
>>> ##Start UDP Logging for log4j
>>> $UDPServerAddress 127.0.0.1
>>> $UDPServerRun 514
>>>
>>> if $programname == 'sudo' and $msg contains 'USER=root' then /my/logdirectory/logging/allroot
>>>
>>> if $programname == 'sudo' and $msg contains 'USER=root' and $msg eregex "COMMAND=/bin/.*sh" then /my/logdirectory/logging/rootshell
>>>
>>> if $programname == 'httpd' and $syslogfacility-text == 'local7' then /my/logdirectory/logging/apache
>>>
>>> local5.* /my/logdirectory/logging/local5
>>> *.* /my/logdirectory/logging/all
>>> *.* /my/logdirectory/logging/all2
>>>
>>>
>>> Config paste included for readability.
>>> http://pastebin.com/P9P6BMSR
>>>
>>> Thanks!
>>
>> That version is picky about ' vs " try changing the " in that line to ' and
>> see if you keep getting the error.
>>
>> David Lang
>> _______________________________________________
>> rsyslog mailing list
>> http://lists.adiscon.net/mailman/listinfo/rsyslog
>> http://www.rsyslog.com/professional-services/
>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
>> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
>> LIKE THAT.
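The two sudo filters from the thread, the `allroot` line and David's `re_match` rewrite of the `rootshell` line, run over constructed sudo log lines in Python instead of in rsyslogd. This is an added example, not code from the thread or from the rsyslog project. rsyslog's `re_match` is a POSIX extended regex search over `$msg`; Python's `re.search` is used here as a stand-in and behaves the same for these particular patterns (an assumption). The sample messages, the destination names and the tighter alternative pattern `TIGHT_ROOT_SHELL_RE` are mine. The point of the comparison is that `COMMAND=/bin/.*sh` fires on any command whose arguments happen to contain "sh" (a path under /etc/ssh, for instance) and never fires on a shell under /usr/bin, so the filter both over- and under-reports root shells.

```python
import re

# Constructed MSG parts of sudo syslog records, shaped like what rsyslog exposes
# in $msg for a line tagged "sudo:". Users, TTYs and paths are made up.
SAMPLE_MSGS = [
    "  mat : TTY=pts/0 ; PWD=/home/mat ; USER=root ; COMMAND=/bin/bash",
    "  mat : TTY=pts/0 ; PWD=/home/mat ; USER=root ; COMMAND=/bin/sh -c id",
    "  mat : TTY=pts/0 ; PWD=/home/mat ; USER=root ; COMMAND=/bin/ls /root",
    "  mat : TTY=pts/0 ; PWD=/home/mat ; USER=root ; COMMAND=/bin/cat /etc/ssh/sshd_config",
    "  mat : TTY=pts/0 ; PWD=/home/mat ; USER=www-data ; COMMAND=/bin/bash",
    "  mat : TTY=pts/0 ; PWD=/home/mat ; USER=root ; COMMAND=/usr/bin/zsh",
]

# The pattern from the thread: re_match($msg,'COMMAND=/bin/.*sh').
ROOT_SHELL_RE = re.compile(r"COMMAND=/bin/.*sh")

# My alternative (not from the thread): an explicit list of shell binaries,
# optionally under /usr/bin, followed by a space or end of message. It stays
# within POSIX ERE syntax so it can be pasted into re_match() unchanged.
TIGHT_ROOT_SHELL_RE = re.compile(
    r"COMMAND=(/usr)?/bin/(sh|bash|dash|ksh|zsh|csh|tcsh)( |$)"
)


def is_sudo_root(programname, msg):
    """First filter: $programname == 'sudo' and $msg contains 'USER=root'.
    rsyslog's 'contains' is a case-sensitive substring test, as here."""
    return programname == "sudo" and "USER=root" in msg


def is_root_shell(programname, msg, pattern=ROOT_SHELL_RE):
    """Second filter: the first filter plus re_match($msg, pattern).
    re_match is an unanchored search, so re.search() is the right analogue."""
    return is_sudo_root(programname, msg) and pattern.search(msg) is not None


def route(programname, msg, pattern=ROOT_SHELL_RE):
    """Return the set of destinations the two filter lines would write to."""
    dests = set()
    if is_sudo_root(programname, msg):
        dests.add("allroot")
    if is_root_shell(programname, msg, pattern):
        dests.add("rootshell")
    return dests


def compare_patterns(msgs=SAMPLE_MSGS):
    """Messages the loose pattern flags but the tight one does not (false
    positives) and vice versa (misses), as lists of message indexes."""
    loose_only, tight_only = [], []
    for i, msg in enumerate(msgs):
        loose = is_root_shell("sudo", msg, ROOT_SHELL_RE)
        tight = is_root_shell("sudo", msg, TIGHT_ROOT_SHELL_RE)
        if loose and not tight:
            loose_only.append(i)
        if tight and not loose:
            tight_only.append(i)
    return {"loose_only": loose_only, "tight_only": tight_only}


if __name__ == "__main__":
    for i, msg in enumerate(SAMPLE_MSGS):
        print(i, sorted(route("sudo", msg)), sorted(route("sudo", msg, TIGHT_ROOT_SHELL_RE)))
    print(compare_patterns())
```

Running it shows message 3 (`cat /etc/ssh/sshd_config`) landing in `rootshell` under the thread's pattern but not under the tighter one, and message 5 (`/usr/bin/zsh`) the other way round. Whichever pattern is used, the list of shell names has to be checked against the binaries actually present on the hosts being monitored.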

