Hi,

I want to collect Bash history and forward it to my Elastic cluster. I
have a central rsyslog server in my cluster, which receives logs
already and forwards some to another rsyslog server.

I use the Bash `shopt -s syslog_history` option on Red Hat. On the
nodes in my cluster I forward the logs to the central rsyslog
logserver. It looks like this:

if ($programname == '-bash' or $programname == 'bash') and $msg contains 'HISTORY:' then {
    @x.x.x.x:514
    & stop
}

The central logserver has a Fleet Agent running, which runs a UDP
listener integration on 127.0.0.1 on UDP 10514. This integration has
syslog parsing enabled.

I can send data from a node to the central rsyslog server. In tcpdump I
see the messages sent from another node. On the central rsyslog server
I have the following setup:

if ($programname == '-bash' or $programname == 'bash') and $msg contains 'HISTORY:' then {
    @127.0.0.1:10514
    & stop
}

This forwards the logs to the local Elastic Fleet Agent. However, logs
sent from a node in my cluster are not forwarded by the central rsyslog
server to the local Fleet port. When I enable the Bash syslog option on
the central log server it does forward the local Bash history to the
Elastic cluster. But it doesn't forward the data received from the
nodes in my cluster.

What am I missing? Other logs are forwarded to another syslog server
just fine. So the setup should work I guess? That forwarding is done
like this:

if ($syslogfacility-text == ['auth','authpriv'] and ($programname contains 'ssh')) then @y.y.y.y:514

So maybe the filter for receiving relayed Bash history messages is
wrong? Since it does work fine for locally generated logs. And other
types of logs are forwarded just fine.


-- 
Kees de Jong | Supercomputing | https://www.surf.nl/en/about-surf
OpenPGP fingerprint: 0x0E45C98AB51428E6
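As an added example (not from the poster or the rsyslog project): a small Python model of how the posted filter evaluates relayed RFC 3164 lines, together with a parser for the `HISTORY: PID=... UID=... <command>` payload Bash emits under `shopt -s syslog_history`. In RainerScript `and` binds tighter than `or`, so the two functions below show what the filter matches with and without parentheses. The sample syslog lines, hostnames and commands are constructed.

```python
import re

# Minimal RFC 3164 line as rsyslog relays it (constructed sample data).
# The TAG field (before the colon, minus any [pid]) becomes rsyslog's $programname.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)
# Payload written by Bash when syslog_history is enabled.
HISTORY_RE = re.compile(r"^HISTORY: PID=(?P<pid>\d+) UID=(?P<uid>\d+) (?P<cmd>.*)$")

def parse_syslog(line):
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["programname"] = d["tag"]  # what $programname holds for this line
    return d

def filter_as_posted(programname, msg):
    # Without parentheses RainerScript reads the posted condition as:
    #   ($programname == '-bash') or ($programname == 'bash' and $msg contains 'HISTORY:')
    # so every '-bash' message is forwarded, marker or not.
    return programname == "-bash" or (programname == "bash" and "HISTORY:" in msg)

def filter_intended(programname, msg):
    # With explicit parentheses both shell tags require the HISTORY: marker.
    return (programname == "-bash" or programname == "bash") and "HISTORY:" in msg

def parse_history(msg):
    m = HISTORY_RE.match(msg)
    return None if not m else {"pid": int(m["pid"]), "uid": int(m["uid"]), "cmd": m["cmd"]}

# Constructed lines: two history records, one '-bash' line without the marker, one sshd line.
SAMPLE_LINES = [
    "<14>Jun  3 09:15:01 node01 -bash: HISTORY: PID=4711 UID=1000 sudo systemctl restart slurmd",
    "<14>Jun  3 09:15:02 node01 bash: HISTORY: PID=4712 UID=1000 ls -la /scratch",
    "<14>Jun  3 09:15:03 node02 -bash: some other message without the marker",
    "<86>Jun  3 09:15:04 node02 sshd[2201]: Accepted publickey for alice from 10.0.0.5 port 50222",
]

def route(lines, flt):
    """Return (host, programname, parsed HISTORY fields) for each line the filter forwards."""
    out = []
    for line in lines:
        p = parse_syslog(line)
        if p and flt(p["programname"], p["msg"]):
            out.append((p["host"], p["programname"], parse_history(p["msg"])))
    return out

if __name__ == "__main__":
    for name, flt in (("as posted", filter_as_posted), ("with parentheses", filter_intended)):
        print(name, "->", [(h, prog, rec and rec["cmd"]) for h, prog, rec in route(SAMPLE_LINES, flt)])
```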


_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
