Please post your full configs; it's likely that there are other things in the
config that are causing issues.
Note that when you are within an if statement, you don't need to do the &; just
a bare stop will apply to everything that the if matched.
David Lang
On Tue, 19 Mar 2024, Kees de Jong via rsyslog wrote:
Date: Tue, 19 Mar 2024 13:09:01 +0000
From: Kees de Jong via rsyslog <rsyslog@lists.adiscon.com>
To: "rsyslog@lists.adiscon.com" <rsyslog@lists.adiscon.com>
Cc: Kees de Jong <kees.dej...@surf.nl>
Subject: [rsyslog] Bash history --> rsyslog relay --> Elastic
Hi,
I want to collect Bash history and forward it to my Elastic cluster. I
have a central rsyslog server in my cluster, which receives logs
already and forwards some to another rsyslog server.
I use the Bash `shopt -s syslog_history` option on Red Hat. On the
nodes in my cluster I forward the logs to the central rsyslog
logserver, which looks like this:
if $programname == '-bash' or $programname == 'bash' and $msg contains
'HISTORY:' then {
    @x.x.x.x:514
    & stop
}
The central logserver has a Fleet Agent running, which runs a UDP
listener integration on 127.0.0.1 on UDP 10514. This integration has
syslog parsing enabled.
I can send data from a node to the central rsyslog server. In tcpdump I
see the messages sent from another node. On the central rsyslog server
I have the following setup:
if $programname == '-bash' or $programname == 'bash' and $msg contains
'HISTORY:' then {
    @127.0.0.1:10514
    & stop
}
This forwards the logs to the local Elastic Fleet Agent. However, logs
sent from a node in my cluster are not forwarded by the central rsyslog
server to the local Fleet port. When I enable the Bash syslog option on
the central log server it does forward the local Bash history to the
Elastic cluster. But it doesn't forward the data received from the
nodes in my cluster.
What am I missing? Other logs are forwarded to another syslog server
just fine. So the setup should work I guess? That forwarding is done
like this:
if ($syslogfacility-text == ['auth','authpriv'] and ($programname
contains 'ssh')) then @y.y.y.y:514
So maybe the filter for receiving relayed Bash history messages is
wrong? Since it does work fine for locally generated logs. And other
types of logs are forwarded just fine.
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
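As an added example (not the poster's config and not part of David's reply), here is how the relay side of the pipeline above could be written with the filter grouping made explicit, a bare stop inside the block, and a debug file that records what rsyslog parsed as programname for every relayed history line. It assumes the nodes send to this host on UDP 514 and the Fleet Agent integration listens on 127.0.0.1:10514 as described; the debug file path and template name are placeholders.

```rsyslog
# Added example, not a config from the thread. Assumptions: cluster nodes
# send to this relay on UDP 514, the Elastic Fleet Agent UDP integration
# listens on 127.0.0.1:10514, and the debug file path is a placeholder.

module(load="imudp")
# No ruleset= binding here, so remote messages flow through the same
# default ruleset as local messages and reach the filter below. If the
# listener is bound to its own ruleset, the filter must live in that ruleset.
input(type="imudp" port="514")

# Debug view: record what rsyslog parsed as programname and syslogtag for
# every message carrying a history line, whether from the local bash or a node.
template(name="bashdbg" type="string"
         string="host=%hostname% prog=%programname% tag=%syslogtag% msg=%msg%\n")
if $msg contains "HISTORY:" then {
    action(type="omfile" file="/var/log/bash-history-debug.log" template="bashdbg")
}

# The relay filter, with parentheses so the grouping does not depend on
# and/or precedence: (bash or -bash) and the message is a history line.
if ($programname == "bash" or $programname == "-bash")
   and $msg contains "HISTORY:" then {
    action(type="omfwd" target="127.0.0.1" port="10514" protocol="udp")
    # Inside a block a bare stop is enough; no "&" prefix is needed.
    stop
}
```

Comparing the prog= field in the debug file for local versus relayed lines shows directly whether the $programname test is what fails for relayed messages.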