Hi David,
I've attached the full config with some redacted parts such as IPs. I hope that helps.

-- 
Kees de Jong | Supercomputing | https://www.surf.nl/en/about-surf
OpenPGP fingerprint: 0x0E45C98AB51428E6

On Tue, 2024-03-19 at 07:39 -0700, David Lang wrote:
> please post your full configs, it's likely that there are other things in the
> config that are causing issues.
>
> note that when you are within an if statement, you don't need to do the &, just
> a bare stop will apply to everything that the if matched.
>
> David Lang
>
> On Tue, 19 Mar 2024, Kees de Jong via rsyslog wrote:
>
> > Date: Tue, 19 Mar 2024 13:09:01 +0000
> > From: Kees de Jong via rsyslog <[email protected]>
> > To: "[email protected]" <[email protected]>
> > Cc: Kees de Jong <[email protected]>
> > Subject: [rsyslog] Bash history --> rsyslog relay --> Elastic
> >
> > Hi,
> >
> > I want to collect Bash history and forward it to my Elastic cluster. I
> > have a central rsyslog server in my cluster, which receives logs
> > already and forwards some to another rsyslog server.
> >
> > I use the Bash `shopt -s syslog_history` option on Red Hat. On the
> > nodes in my cluster I forward the logs to the central rsyslog
> > logserver. Which looks like this:
> >
> > if $programname == '-bash' or $programname == 'bash' and $msg contains
> > 'HISTORY:' then {
> >     @x.x.x.x:514
> >     & stop
> > }
> >
> > The central logserver has a Fleet Agent running, which runs a UDP
> > listener integration on 127.0.0.1 on UDP 10514. This integration has
> > syslog parsing enabled.
> >
> > I can send data from a node to the central rsyslog server. In tcpdump I
> > see the messages sent from another node. On the central rsyslog server
> > I have the following setup:
> >
> > if $programname == '-bash' or $programname == 'bash' and $msg contains
> > 'HISTORY:' then {
> >     @127.0.0.1:10514
> >     & stop
> > }
> >
> > Which forwards the logs to the local Elastic Fleet Agent. However, logs
> > sent from a node in my cluster are not forwarded by the central rsyslog
> > server to the local Fleet port. When I enable the Bash syslog option on
> > the central log server it does forward the local Bash history to the
> > Elastic cluster. But it doesn't forward the data received from the
> > nodes in my cluster.
> >
> > What am I missing? Other logs are forwarded to another syslog server
> > just fine. So the setup should work I guess? That forwarding is done
> > like this:
> >
> > if ($syslogfacility-text == ['auth','authpriv'] and ($programname
> > contains 'ssh')) then @y.y.y.y:514
> >
> > So maybe the filter for receiving relayed Bash history messages is
> > wrong? Since it does work fine for locally generated logs. And other
> > types of logs are forwarded just fine.
> >
> _______________________________________________
> rsyslog mailing list
> https://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT
> POST if you DON'T LIKE THAT.
# rg -ov '^#' ../rsyslog.conf *
99_stop-remote.conf
1::fromhost-ip, contains, "y.y" stop
98_footsteps.conf
1:if ($syslogfacility-text == ['auth','authpriv'] and ($programname contains 'ssh')) then @x.x.x.x:514
90_local.conf
1:template(name="auditd" type="string" string="/rsyslog/%fromhost%/audit_log")
2:template(name="LogStore" type="string" string="/rsyslog/%fromhost%/log")
3:
4:template(name="temp" type="list") {
5: property(name="timestamp" dateformat="unixtimestamp")
6: constant(value=" ")
7: property(name="$year")
8: constant(value=" ")
9: property(name="timestamp" dateformat="rfc3164")
10: constant(value=" ")
11: property(name="hostname")
12: constant(value=" ")
13: property(name="syslogfacility-text")
14: constant(value=" ")
15: property(name="syslogseverity-text")
16: constant(value=" ")
17: property(name="app-name")
18: constant(value=" ")
19: property(name="msg")
20: constant(value="\n")
21:}
22:
23::syslogtag, isequal, "auditd:" ?auditd;temp
24:& stop
25:
26:*.* ?LogStore;temp
27:input(type="imtcp" port="514")
10-firewalld.conf
1::msg,contains,"_DROP" /var/log/firewalld
2::msg,contains,"_REJECT" /var/log/firewalld
3:& stop
01-bash-syslog.conf
1:if $programname == '-bash' or $programname == 'bash' and $msg contains 'HISTORY:' then {
2: #action(type="omfwd" Target="127.0.0.1" Port="10514" Protocol="udp")
3: @127.0.0.1:10514
4: & stop
5:}
00-load-modules.conf
1:module(load="imtcp" MaxSessions="5000")
00-imuxsock.conf
2:module(load="imuxsock" SysSock.Name="/dev/log")
../rsyslog.conf
2:
6:
8:
11: # local messages are retrieved through imjournal now.
16:
21:
26:
28:
30:global(workDirectory="/var/lib/rsyslog")
31:
33:module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")
34:
36:include(file="/etc/rsyslog.d/*.conf" mode="optional")
37:
39:
43:
46:*.info;mail.none;authpriv.none;cron.none /var/log/messages
47:
49:authpriv.* /var/log/secure
50:
52:mail.* -/var/log/maillog
53:
54:
56:cron.* /var/log/cron
57:
59:*.emerg :omusrmsg:*
60:
62:uucp,news.crit /var/log/spooler
63:
65:local7.* /var/log/boot.log
66:
67:
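The filter that both the node and the central server use in this thread is a bare RainerScript condition, and it pays to be explicit about what it matches before chasing transport problems. The following is an added example, not part of the mailing-list thread and not rsyslog's own code: it parses a few constructed RFC 3164-style lines into the two properties the filter reads (`$programname`, taken from the syslog TAG, and `$msg`) and evaluates the thread's condition two ways. The first follows RainerScript's operator precedence, where `and` binds tighter than `or` (an assumption stated in the code, in line with the grammar of most languages), so the condition groups as `'-bash' or ('bash' and contains 'HISTORY:')`; the second is the parenthesised grouping most readers intend. The sample lines, host names and PIDs are constructed; the `HISTORY: PID=... UID=... <command>` message shape is what Bash's `syslog_history` option emits. The example models the filter only; it does not diagnose the relay behaviour described in the thread.

```python
"""Model of the rsyslog filter discussed in the thread, run over constructed
syslog records.  Added example; not code from the thread or from rsyslog.

The thread's condition is

    if $programname == '-bash' or $programname == 'bash' and $msg contains 'HISTORY:'

Assumption: RainerScript gives `and` higher precedence than `or`, so the
condition groups as
    programname == '-bash' or (programname == 'bash' and 'HISTORY:' in msg)
"""
import re
from dataclasses import dataclass

# RFC 3164-style line as a relay would deliver it:
#   "<PRI>Mmm dd hh:mm:ss host tag[pid]: msg"
# rsyslog's $programname is the TAG with the optional "[pid]" removed.
_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?:\s?"
    r"(?P<msg>.*)$"
)


@dataclass
class Record:
    host: str
    programname: str  # rsyslog $programname
    msg: str          # rsyslog $msg


def parse(line: str) -> Record:
    """Split one syslog line into the properties the filter reads."""
    m = _SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not a syslog line: {line!r}")
    return Record(m["host"], m["tag"], m["msg"])


def thread_filter_literal(r: Record) -> bool:
    """The condition as written in the thread, with `and` binding tighter
    than `or` (RainerScript precedence; see the module docstring)."""
    return r.programname == "-bash" or (
        r.programname == "bash" and "HISTORY:" in r.msg
    )


def thread_filter_grouped(r: Record) -> bool:
    """The grouping most readers intend: either shell name, and the
    HISTORY: marker must be present in the message."""
    return r.programname in ("-bash", "bash") and "HISTORY:" in r.msg


# Constructed sample input.  Bash's `shopt -s syslog_history` logs
# "HISTORY: PID=<pid> UID=<uid> <command>" at user.info (PRI 14) under the
# shell's own name, which is "-bash" for a login shell.  The sshd line
# (authpriv.info, PRI 86) is a non-matching control.
SAMPLE_LINES = [
    "<14>Mar 19 13:09:01 node01 -bash[4242]: HISTORY: PID=4242 UID=1000 ls -la",
    "<14>Mar 19 13:09:02 node02 bash[4243]: HISTORY: PID=4243 UID=1001 cat /etc/hosts",
    "<14>Mar 19 13:09:03 node03 -bash[4244]: some other message from a login shell",
    "<14>Mar 19 13:09:04 node04 bash[4245]: some other message from bash",
    "<86>Mar 19 13:09:05 node05 sshd[999]: Accepted publickey for user from 10.0.0.1",
]


def forwarded_hosts(lines, predicate) -> list:
    """Hosts whose records the given filter would forward (and then stop)."""
    return [r.host for r in map(parse, lines) if predicate(r)]


if __name__ == "__main__":
    print("literal :", forwarded_hosts(SAMPLE_LINES, thread_filter_literal))
    print("grouped :", forwarded_hosts(SAMPLE_LINES, thread_filter_grouped))
```

Run stand-alone it prints the host list each variant would forward; the literal form also passes node03's non-history `-bash` message, which the grouped form rejects. If the filter is ever tightened on the central server, the `$programname` value the relay actually delivers (including the leading `-`) is what has to match, so checking parsed records like this against a capture is a quicker test than watching the forward port.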