Hi,
I've reset the rsyslog configuration on the rsyslog server to the Red Hat default and confirmed it with `rpmverify`. I'm running version rsyslog-8.2102.0-7.el8_6.1.x86_64. Then I only added the config to receive and process the Bash history logs:

# cat /etc/rsyslog.d/00-a.conf
if $programname == '-bash' or $programname == 'bash' and $msg contains 'HISTORY:' then {
    @127.0.0.1:10514
    /var/log/bash-history.log
    & stop
}

The default /etc/rsyslog.conf (without comments) is shown below:

# rg -v '^#' /etc/rsyslog.conf
9:module(load="imuxsock" # provides support for local system logging (e.g. via logger command)
10: SysSock.Use="off") # Turn off message reception via local log socket;
11: # local messages are retrieved through imjournal now.
12:module(load="imjournal" # provides access to the systemd journal
13: StateFile="imjournal.state") # File to store the position in the journal
30:global(workDirectory="/var/lib/rsyslog")
33:module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")
36:include(file="/etc/rsyslog.d/*.conf" mode="optional")
46:*.info;mail.none;authpriv.none;cron.none /var/log/messages
49:authpriv.* /var/log/secure
52:mail.* - /var/log/maillog
56:cron.* /var/log/cron
59:*.emerg :omusrmsg:*
62:uucp,news.crit /var/log/spooler
65:local7.* /var/log/boot.log

As you can see, I both forward the logs to a local UDP socket and to a local file. I also commented out one of them each time, to make sure there is no issue with either the socket or the file setup. When I run a `tcpdump` on the rsyslog server, I do see that the messages are coming in from the client:

10:49:00.007063 IP (tos 0x0, ttl 64, id 30789, offset 0, flags [DF], proto UDP (17), length 98)
    x.x.x.x.50145 > y.y.y.y.syslog: SYSLOG, length: 70
        Facility user (1), Severity info (6)
        Msg: Mar 25 10:48:59 rsyslogclient -bash[398711]: HISTORY: PID=398711 UID=0 ls

However, the rsyslog server does not process these logs. The receiving server forwards the logs to a local socket which is set up with `netcat`; it does not show any output of messages. The local log file remains empty as well. It's writable by anyone:

-rw-rw-rw- 1 root root 0 Mar 25 10:52 /var/log/bash-history.log

I've run the same setup also on a VM with Fedora with version rsyslog-8.2310.0-1.fc39.x86_64; with that version and setup it works fine. Could it be that there is a syntax change somewhere? Or maybe something else is wrong here? If it could be a syntax issue, what change could I test?

Just to summarize:

* The client is able to forward the Bash history messages through syslog.
* The server receives these messages as well.
* However, for some reason they do not match the filter and thus no action is taken by rsyslog to forward them to either a local socket or a local file.

-- 
Kees de Jong | Supercomputing | https://www.surf.nl/en/about-surf
OpenPGP fingerprint: 0x0E45C98AB51428E6

On Wed, 2024-03-20 at 08:54 +0000, Kees de Jong via rsyslog wrote:
> Hi David,
>
> I've attached the full config with some redacted parts such as IPs. I
> hope that helps.
>
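Added example, not part of the original post and not rsyslog's own code: a simplified RFC 3164 reader that splits the datagram captured above into the fields the filter compares, then evaluates the post's filter both as written and with explicit parentheses. It assumes RainerScript gives `and` higher precedence than `or` (as C does), so the unparenthesised filter also matches any `-bash` message that lacks `HISTORY:`.

```python
import re
from dataclasses import dataclass

# Constructed sample: the datagram seen in the tcpdump capture in the post,
# with PRI <14> = facility user (1) * 8 + severity info (6).
SAMPLE = "<14>Mar 25 10:48:59 rsyslogclient -bash[398711]: HISTORY: PID=398711 UID=0 ls"

# Simplified RFC 3164 layout: <PRI>TIMESTAMP HOST TAG[PID]: MSG (not rsyslog's parser).
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^ :\[]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)

@dataclass
class SyslogMsg:
    facility: int
    severity: int
    hostname: str
    programname: str   # tag with the [PID] and trailing colon stripped
    msg: str

def parse(raw: str) -> SyslogMsg:
    """Split a raw UDP syslog payload into the fields a filter compares."""
    m = RFC3164.match(raw)
    if m is None:
        raise ValueError(f"not an RFC 3164 message: {raw!r}")
    pri = int(m.group("pri"))
    return SyslogMsg(pri >> 3, pri & 7, m.group("host"), m.group("tag"), m.group("msg"))

def filter_as_written(m: SyslogMsg) -> bool:
    """The post's filter, assuming 'and' binds tighter than 'or':
    programname == '-bash' OR (programname == 'bash' AND msg contains 'HISTORY:')."""
    return m.programname == "-bash" or (m.programname == "bash" and "HISTORY:" in m.msg)

def filter_intended(m: SyslogMsg) -> bool:
    """The presumably intended reading, with explicit parentheses:
    (programname == '-bash' OR programname == 'bash') AND msg contains 'HISTORY:'."""
    return m.programname in ("-bash", "bash") and "HISTORY:" in m.msg

if __name__ == "__main__":
    # Second line is constructed: a -bash message without the HISTORY: marker.
    for raw in (SAMPLE, "<14>Mar 25 10:49:01 rsyslogclient -bash[398711]: session closed"):
        m = parse(raw)
        print(f"programname={m.programname!r} msg={m.msg!r} "
              f"as_written={filter_as_written(m)} intended={filter_intended(m)}")
```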
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.