I am trying to set up property-based filtering for audispd logs. This is what I currently have:
- SLES11 RSYSLOG v5
- RHEL6 RSYSLOG v5
- RHEL5 RSYSLOG v3
rsyslogd: [origin software="rsyslogd" swVersion="3.22.1" x-pid="15913" x-info="http://www.rsyslog.com"] (re)start
I configured SLES11 and RHEL5 as follows:
#cat /etc/rsyslog.d/audispd.conf
:msg, contains, "audispd:" ~
# Send a copy to remote log
auth,user,authpriv.=info @10.10.10.23.com:514
& ~
The above configuration works fine on v5, but not on v3. I have searched everywhere but cannot find anything that would cause the problem, since the same configuration does not work on RHEL5.
Edit: 2015/12/23
Some debug logs from my rsyslog version 3:
9962.270590000:imuxsock.c: --------imuxsock calling select, active file descriptors (max 12): 12
9962.270777000:main queue:Reg/w0: main queue: entering rate limiter
9962.270788000:main queue:Reg/w0: main queue: entry deleted, state 0, size now 0 entries
9962.270805000:main queue:Reg/w0: Called action, logging to builtin-file
9962.270828000:main queue:Reg/w0: (/var/log/messages)
9962.270924000:main queue:Reg/w0: main queue: entering rate limiter
9962.270933000:main queue:Reg/w0: main queue:Reg/w0: worker IDLE, waiting for work.
9962.274862000:imuxsock.c: Message from UNIX socket: #12
9962.274876000:imuxsock.c: dropped LF at very end of message (DropTrailingLF is set)
9962.274891000:imuxsock.c: logmsg: flags 4, from 'hostname', msg Dec 23 11:06:02 audispd: node=hostname type=USER_END msg=audit(1450839962.265:1731474): user pid=9687 uid=0 auid=0 msg='PAM: session close acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
9962.274897000:imuxsock.c: Message has legacy syslog format.
9962.274906000:imuxsock.c: main queue: entry added, size now 1 entries
9962.274913000:imuxsock.c: wtpAdviseMaxWorkers signals busy
9962.274920000:imuxsock.c: main queue: EnqueueMsg advised worker start
I even tested this:
if $programname == "audispd" then /var/log/audispd.log
It does not work either.
Thanks
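To make the filters in the question concrete, here is an added example (not part of the question or of rsyslog) that splits the audispd line from the debug log above into the rsyslog properties a filter can test (rawmsg, syslogtag, programname, msg) and evaluates property-based filters over them. It is a simplified model of the documented property definitions, assumed here; real rsyslog parsing, especially differences between v3 and v5, may deviate from it.

```python
import re
from typing import Dict

# Constructed sample: the legacy-format line taken from the imuxsock debug output
# in the question (the "hostname" placeholder is kept as-is).
SAMPLE_LINE = (
    "Dec 23 11:06:02 audispd: node=hostname type=USER_END "
    "msg=audit(1450839962.265:1731474): user pid=9687 uid=0 auid=0 "
    "msg='PAM: session close acct=\"root\" : exe=\"/usr/sbin/crond\" "
    "(hostname=?, addr=?, terminal=cron res=success)'"
)

# Legacy (RFC 3164 style) line: TIMESTAMP, then TAG up to the first ':' or '[',
# an optional "[pid]", the ':' that ends the tag, then the MSG part.
_LEGACY = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<tag>[^:\[ ]+(?:\[\d+\])?:?) ?(?P<msg>.*)$",
    re.S,
)


def rsyslog_properties(line: str) -> Dict[str, str]:
    """Split a legacy syslog line into the properties rsyslog filters act on.

    Assumed, simplified semantics of the documented properties:
    rawmsg      = the whole line as received
    syslogtag   = the TAG including its trailing ':'
    programname = the tag without "[pid]" and ':'
    msg         = the text after the tag (the single separating space dropped)
    """
    m = _LEGACY.match(line)
    if not m:
        raise ValueError("not a legacy-format syslog line")
    tag = m.group("tag")
    programname = re.sub(r"(\[\d+\])?:?$", "", tag)
    return {"rawmsg": line, "syslogtag": tag,
            "programname": programname, "msg": m.group("msg")}


def property_filter(props: Dict[str, str], prop: str, op: str, value: str) -> bool:
    """Evaluate one ':property, operator, "value"' selector (rsyslog's
    property-based filter syntax) against the parsed properties."""
    text = props[prop]
    if op == "contains":
        return value in text
    if op == "isequal":
        return text == value
    if op == "startswith":
        return text.startswith(value)
    raise ValueError(f"unsupported operator: {op}")
```

Under this model `:msg, contains, "audispd:"` tests only the text after the tag, while `:syslogtag, contains, "audispd:"` and `$programname == "audispd"` test the tag itself.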