Adding random logs/files question
Posted: Wed Sep 21, 2016 11:42 am
by BanditBBS
Ok, we have sudo-io installed on a list of hosts that stores any sudo sessions. I want to send all these files to NLS, but not sure if this is possible because of the random folders.
Folders will look like this:
/var/log/sudo-io/user1
/var/log/sudo-io/user2
/var/log/sudo-io/user3
With userx replaced by the actual username of the admin.
Then, under each folder, stuff looks like this:
[screenshot attachment: Capture.PNG]
Is this possible?
Re: Adding random logs/files question
Posted: Wed Sep 21, 2016 11:54 am
by rkennedy
With newer versions of rsyslog (8.5+), you should be able to do wildcard matching for files; however, it does not support wildcard directories, so you would need to manually add each user folder and each 01 - 0A folder.
See -
http://www.rsyslog.com/doc/master/confi ... mfile.html and
http://www.slideshare.net/rainergerhard ... tor-imfile for references
Re: Adding random logs/files question
Posted: Wed Sep 21, 2016 12:51 pm
by BanditBBS
That's not going to work, since any time someone got hired we'd have to remember, and well, human interaction sucks and people forget! Also, now that I've spent time on this, I get told those aren't plain text files anyway.
So now I am just researching a way to get the commands typed written to the syslog... any easy hints appreciated; finding some crazy links so far.
Re: Adding random logs/files question
Posted: Wed Sep 21, 2016 2:07 pm
by mcapra
With my testing environment, it looks like a fairly sizable amount of paths even if we're just accounting for the bottom log file of each tree.
One way to do this might be with a cron job that grabs the output of sudoreplay -l and ships the events that happened in the last (now - cron_interval) either to /var/log/messages via logger or directly to NLS via netcat.
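One way to implement the cron-job idea from the post above, as an added example that is not code from the thread or from any of its posters. It ships sudoreplay -l entries to syslog via logger; instead of the (now - cron_interval) time window it keeps a high-water mark of the last TSID shipped, which avoids double-shipping or missing sessions when a cron run is late. It assumes sudoreplay -l prints one line per session in the form "date : user : TTY=... ; CWD=... ; USER=... ; TSID=... ; COMMAND=..." and that TSIDs are zero-padded base-36 counters (so string comparison orders them); the state-file path and the sample listing are made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread): cron job that ships new sudoreplay -l entries
# to syslog with logger so that NLS picks them up from the normal syslog feed.
# Assumptions: sudoreplay -l prints one line per session in the form
#   Sep 21 11:42:00 2016 : user1 : TTY=/dev/pts/0 ; CWD=/home/user1 ; USER=root ; TSID=000001 ; COMMAND=/bin/ls
# and TSIDs are zero-padded base-36 counters, so plain string comparison orders them.
# STATE_FILE is a hypothetical path; pick one the cron user can write.

STATE_FILE="${STATE_FILE:-/var/lib/sudo-io-ship/last_tsid}"

# new_entries LISTING LAST_TSID
# Print only the lines whose TSID sorts after LAST_TSID (empty LAST_TSID = everything).
new_entries() {
    printf '%s\n' "$1" | awk -v last="$2" '
        match($0, /TSID=[0-9A-Za-z]+/) {
            tsid = substr($0, RSTART + 5, RLENGTH - 5)
            if (tsid > last) print
        }'
}

# highest_tsid LISTING: the largest TSID seen, saved as the new high-water mark.
highest_tsid() {
    printf '%s\n' "$1" | awk '
        match($0, /TSID=[0-9A-Za-z]+/) {
            tsid = substr($0, RSTART + 5, RLENGTH - 5)
            if (tsid > max) max = tsid
        }
        END { print max }'
}

# ship_entries LISTING: one syslog message per session, tagged so NLS can filter on it.
ship_entries() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        logger -t sudo-io -p auth.info -- "$line"
    done
}

# run: the cron entry point. Reads the high-water mark, ships what is new, saves the mark.
run() {
    last=""
    [ -f "$STATE_FILE" ] && last=$(cat "$STATE_FILE")
    new=$(new_entries "$(sudoreplay -l)" "$last")
    [ -n "$new" ] || return 0
    ship_entries "$new"
    highest_tsid "$new" > "$STATE_FILE"
}

# Constructed sample of sudoreplay -l output, used for a dry run without sudo installed.
SAMPLE_LISTING='Sep 21 11:42:00 2016 : user1 : TTY=/dev/pts/0 ; CWD=/home/user1 ; USER=root ; TSID=000001 ; COMMAND=/bin/ls
Sep 21 11:50:12 2016 : user2 : TTY=/dev/pts/1 ; CWD=/tmp ; USER=root ; TSID=000002 ; COMMAND=/usr/bin/vi /etc/hosts
Sep 21 12:03:45 2016 : user3 : TTY=/dev/pts/0 ; CWD=/home/user3 ; USER=root ; TSID=000003 ; COMMAND=/bin/bash'

case "${1:-}" in
    --run)     run ;;                                   # e.g. */5 * * * * /usr/local/sbin/ship-sudo-io.sh --run
    --dry-run) new_entries "$SAMPLE_LISTING" 000001 ;;  # prints the two sessions after TSID 000001
esac
```

Run it from cron with --run; --dry-run shows the filtering on the embedded sample. Because the messages go through logger, they reach NLS by whatever syslog forwarding the host already has, so nothing per-user or per-directory needs to be configured; the listing only records that a session happened and which command started it, not the keystrokes inside the session.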