Adding year in the syslog message (linux) - linux

I need to log the year in the log messages generated by the syslog daemon, in particular in the /var/log/secure file. Is it possible?
Here is an example of a normal syslog message:
Feb 16 04:06:58 HOST sshd[28573]: Accepted password for USER from SOURCE port 7269 ssh2
And I need something similar to:
Feb 16 2011 04:06:58 HOST sshd[28573]: Accepted password for USER from SOURCE port 7269 ssh2
Thanks in advance.

If you use rsyslog, it is easy. Refer to the following:
Modify /etc/rsyslog.conf to the following:
...
authpriv.* /var/log/secure;RSYSLOG_FileFormat
...
Then ask the rsyslog daemon to reload its configuration:
$ kill -HUP <pid of rsyslog daemon>
More references:
http://www.rsyslog.com/doc/rsyslog_recording_pri.html
http://www.rsyslog.com/doc/rsyslog_conf_modules.html/rsyslog_conf_templates.html

syslog-ng has the ts_format() option to specify the default timestamp format for files. It is set to ISO format by default, which includes the year.
You can also configure file formats using the template() option.

If your syslog respects RFC 3164 (The BSD Syslog Protocol), then you cannot configure it to record the year. Unless you have a modern syslog daemon that follows RFC 5424 (rsyslog or syslog-ng) you cannot do that.

If you can't alter the syslog on the system itself, maybe you could set up syslog to send it to a remote system with a better syslog daemon?

Related

Rsyslog send a message programmatically

How to send a message to the rsyslog daemon programmatically (from a custom program)?
In syslog there are the openlog(), syslog() and closelog() functions available. But how can I do it in the case of rsyslog?
rsyslog is a central log program.
You could cat /etc/rsyslog.conf to see how your rsyslog is configured.
The default configuration uses imuxsock and imjournal.
The imuxsock module listens on a socket like /dev/log or /run/systemd/journal/syslog. This means you could use syslog(3) (man 3 syslog) or the command logger 123 to write a log line into /var/log/messages.
imjournal means rsyslog reads the log from systemd-journald (/var/log/journal/$(uuid)/*.journal). You could use the sd-journal(3) API or a journal command like echo 123 | systemd-cat to write to the journal, and then rsyslog reads the log from it. You can see the journal with journalctl -e to see the newest entries.

Remote syslog config does not work

I'm trying to redirect my syslog to a server located in 192.168.56.5.
On the first machine (not the server) I added this line to rsyslog.conf
local0.info @@192.168.56.5
Then in the server machine I changed the first lines to allow UDP connection by removing the '#' from
$ModLoad imupd
$UPDServerRun 514
Then added the line
local0.info /var/log/monitorizacion
If I run logger -n 192.168.56.5 -p local0.info "msg" it works and adds a line to /var/log/monitorizacion, but if I only do logger -p local0.info "msg", which should work exactly like the previous command, it does not work.
Why is this happening?
EDIT: Debian OS: debian-8.3.0-i386
Rsyslog: rsyslogd 8.4.2
You may have misspelt the directive, I think it should be:
$ModLoad imudp
$UDPServerRun 514
However, since you said that all you did was remove the # from rsyslog.conf, it's possible that your rsyslog.conf file is correct, and you just misspelt it here?
Might as well include the port too, but I think the way you have it is fine as the default UDP port is 514. Also, try a single # instead of ##. I believe the first is for UDP while the latter is for TCP:
local0.info @192.168.56.5:514
Also, I'd restart the rsyslog service on both machines to be safe after you change the configuration files. If neither of these help, please update your question and be specific on what machines each logger command is run from. I'm not sure how that first logger command you wrote works:
logger -n 192.168.56.5 -p local0.info -p "msg"
I don't think that second -p should be there, as "msg" is not a priority.

What happens to the new syslog messages when rsyslogd daemon is stopped?

I tried to search for this in many places and also in the documents/man pages of openlog(3), syslog(3) and rsyslogd(8) but couldn't find an answer for this.
My question is, if rsyslogd is stopped or not yet started, then do the new syslog messages get lost? Or rsyslogd fetches them from /dev/log later when it's enabled?
My test is:
On a running system, rsyslog is running. Now, do the following:
logger -p local7.notice "my custom message1"
grep message1 /var/log/messages ----> Success
Stop rsyslogd process
logger -p local7.notice "My other custom message2"
now, start the rsyslogd daemon
grep message2 /var/log/messages ----> FAIL
I understand from the openlog(3) and syslog(3) man pages that a socket is opened for the /dev/log file and if there is an error while sending the message to syslog (as rsyslogd is not running) then the connection is closed (and the message is printed on the console/stderr if you have used LOG_CONS/LOG_PERROR).
Could anybody please tell me:
Is there any way for rsyslogd to get all those messages that came in its absence into the syslog file when it comes up?
If not by default, is there any syscall, command, etc. to do that?
Thank you in advance.
-Neo
It won't happen by default. You can use the 'cat' command and pipe it to logger to get them in, though. Something like the following should work.
cat your.log | logger -n yourserver
You can also use the 'tail' command similarly to 'cat'.
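As an added example (not code from either answer above) covering both the "send to rsyslog programmatically" question and the "messages are lost while rsyslogd is stopped" question: a client that formats an RFC 5424 line (whose timestamp, unlike RFC 3164, carries the year), writes it to the /dev/log socket that imuxsock listens on, and spools it locally when no daemon is there, since rsyslogd will not pick up the backlog on its own. The spool path is an assumption of this example.

```python
import os
import socket
from datetime import datetime, timezone

# Facility and severity codes from syslog(3); PRI = facility * 8 + severity.
LOG_LOCAL7, LOG_NOTICE = 23, 5


def build_rfc5424(facility, severity, hostname, app, msg, when=None):
    """Build an RFC 5424 line; unlike RFC 3164 its timestamp carries the year."""
    when = (when or datetime.now(timezone.utc)).astimezone(timezone.utc)
    pri = facility * 8 + severity
    return f"<{pri}>1 {when:%Y-%m-%dT%H:%M:%SZ} {hostname} {app} - - - {msg}"


def send_or_spool(line, sock_path="/dev/log", spool="/var/spool/syslog-retry.log"):
    """Send to the local syslog socket (what imuxsock listens on); if no daemon is
    listening the message would otherwise be lost, so keep it in a spool file.
    The spool path is an assumption of this example, not an rsyslog convention."""
    s = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        s.connect(sock_path)  # ENOENT / ECONNREFUSED when rsyslogd is not running
        s.send(line.encode())
        return "sent"
    except OSError:
        with open(spool, "a") as fh:
            fh.write(line + "\n")
        return "spooled"
    finally:
        s.close()


def replay_spool(spool, sock_path="/dev/log"):
    """Re-send spooled lines once the daemon is back; returns how many were sent.
    rsyslogd does not do this by itself, so the client has to drive it."""
    if not os.path.exists(spool):
        return 0
    with open(spool) as fh:
        lines = [l.rstrip("\n") for l in fh if l.strip()]
    s = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        s.connect(sock_path)  # raises OSError and leaves the spool intact if still down
        for l in lines:
            s.send(l.encode())
    finally:
        s.close()
    os.remove(spool)
    return len(lines)
```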

Changing date format in syslog

Is there any way we can change the date format in a particular log file being logged to by syslog? I don't want to change the way all logs are being logged, just one log file.
EDIT: I'm using syslogd (in FreeBSD)
This is how my file looks now:
Dec 5 07:52:10 Log data 1
Dec 5 07:52:10 Log data 2
Dec 5 07:52:10 Log data 3
This is how I want it to look:
20131205 07:52:10 Log data 1
20131205 07:52:10 Log data 2
20131205 07:52:10 Log data 3
My syslog.conf looks like this, where /var/log/my_log.log is my logfile:
+#
*.notice;local0.none;local1.none;local2.none;authpriv.none;kern.debug;mail.crit;news.err /var/log/messages
security.* /var/log/security
auth.info;authpriv.info /var/log/auth.log
mail.info /var/log/maillog
ftp.info /var/log/xferlog
cron.* /var/log/cron
*.=debug /var/log/debug.log
console.info /var/log/console.log
local1.info /var/log/my_log.log
Even if you found a different solution, I give an answer for others.
Edit your syslog configuration file (On Debian for example: /etc/syslog-ng/syslog-ng.conf).
Then declare a new template like this:
template template_date_format {
template("${YEAR}-${MONTH}-${DAY} ${HOUR}:${MIN}:${SEC} ${HOST} ${MSGHDR}${MSG}\n");
template_escape(no);
};
This is an example but you can use different macros according to syslog documentation linked in user9645's answer.
After that, find in this configuration file, all the files you want to change the output format and apply this template to them.
For example, I want to change the /var/log/auth.log output format, so I change:
destination d_auth { file("/var/log/auth.log"); };
to:
destination d_auth { file("/var/log/auth.log" template(template_date_format)); };
Then restart syslog (service syslog-ng restart) and try a login to see the changes in your auth.log.
There are always new options for the date problem; this one adds just a couple of lines.
My solution comes adding a file to /etc/rsyslog.d/, for example myrsyslog.conf, then add the format of your choice, mine is:
$template myformat,"%TIMESTAMP:1:10:date-rfc3339% %TIMESTAMP:19:12:date-rfc3339% %syslogtag%%msg%\n"
$ActionFileDefaultTemplate myformat
This will apply the new format to your logs, making them easy to parse.
before
Sep 3 12:52:37 whs dhcpcd[477]: wlan0: expired address ...
Sep 3 12:52:37 whs dhcpcd[477]: wlan0: part of Router Advertisement expired
Sep 3 12:52:37 whs dhcpcd[477]: wlan0: deleting route to ...
after
2020-09-03 13:00:49 systemd[1]: rsyslog.service: Succeeded.
2020-09-03 13:00:49 systemd[1]: Stopped System Logging Service.
2020-09-03 13:00:49 systemd[1]: Starting System Logging Service...
I had the same issue using FreeBSD 9.2 and Zabbix system monitor GUI which cannot handle things like 'Jan' or 'Feb' in the date stamp (!) on the system log messages.
What I did was install the sysutils/syslog-ng port, and use the convert-syslogconf.awk script to migrate my /etc/syslog.conf to /usr/local/etc/syslog-ng.conf (which thankfully seemed to work well with even a fairly complex config) and added this custom formatting template to all the file() destinations:
template t_msgfmt {
template("${ISODATE} ${HOST} ${FACILITY} ${LEVEL} ${MSGHDR}${MSG}\n");
template_escape(no);
};
You can find (lots) more formatting info in the syslog-ng manual section 11.1. It is working well for me (so far); hope it helps you!
I ended up using an awk script to run through the log file and replace the date field
awk '{getDate="date -j -f \"%b %d %H:%M:%S\" \""$1" "$2" "$3"\" \"+%Y%m%d %H:%M:%S\""
while ( ( getDate | getline date ) > 0 ) { }
close(getDate);
print date,$2,$3,$4,$5}' Temp1 > Temp2
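The awk approach above leans on date(1) assuming the current year, which dates a line written on Dec 31 wrongly when it is processed on Jan 1. As an added example (not from any answer here), a Python version that infers the year for RFC 3164 timestamps with that rollover handled and rewrites the header into the "Feb 16 2011 04:06:58 HOST ..." form the first question asks for; the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the BSD syslog format shown on this page (no year).
SAMPLE = [
    "Feb 16 04:06:58 HOST sshd[28573]: Accepted password for USER from SOURCE port 7269 ssh2",
    "Dec 31 23:59:58 HOST cron[101]: (root) CMD (run-parts /etc/cron.hourly)",
]

HEADER = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}:\d{2}:\d{2}) (\S+) (.*)$")


def parse_bsd_timestamp(line, now):
    """Return (datetime, host, rest) for an RFC 3164 line, inferring the year.
    Of the candidate years around 'now', pick the one that puts the stamp closest
    to 'now' without being more than a day in the future, so a Dec 31 line that
    is processed on Jan 1 is still dated the previous year."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("not an RFC 3164 header: " + line)
    mon, day, clock, host, rest = m.groups()
    best = None
    for year in (now.year - 1, now.year, now.year + 1):
        try:
            stamp = datetime.strptime(f"{mon} {day} {year} {clock}", "%b %d %Y %H:%M:%S")
        except ValueError:  # e.g. Feb 29 in a year that is not a leap year
            continue
        if stamp > now + timedelta(days=1):
            continue
        if best is None or abs(now - stamp) < abs(now - best):
            best = stamp
    return best, host, rest


def add_year(line, now):
    """Rewrite the header into the 'Feb 16 2011 04:06:58 HOST ...' form asked for above."""
    stamp, host, rest = parse_bsd_timestamp(line, now)
    return f"{stamp:%b} {stamp.day:2d} {stamp.year} {stamp:%H:%M:%S} {host} {rest}"
```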
Many years later rsyslog has replaced syslogd and this has gotten super easy:
#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
#$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
Comment out that one line and done.

SSH "Login monitor" for Linux

I'm trying to write a script that informs the user when someone has logged in on the machine via ssh.
My current idea is to parse the output of "w" using grep in intervals.
But that's neither elegant nor performant. Has anyone got a better idea how to implement such a program?
Any help would really be appreciated!
Paul Tomblin has the right suggestion.
Set up logging in your sshd_config to point to a syslog facility that you can log separately:
=> see man 3 syslog for more facilities. Choose one like e.g.
# Logging
SyslogFacility local5
LogLevel INFO
Then set up your syslog.conf like this:
local5.info |/var/run/mysshwatcher.pipe
Add the script you're going to write to /etc/inittab so it keeps running:
sw0:2345:respawn:/usr/local/bin/mysshwatcher.sh
then write your script:
#!/bin/sh
P=/var/run/mysshwatcher.pipe
test -p $P || mkfifo $P
while read x <$P; do
# ... whatever, e.g.:
echo "ssh info: $x" | wall
done;
Finally, restart your syslogd and get your inittab reloaded (init q) and it should work. If other variants of these services are used, you need to configure things accordingly (e.g. newsyslogd => /etc/newsyslog.conf; Ubuntu: /etc/event.d instead of inittab)
This is very rudimentary and lacking, but should be enough to get you started ...
more info: man sshd_config for more logging options/verbosity.
On Ubuntu (and I'd guess all other Debian distros, if not all Linuces), the file /var/log/auth.log records successful (and unsuccessful) login attempts:
sshd[XXX]: pam_unix(sshd:session): session opened for user XXX
You could set up a very simple monitor using this command (note that you have to be root to see the auth log):
sudo tail -F /var/log/auth.log | grep sshd
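As an added example (not from the answers above), the detection logic behind that tail | grep pipeline done properly: a parser for the sshd authentication lines in auth.log, a summary that lists accepted logins and sources with repeated failures, and a tail -F style follower to drive it live. The log lines are constructed samples in the format quoted above.

```python
import re
import time
from collections import Counter

# Constructed auth.log lines in the format shown above (sshd via syslog, no year).
SAMPLE_LOG = """\
Feb 16 04:06:58 HOST sshd[28573]: Accepted password for USER from SOURCE port 7269 ssh2
Feb 16 04:07:10 HOST sshd[28573]: pam_unix(sshd:session): session opened for user USER by (uid=0)
Feb 16 04:09:01 HOST sshd[28600]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Feb 16 04:09:05 HOST sshd[28600]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Feb 16 04:10:00 HOST sshd[28610]: Accepted publickey for ops from 198.51.100.4 port 40022 ssh2
"""

EVENT = re.compile(
    r"^(?P<stamp>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+)"
)

def parse_sshd_line(line):
    """Fields of an sshd authentication line, or None for anything else
    (pam session lines, other daemons)."""
    m = EVENT.match(line)
    return m.groupdict() if m else None

def summarize(lines, fail_threshold=2):
    """Collect accepted logins and list sources with repeated failed attempts."""
    accepted, failures = [], Counter()
    for line in lines:
        ev = parse_sshd_line(line)
        if ev is None:
            continue
        if ev["result"] == "Accepted":
            accepted.append((ev["user"], ev["src"], ev["method"]))
        else:
            failures[ev["src"]] += 1
    return accepted, sorted(s for s, n in failures.items() if n >= fail_threshold)

def follow(path, interval=1.0):
    """Yield lines appended to path (like tail -F, without rotation handling);
    feed them to parse_sshd_line to get a live login monitor."""
    with open(path) as fh:
        fh.seek(0, 2)  # start at the end so only new logins are reported
        while True:
            line = fh.readline()
            if line:
                yield line.rstrip("\n")
            else:
                time.sleep(interval)
```

Reading /var/log/auth.log still needs root, as the answer notes, so run the follower under sudo or from a service with that access.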
If you do not care how they logged in (telnet/ssh), the 'last' Unix command line utility shows you the last few logins on the machine. Remote users will show the IP address:
[root@ex02 www]# last
foo pts/1 81.31.x.y Sun Jan 18 07:25 still logged in
foo pts/0 81.31.x.y Sun Jan 18 01:51 still logged in
foo pts/0 81.31.x.y Sat Jan 17 03:51 - 07:52 (04:00)
bar pts/5 199.146.x.y Fri Jan 16 08:57 - 13:29 (04:32
Set up a named pipe, and set up a log file parser to listen to it, and send the ssh messages to it. The log file parser can do what you want, or signal to a daemon to do it.
Redirecting the log file is done in a config file in /etc/ whose name escapes me right now. /etc/syslog.conf, I think.
I have made a program (which I call Authentication Monitor) that solves the task described in the question.
If you wanted to, you are more than welcome to download it to investigate how I solve this problem (using log-files).
You can find Authentication Monitor freely available here: http://bwyan.dk/?p=1744
We had the same problem, so we wrote our own script.
It can be downloaded from the github.
Hope it helps :)
cheers!
Ivan
