Is there a way to send everything that goes into the MWG 7.3 audit.log via syslog to a central log server?
For the access.log there is the possibility in the loghandler to create a syslog call using an event. But for the audit.log it does not seem possible.
Looks like 7.3 has rsyslog 4.6. I believe that 4.6.x version supports the imfile option and it does appear that the imfile library is included in the rpm that gets installed. See http://www.rsyslog.com/doc/imfile.html and http://www.rsyslog.com/using-the-text-file-input-module/ for configuration details.
Unfortunately, the rsyslog rpm that ships with 7.2 does not appear to have imfile support -- in the srpm, the plugins directory is empty.
This is cool. I like it. I just added this to retrieve the MWG Update Log into syslog:
Works like a charm:
[root@MWG-Andre ~]# tail -f /var/log/messages
Oct 26 06:49:58 MWG-Andre mwg-update: [2012-10-26 06:49:49.202 +00:00] Successfully downloaded and checked file: d3c063f219ed073e34ad5d750b327629ffd59af2
Even though I like it, please note:
- All changes to rsyslogd.conf should be done through the File Editor in the MWG UI, otherwise you could lose your changes on an update.
- I cannot say how officially this is supported. Since it is an rsyslogd feature and we use rsyslogd I do not see a problem, but I cannot guarantee that there are no side effects.
Thanks for this information :-)
Hi btlyric and Andre,
Thanks a lot for this helpful information.
I will let our customer know about it and I guess he will like it.
I understand that this would not be a supported configuration but is this something we could get working on a 7.2.x installation? What would I need to add to test this?
I found this thread and have successfully implemented the above approach. I put the configuration into /etc/rsyslog.d/audit.conf and that should be safe from updates, correct? No need to edit the main configuration file.
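A sketch of the rsyslog 4.x imfile setup discussed in this thread, as an added example that is not taken from any post here or from the MWG product itself. The audit.log path, the tag, the state-file name, the local6 facility and the log server address are placeholders or assumptions; only the file name /etc/rsyslog.d/audit.conf comes from the last post.

```conf
# /etc/rsyslog.d/audit.conf
# Legacy directive syntax, as used by rsyslog 4.x.

# Load the text-file input module.
$ModLoad imfile

# File to follow. PLACEHOLDER: use the real audit.log path on the appliance.
$InputFileName /path/to/audit.log
# Tag prepended to every line read from the file (assumed name).
$InputFileTag mwg-audit:
# State file so rsyslog resumes at the right offset after a restart.
# Must be unique per monitored file; stored under rsyslog's $WorkDirectory.
$InputFileStateFile stat-mwg-audit
# Severity and facility assigned to the lines (assumed values).
$InputFileSeverity info
$InputFileFacility local6
# Activate the monitor defined by the directives above.
$InputRunFileMonitor

# Poll interval in seconds; applies to all imfile monitors.
$InputFilePollInterval 10

# Forward the audit lines to the central log server.
# @@ means TCP, a single @ means UDP. PLACEHOLDER host and port.
# Both transports are cleartext, so keep this on a trusted management network.
local6.* @@logserver.example.com:514
```

Files in /etc/rsyslog.d are only read if the main configuration contains a matching `$IncludeConfig` directive. Lines read this way also match any existing local rules that cover the chosen facility and severity, so they may additionally be written to local log files.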