Nested rsyslog rules for snoopy

I currently have an rsyslog rule that logs everything from snoopy into a per-user file:

    ~$ cat /etc/rsyslog.d/10-snoopy.conf
    $template DYNsnoopy,"/var/log/snoopy/uid.%msg:R,ERE,1,BLANK:uid:([0-9]*)--end%.log"
    :programname, isequal, "snoopy" ?DYNsnoopy
    & ~

Example output:

    ~$ tail /var/log/snoopy/uid.1000.log
    Feb 13 10:17:38 box snoopy[32108]: [uid:1000 sid:2781 tty: cwd:/home/user filename:/usr/bin/cut]: cut -d -f 1-3 /proc/loadavg
    Feb 13 10:17:57 box snoopy[32158]: [uid:1000 sid:27176 tty:/dev/pts/2 cwd:/home/user filename:/usr/bin/colortail]: colortail /var/log/snoopy/uid.1000.log

I'd like to change the rule so that, for example, a command run on a terminal goes into its own file. That way I can keep a complete history log of the commands I executed, and rotate the ones run by cron, etc.

However, I'm not sure of the syntax for nested if statements, or even whether this can be done.

    if $programname == 'snoopy' then
        $template DYNsnoopy,"/var/log/snoopy/uid.%msg:R,ERE,1,BLANK:uid:([0-9]*)--end%.log"
        # if msg contains tty:/dev/pts/2 write to tty.log, else write to uid.xxx.log
        if $msg ereregex "tty:([A-z0-9/]*) cwd" then /var/log/snoopy/tty.log
        *.* ?DYNsnoopy
    & ~

Not 100% satisfied with it, but this will only log the messages captured on a tty into the snoopy log directory:

    $template DYNsnoopy,"/var/log/snoopy/uid.%msg:R,ERE,1,BLANK:uid:([0-9]*)--end%.log"
    if $programname == 'snoopy' and not ($msg contains 'tty: cwd') then -?DYNsnoopy
    & ~
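For the full split the question asks for (terminal commands in a per-user file, everything without a tty in a separate file), here is an added example in RainerScript; it is not from the original post or answer. It assumes rsyslog v7 or newer (nested if/else and the action() syntax) and the default snoopy message format shown above, where an empty tty field appears as "tty: cwd"; the file name notty.log is a placeholder of my choosing.

```rsyslog
# Per-user destination for commands run on a terminal; the regex pulls the
# numeric uid out of "[uid:1000 sid:...]" in the snoopy message.
template(name="DYNsnoopy" type="string"
         string="/var/log/snoopy/uid.%msg:R,ERE,1,BLANK:uid:([0-9]*)--end%.log")

if $programname == 'snoopy' then {
    if $msg contains 'tty: cwd' then {
        # No controlling terminal: cron jobs, daemons, scripts started at boot.
        # Kept apart so it can be rotated on its own schedule (placeholder name).
        action(type="omfile" file="/var/log/snoopy/notty.log")
    } else {
        # Interactive session: keep the full per-user command history.
        action(type="omfile" dynaFile="DYNsnoopy")
    }
    # Equivalent of "& ~": do not let snoopy lines fall through to syslog.
    stop
}
```

The routing hinges on the literal "tty: cwd" substring, so a changed snoopy message format (or a message that happens to contain that text in the command line) would silently misroute entries; review the two files after a format change.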