On Tue, 2009-08-04 at 12:38 -0700, BB@umd wrote:
>
> Then, on my honeypot, I have a strace command attached to my ssh server. It
> gathers strace outputs in a strace.log file. Here is this command :
> strace -f -q -p `cat /var/run/sshd.pid` -o /var/log/strace.log &
>
> Now, I would like to send the strace output (/var/log/strace.log) to my
> server through syslog-ng.
What about something like:
tail -f /var/log/strace.log | logger -p <facility> &
> However, now, on the server side, I do not know how to configure syslog-ng
> in order to retrieve this strace output only.
In the above command you need to specify an unused facility. Then on the
server simply tell syslog-ng which file it should use for storing log
entries with the above specified facility (this can be a new unique
file).
You are supposed to use one of the "local use" facilities for stuff like
this, but I run into conflicts far too often. Instead I like to use the
facilities "news", "uucp" or similar that I know will never get run on
my network. Potential conflict solved. ;-)
HTH,
C
---
www.chrisbrenton.org
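As an added example (not from Chris's post, and not taken from the syslog-ng project's documentation), here is what the two sides of the setup he describes look like as syslog-ng configuration fragments. It assumes the honeypot's hostname is "honeypot", the log server listens on UDP port 514 at 192.0.2.10, the chosen "unused" facility is uucp, and the server stores the strace stream in /var/log/honeypot-strace.log; all of those names and addresses are placeholders to be adjusted.

```conf
# --- Honeypot side (syslog-ng.conf) ---
# Assumption: the local syslog-ng already has a source for /dev/log,
# here called s_local. The pipe that feeds it is the command from the
# thread, with the facility filled in:
#     tail -f /var/log/strace.log | logger -p uucp.notice -t strace &

filter f_strace_out {
    facility(uucp);
};

# Placeholder server address; replace with the real log server.
destination d_logserver {
    udp("192.0.2.10" port(514));
};

log {
    source(s_local);
    filter(f_strace_out);
    destination(d_logserver);
};

# --- Log server side (syslog-ng.conf) ---
source s_net {
    udp(ip(0.0.0.0) port(514));
};

# Only the uucp facility coming from the honeypot host; the host() match
# keeps a stray uucp message from another machine out of this file.
filter f_strace_in {
    facility(uucp) and host("honeypot");
};

destination d_strace {
    file("/var/log/honeypot-strace.log");
};

# flags(final) stops matching messages from reaching any log statement
# placed AFTER this one, so put this block before the general catch-all
# log { } that writes /var/log/messages, or the strace lines land in both.
log {
    source(s_net);
    filter(f_strace_in);
    destination(d_strace);
    flags(final);
};
```

Two practical notes. The facility chosen in `logger -p` must be the same one named in both `facility()` filters, otherwise the messages silently fall through to the default log path. And because the strace output carries attacker-controlled bytes (syscall arguments, command lines), treat /var/log/honeypot-strace.log as untrusted input: read it with tools that do not interpret terminal escape sequences.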