Learn how easy it is to sync an existing GitHub or Google Code repo to a SourceForge project! See Demo

Close

add filter for snoopy log thru syslog-ng

Help
2011-06-17
2013-05-23
  • mashtin bakir
    mashtin bakir
    2011-06-17

    I've been playing around with snoopy logger as an alternative to linux kernel level auditting. I like it a great deal if for no other reason than the readability compared to audit. I have two problems with it, tho. First and foremost, it doesn't give an exit status code. If a user tried to view a system file, it will log this activity but not whether it was successful. Second, how can I
    better filter the results. I already use the instructions detailing redirecting snoopy in syslog-ng to another file. It shouldn't be
    much harder to add a filter eg all snoopy message except where "uid:1000" is in message. Anyone have an example?

     
  • Regarding your second question, I believe the following lines create appropriate filter for syslog-ng:
    filter f_snoopy {
      program("^snoopy")        and  
      not match(" uid:1000 ")
    };

    About exit status:
    Snoopy logs command before it is executed and does not wait for it's exit (this is a big generalisation here). If you have any idea how to capture every command's exit status, please inform me and we can make something happen :)