Re: Send strace output through syslog-ng

[Chris Brenton <cbrenton () chrisbrenton org>]

Hey man,

On Tue, 2009-08-04 at 12:38 -0700, BB@umd wrote:
> Then, on my honeypot, I have a strace command attached to my ssh server. It
> gathers strace outputs in a strace.log file. Here is this command :
> strace -f -q -p `cat /var/run/sshd.pid` -o /var/log/strace.log &
>
> Now, I would like to send the strace output (/var/log/strace.log) to my
> server through syslog-ng.

What about something like:
tail -f /var/log/strace.log | logger -p <facility> &

> However, now, on the server side, I do not know how to configure syslog-ng
> in order to retrieve this strace output only.

In the above command you need to specify an unused facility. Then on the
server simply tell syslog-ng which file it should use for storing log
entries with the above specified facility (this can be a new unique
file).

You are suppose to use one of the "local use" facilities for stuff like
this, but I run into conflicts far too often. Instead I like to use the
facilities "news", "uucp" or similar that I know will never get run on
my network. Potential conflict solved. ;-)

HTH,
C
---
www.chrisbrenton.org