I would do something like:
for each config file entry:/etc/syslog.conf//**
name xxx = y
name xxx = y
or the 'one must exist' loop type. But the key, I think, is to loop through the objects in the cfo.
Interesting. The /etc/syslog configuration file is in a Name/Value format.
But if you view the contents of the configuration file it also lists them in this format:
Instead of doing logic like:
Can you try:
authpriv.* equals /var/log/secure
It's been a long while since making any progress on this point. I've noticed a trend and was hoping the community could help.
The problem remains with the beginning of the conditional statement:
( "Configuration File Entry:/etc/syslog.conf//authpriv.*-\/var\/log\/secure" exists OR
"Configuration File Entry:/etc/syslog-ng/syslog-ng.conf//authpriv.*-\/var\/log\/secure" exists OR
"Configuration File Entry:/etc/rsyslog.conf//authpriv.*-\/var\/log\/secure" exists
I've found 1 host that passes this condition, as /etc/syslog.conf exists on the host. What I've discovered is that the Configuration File Entry for /etc/syslog.conf pre-exists within the BSA Config Object Dictionary, whereas the other 2, for syslog-ng.conf and rsyslog.conf, do not.
The grammar file used for syslog in the object dictionary = syslog.gm
The grammar file used for syslog-ng in the object dictionary = generic.gm
The grammar file used for rsyslog in the object dictionary = generic.gm
Can anyone suggest which grammar file I should be referencing for syslog-ng and rsyslog?
Have you tried the for loop?
foreach Configuration File Entry:/etc/syslog.conf//**
name = xxx
name = xxx
I've tried the Foreach and Name loop you suggested, but it's still broken. I've started from scratch and am working with the 1st single line that should work and doesn't, this is:
"Configuration File Entry:/etc/rsyslog.conf//authpriv.*-\/var\/log\/secure" exists.
Where am I going wrong in the Configuration File Entry line above?
There is not a predefined grammar file for rsyslog.conf like there is for syslog.conf, so I'm using generic.rm
Under the Configuration Object section for the server, there is a config file for /etc/rsyslog.conf
As you can see from my original post, the generic.rm grammar file isn't parsing the data correctly. Therefore the Configuration File Entry is not "authpriv.*" as it should be; it's actually "authpriv.* -\/var\/log\/secure".
could you use the syslog.gm grammar for rsyslog.conf?
Funny you mention that!
I've modified the rsyslog.conf config definition in the dictionary to use the syslog grammar file, and it seems to work better now. The data is being parsed correctly, see below:
Looking at the next execution of the rule, it still fails:
I can't see what's causing this to fail, although looking at the config entry it does show up as:
Seems I've managed to get it to work by referencing the name of the Config Object Entry as "authpriv.*-\/var\/log\/secure" as it is referenced within the list of entries for that file. I can then go ahead and use the "foreach" loop referencing the Value1 as String option as "/var/log/secure".
All I have to do now is add back in the other 2 syslog formats and hopefully it will be working again.
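As an added illustration of the parsing problem discussed above (this is example code written for this page, not BSA's grammar files or anything posted in the thread): sysklogd and rsyslog legacy rule lines are `selector<whitespace>action`, not `name = value`, so a grammar that splits on `=` (which, following the thread, is what the generic grammar is assumed to expect) sees no entry at all, while a selector/action parser recovers the `authpriv.*` name and the `/var/log/secure` target, including the optional `-` no-fsync prefix on the action. The config file below is a constructed sample, not one from the thread; syslog-ng's block-structured syntax is a different format and is not handled here.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample resembling a RHEL-style /etc/rsyslog.conf (not a file from the thread).
SAMPLE_RSYSLOG_CONF = """\
# rsyslog configuration file (constructed sample)
$ModLoad imuxsock
$ModLoad imklog

*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*                                  /var/log/secure
mail.*                                      -/var/log/maillog
cron.*                                      /var/log/cron
*.emerg                                     *
"""


@dataclass(frozen=True)
class Rule:
    selectors: Tuple[str, ...]  # e.g. ("*.info", "mail.none", "authpriv.none")
    action: str                 # target with any leading '-' (no-fsync marker) removed
    sync: bool                  # False when the action carried the '-' prefix
    raw: str                    # the original line, for reporting


def split_name_value(line: str) -> Optional[Tuple[str, str]]:
    """What a generic 'name = value' grammar sees: None unless the line has '='."""
    if "=" not in line:
        return None
    name, value = line.split("=", 1)
    return name.strip(), value.strip()


def parse_syslog_conf(text: str) -> List[Rule]:
    """Parse sysklogd/rsyslog legacy 'selector<whitespace>action' lines."""
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("$"):
            continue  # blank line, comment, or rsyslog '$' directive
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # not a selector/action pair
        selector_field, action = parts
        sync = not action.startswith("-")
        selectors = tuple(s.strip() for s in selector_field.split(";") if s.strip())
        rules.append(Rule(selectors, action.lstrip("-"), sync, line))
    return rules


def routes_all_of(rules: List[Rule], facility: str, target: str) -> Optional[Rule]:
    """Return the first rule that sends every priority of `facility` to `target`.

    Selectors on one line are evaluated left to right, later ones overriding
    earlier ones, so '*.info;authpriv.none' ends up excluding authpriv.
    Priority modifiers ('=' and '!') are not handled here.
    """
    for rule in rules:
        if rule.action != target:
            continue
        included = False
        for sel in rule.selectors:
            if "." not in sel:
                continue
            facilities_part, priority = sel.rsplit(".", 1)
            facilities = {f.strip() for f in facilities_part.split(",")}
            if facility not in facilities and "*" not in facilities:
                continue
            if priority == "none":
                included = False
            elif priority in ("*", "debug"):  # 'debug and above' is every priority
                included = True
            # a specific priority such as 'info' does not cover all priorities
        if included:
            return rule
    return None


if __name__ == "__main__":
    rules = parse_syslog_conf(SAMPLE_RSYSLOG_CONF)
    print("generic name=value parse of the authpriv line:",
          split_name_value("authpriv.*  /var/log/secure"))
    hit = routes_all_of(rules, "authpriv", "/var/log/secure")
    print("authpriv.* -> /var/log/secure:", "PASS" if hit else "FAIL")
```

The same parser applies to the legacy lines in /etc/syslog.conf; the `-` handling is what makes an entry written as `-/var/log/secure` and one written as `/var/log/secure` compare equal on the target path, which is the comparison the thread's rule ultimately needs to make.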