Syslog not having all su logs

Hi gurus and gurettes (?)

Alright, really quickly, VCS-1 is executing some monitoring scripts every minute on local zones and I want to know if there is a way for me to remove the following:

Month X XX:XX:XX RaNdOmSeRvErNaMe su: [ID 366847 auth.notice] 'su root' succeeded for root on /dev/???

A quick and dirty answer would be "not to monitor all your resources every minute" or "use the built-in tool from VCS-1". My answer is: I can't. Why? This is not the reason why I opened this thread.

So, in syslog.conf, do I have a way of removing the su logs for user root? Not from /vard/adm/sulogs tho ...

Thank you!

Having no luck so far.

I could redirect the whole sudo logs (via Defaults settings in sudoers itself) but that would make it harder if we ever need to troubleshoot user inputable mistakes.

Let's modify the question:
Can we put filters on errors by devices?
Like "please ignore /dev/??? for sudo logs"?

The man page for syslog.conf doesn't have a way to avoid versions of a facility message.
Other than rewriting a system component - I do not know how to change the behavior.
You are viewing the output of auth facility. Other than changing su to use separate facilities (you can have local or user defined syslog.conf facilities) and recode su using the new facility I cannot think of an answer.

You can redirect output to a door or a temp regular file, write a daemon that parses things out, then write those parsed goodies to a logfile of your choice.
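The parse-and-rewrite approach suggested above, as an added example that is not part of the original post: a filter that drops only successful root-to-root su notices on one device and passes everything else through, so failed attempts and su by other users stay in the log. The function names are hypothetical, the sample lines are constructed, and the default device string is the literal `/dev/???` from the quoted log line.

```python
import re
import sys

# Solaris su notice as quoted in the thread:
#   <date> <host> su: [ID 366847 auth.notice] 'su root' succeeded for root on /dev/???
SU_LINE = re.compile(
    r"\ssu: \[ID \d+ auth\.\w+\] 'su (?P<target>\S+)' "
    r"(?P<result>succeeded|failed) for (?P<user>\S+) on (?P<dev>\S+)\s*$"
)

def is_noise(line, device="/dev/???"):
    """True only for a successful root -> root su on the given device."""
    m = SU_LINE.search(line)
    return bool(m and m["result"] == "succeeded" and m["target"] == "root"
                and m["user"] == "root" and m["dev"] == device)

def filter_stream(lines, out, device="/dev/???"):
    """Copy lines to out, dropping the noise; return how many were dropped."""
    dropped = 0
    for line in lines:
        if is_noise(line, device):
            dropped += 1
        else:
            out.write(line)
    return dropped

# Constructed sample input (host, users and every ID except 366847 are made up).
SAMPLE = [
    "Jan  5 10:01:00 zone1 su: [ID 366847 auth.notice] 'su root' succeeded for root on /dev/???\n",
    "Jan  5 10:01:07 zone1 su: [ID 100001 auth.crit] 'su root' failed for alice on /dev/pts/3\n",
    "Jan  5 10:01:20 zone1 su: [ID 366847 auth.notice] 'su root' succeeded for alice on /dev/pts/3\n",
    "Jan  5 10:01:31 zone1 su: [ID 366847 auth.notice] 'su root' succeeded for root on /dev/pts/1\n",
    "Jan  5 10:01:40 zone1 sshd[1234]: [ID 100002 auth.info] Accepted publickey for alice\n",
]

if __name__ == "__main__":
    # Pipe the auth log through stdin; with a terminal on stdin, run the sample.
    source = SAMPLE if sys.stdin.isatty() else sys.stdin
    n = filter_stream(source, sys.stdout)
    print(f"suppressed {n} root->root su notices", file=sys.stderr)
```

The suppressed count goes to stderr so the volume of dropped entries stays visible even though the lines themselves are gone.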

Hey Jim,

That's a solution I wanted to avoid ...

I'll put that in the to-do when-the-to-do-list-is-done list and just live with logs for a while then.

Ty for your answer, it's appreciated.