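I am trying to centralize the logs from different servers onto a single server.
I can centralize the log information by adding the following line to /etc/rsyslog.conf on the client:
auth.* @server_ip:port
But now I do not retrieve the user creation log information. However, these logs are in /var/log/auth.log.
Example: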
Jun 1 09:46:20 host sshd[12867]: Accepted password for adminelk from 10.0.0.2 port 63676 ssh2
Jun 1 09:46:20 host sshd[12867]: pam_unix(sshd:session): session opened for user adminelk by (uid=0)
Jun 1 09:46:26 host su[12879]: Successful su for root by adminelk
Jun 1 09:46:26 host su[12879]: + /dev/pts/0 adminelk:root
Jun 1 09:46:26 host su[12879]: pam_unix(su:session): session opened for user root by adminelk(uid=1000)
Jun 1 10:17:01 host CRON[12951]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 1 10:17:01 host CRON[12951]: pam_unix(cron:session): session closed for user root
Jun 1 10:17:01 host groupadd[12955]: group added to /etc/group: name=johnny, GID=1002
Jun 1 10:17:01 host groupadd[12955]: group added to /etc/gshadow: name=johnny
Jun 1 10:17:01 host groupadd[12955]: new group: name=johnny, GID=1002
Jun 1 10:17:01 host useradd[12959]: new user: name=johnny, UID=1004, GID=1002, home=/home/johnny, shell=/bin/bash
Jun 1 10:17:05 host passwd[12966]: pam_unix(passwd:chauthtok): password changed for johnny
Jun 1 10:17:08 host chfn[12967]: changed user 'johnny' information
I can retrieve the sshd logs, but not the useradd logs...
How can I retrieve these logs?