Rsyslog nested rules for snoopy


I currently have an rsyslog rule to split up all logging from snoopy into a file for each user

~$ cat /etc/rsyslog.d/10-snoopy.conf
$template DYNsnoopy,"/var/log/snoopy/uid.%msg:R,ERE,1,BLANK:uid:([0-9]*)--end%.log"
:programname, isequal, "snoopy" ?DYNsnoopy
& ~

example output:

~$ tail /var/log/snoopy/uid.1000.log
Feb 13 10:17:38 box snoopy[32108]: [uid:1000 sid:2781 tty: cwd:/home/user filename:/usr/bin/cut]: cut -d   -f 1-3 /proc/loadavg
Feb 13 10:17:57 box snoopy[32158]: [uid:1000 sid:27176 tty:/dev/pts/2 cwd:/home/user filename:/usr/bin/colortail]: colortail /var/log/snoopy/uid.1000.log

I want to alter the rule such that if the command was run on a terminal it goes into its own file. This way I can keep a complete history of commands that I've executed, and rotate commands run by cron etc.

However I'm unsure about the syntax related to nested if statements, or if this can even be done.

# the template has to be declared at top level, not inside the if block;
# nested if/else with braces needs rsyslog v7+ (RainerScript)
$template DYNsnoopy,"/var/log/snoopy/uid.%msg:R,ERE,1,BLANK:uid:([0-9]*)--end%.log"

if $programname == 'snoopy' then {
  # if msg contains tty:/dev/... write to tty.log, else write to uid.xxx.log
  if re_match($msg, 'tty:/dev/[A-Za-z0-9/]+ cwd') then {
    action(type="omfile" file="/var/log/snoopy/tty.log")
  } else {
    action(type="omfile" dynaFile="DYNsnoopy")
  }
  stop
}

Best Answer

Not 100% happy, but this will only log messages captured on a tty to the snoopy log directory.

$template DYNsnoopy,"/var/log/snoopy/uid.%msg:R,ERE,1,BLANK:uid:([0-9]*)--end%.log"
if $programname == 'snoopy' and not ($msg contains 'tty: cwd') then -?DYNsnoopy
& ~
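As an added illustration (not part of the question or the answer), here is the routing both rules express, replayed in Python over constructed sample lines in the snoopy format shown above. route() implements the split the question asks for (commands with a tty go to tty.log, everything else to the per-uid file that the DYNsnoopy template builds), and answer_destination() implements the accepted answer's filter, which keeps only lines that have a tty and sends them to the per-uid file while letting the rest fall through to the normal syslog rules. The hostname, pids, the uid 0 cron line and the sshd line are constructed; the file names and the uid:([0-9]*) / 'tty: cwd' tests come from the page, with the uid regex tightened to + so an empty capture cannot produce a file called uid..log.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the snoopy output shown in the question
# (hostname, pids, the cron line and the sshd line are made up).
SAMPLE_LINES = [
    "Feb 13 10:17:38 box snoopy[32108]: [uid:1000 sid:2781 tty: cwd:/home/user "
    "filename:/usr/bin/cut]: cut -d   -f 1-3 /proc/loadavg",
    "Feb 13 10:17:57 box snoopy[32158]: [uid:1000 sid:27176 tty:/dev/pts/2 cwd:/home/user "
    "filename:/usr/bin/colortail]: colortail /var/log/snoopy/uid.1000.log",
    "Feb 13 10:18:01 box snoopy[32201]: [uid:0 sid:300 tty: cwd:/ "
    "filename:/usr/bin/run-parts]: run-parts /etc/cron.hourly",
    "Feb 13 10:18:05 box sshd[1234]: Accepted publickey for user from 192.0.2.10 port 5555 ssh2",
]

# Minimal BSD-syslog line splitter: timestamp, host, program[pid]: message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# The ERE from the DYNsnoopy template, tightened from * to + (no empty match).
UID_RE = re.compile(r"uid:([0-9]+)")
# "Ran on a terminal": snoopy fills the tty field with a /dev path.
TTY_RE = re.compile(r"tty:(/dev/[A-Za-z0-9/]+) cwd")


def parse(line):
    """Split one syslog line into (programname, msg) or return None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return m.group("prog"), m.group("msg")


def uid_file(msg, logdir):
    """Build the per-user file name the DYNsnoopy template would produce."""
    uid = UID_RE.search(msg)
    if uid is None:
        return f"{logdir}/uid.unknown.log"  # guard: no uid field in the message
    return f"{logdir}/uid.{uid.group(1)}.log"


def route(line, logdir="/var/log/snoopy"):
    """The question's intended rule: tty commands to tty.log, the rest per uid."""
    parsed = parse(line)
    if parsed is None or parsed[0] != "snoopy":
        return None  # not a snoopy message: leave it to the other rules
    msg = parsed[1]
    if TTY_RE.search(msg):
        return f"{logdir}/tty.log"  # interactive command: keep as shell history
    return uid_file(msg, logdir)  # cron, daemons, etc.: per-uid file


def answer_destination(line, logdir="/var/log/snoopy"):
    """The accepted answer's rule: only snoopy lines that have a tty are kept."""
    parsed = parse(line)
    if parsed is None or parsed[0] != "snoopy":
        return None
    msg = parsed[1]
    if "tty: cwd" in msg:  # empty tty field, exactly the answer's contains test
        return None  # not written to the snoopy directory at all
    return uid_file(msg, logdir)


def route_all(lines, logdir="/var/log/snoopy"):
    """Group lines by destination file, dropping those no rule keeps."""
    out = defaultdict(list)
    for line in lines:
        dest = route(line, logdir)
        if dest is not None:
            out[dest].append(line)
    return dict(out)


if __name__ == "__main__":
    for dest, lines in sorted(route_all(SAMPLE_LINES).items()):
        print(f"{dest}: {len(lines)} line(s)")
```

Running it shows the difference between the two rules on the same input: route() keeps every snoopy line (one in tty.log, two in per-uid files), whereas answer_destination() discards the two cron-style lines with an empty tty field, which is the trade-off the answer's "not 100% happy" refers to.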