Snoopy rsyslog output file rule

loggingrsyslog

I'm just setting up snoopy logger on my personal machine to archive commands I've run.

I'm attempting to setup an rsyslog rule to move its messages from /var/log/auth.log to /var/log/snoopy.log

I've tried a few different rsyslog rules to move the output, but after resetting the rsyslog service it's still logging to auth.log

~$ cat /etc/rsyslog.d/snoopy.conf

#if $programname == 'snoopy' then /var/log/snoopy.log
#& ~
:programname, isequal, "snoopy" /var/log/snoopy.log

Could it be that the rule in /etc/rsyslog.d/50-default.conf

auth,authpriv.* /var/log/auth.log

Is overriding any rule I specify?

Best Answer

I renamed the file such that it was loaded earlier than the auth rule, and added & ~ to stop messages that match this rule being used in other rules.

~$ cat /etc/rsyslog.d/10-snoopy.conf

:programname, isequal, "snoopy" /var/log/snoopy.log
& ~

Related Solutions

Rsyslog nested rules for snoopy

Not 100% happy, but this will only log messages captured on a tty to the snoopy log directory

$template DYNsnoopy,"/var/log/snoopy/uid.%msg:R,ERE,1,BLANK:uid:([0-9]*)--end%.log"
if $programname == 'snoopy' and not ($msg contains 'tty: cwd') then -?DYNsnoopy                                                                                                                    
& ~

Python – rsyslog update on Amazon Linux suddenly treats INFO level messages as EMERG

Most likely you are running into a bug/limitation of SysLogHandler that leads to a BOM inserted in the wrong place. This confuses the rsyslog parser, and leads to the message being attributed the EMERG priority.

This has been "fixed" in Python 2.7 by removing the BOM insertion altogether.

You have two options:

Upgrade to Python 2.7
Encode the message into a str during formatting to workaround the BOM insertion code. One way of doing that is to implement a small custom formatter like this:
```
class BOMLessFormatter(logging.Formatter):
    def format(self, record):
      return logging.Formatter.format(self, record).encode('utf-8')
```

Best Answer

Related Solutions

Rsyslog nested rules for snoopy

Python – rsyslog update on Amazon Linux suddenly treats INFO level messages as EMERG

Related Topic