List of all the syslog messages?

1

I want to be able to filter for specific entries in the Syslog on my Linux computer. For instance, I'd like to be able to filter for user authentication failure or success, or for access to sensitive information, etc.

I believe I have to start by getting a list of all of the possible Syslog messages, like this, but for Syslog messages.

M.Brbr

Posted 2018-09-03T13:42:03.997

Reputation: 129

Why? This appears to be an X->Y problem, where you've not actually told us what you're trying to do. As such, you'll never get an appropriate answer.

– djsmiley2k TMW – 2018-09-03T14:03:58.147

I want to filter my syslog messages to get only those I am interested in. I would like, for example, to get the syslog messages saying that a user authentication has failed or succeeded. – M.Brbr – 2018-09-03T14:30:42.493

Grep is your friend in this case. You could filter for only Auth level messages, however the syslog levels rely on applications logging to the right levels, or you having filters to make sure everything is in the right levels. I'd personally just call the syslog and then grep for what I need: `grep 'logged' /var/log/messages` – djsmiley2k TMW – 2018-09-03T14:53:40.293

Keep in mind that some of the events you're requesting are a bit fuzzy. Authentication failures are logged by PAM – except when they don't use PAM (password logins do, but SSH publickey logins don't). Administrator actions are so many and varied that it's practically impossible to have a single "event" for all of them. – user1686 – 2018-09-06T11:40:36.787

Answers

2

Such a list is impossible, as unlike Windows events (which have a static list of IDs, a specific template for each ID, and only fill in parameters) syslog messages are simply free-form text.

To enumerate possible messages even for a single program would require searching its source code for syslog() calls, which might be made indirectly through custom functions, through various libraries (e.g. log4net) or not use syslog at all (e.g. various programs use systemd-journal functions). So that requires specific knowledge about each program's source code, and cannot be easily automated at the scale of an entire Linux distribution – which it would have to be, as new versions may have different messages.

(The systemd journal does have optional message IDs and 'catalog' files containing descriptions and translations. It's still opt-in and the usage is rare.)


Really even the Windows event message lists only cover the standard OS components and perhaps things like MS Office. They cannot possibly cover all messages that third-party software might log, which might install its own catalogs and event IDs, or even submit freeform messages.

user1686

Posted 2018-09-03T13:42:03.997

Reputation: 283 655

However, can I get such a list for "basic" events such as authentication or a login to a new session? – M.Brbr – 2018-09-06T08:48:37.770

@M.Brbr: You might want to look into Logwatch, which is a popular syslog analyzer and comes with predefined patterns for such events. – user1686 – 2018-09-06T11:34:13.283

The Windows event viewer allows applications to add to the dictionary and templates so that applications CAN write their logs into the same list and they can be filtered and queried like standard events. There are error messages you'll see from time to time in the Event Viewer when an application reported an error but the OS doesn't have any context or reference on the error, basically, the application install didn't give the OS the information necessary to interpret the application errors, but the application still tries reporting errors to the OS. – music2myear – 2018-09-06T15:15:04.180
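Since the answer's point is that syslog lines are free-form text and the comments suggest grepping for the handful of "basic" events (sshd accepts/failures, PAM authentication failures, session opens, sudo use), here is an added example of what that filtering looks like once it grows past a single grep. This is example code written for this page, not code from the original post or from any project named in it. The log lines are constructed samples in the common `auth.log` layout; the regular expressions cover only the message formats shown in those samples (the sshd, pam_unix and sudo wording is what those programs commonly emit, but as the answer says, nothing guarantees other versions or other programs use the same text).

```python
import re
import sys
from collections import Counter

# Constructed sample auth.log lines (not taken from the original post).
SAMPLE_LOG = """\
Sep  3 13:42:03 host1 sshd[2201]: Accepted publickey for alice from 192.0.2.10 port 50422 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
Sep  3 13:42:09 host1 sshd[2205]: Failed password for bob from 198.51.100.7 port 40118 ssh2
Sep  3 13:42:11 host1 sshd[2205]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=bob
Sep  3 13:42:15 host1 sshd[2207]: Failed password for invalid user admin from 198.51.100.7 port 40120 ssh2
Sep  3 13:43:01 host1 CRON[2300]: pam_unix(cron:session): session opened for user root by (uid=0)
Sep  3 13:43:20 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart sshd
Sep  3 13:43:20 host1 sudo: pam_unix(sudo:session): session opened for user root by alice(uid=1000)
Sep  3 13:44:02 host1 kernel: [12345.678] usb 1-1: new high-speed USB device number 4
"""

# Traditional (RFC 3164 style) header: timestamp, host, program[pid]: message
HEADER = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\[\]:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Message patterns for the "basic" events; first match wins.
# Each entry: (event kind, regex over the message part only).
PATTERNS = [
    ("auth_success", re.compile(
        r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)")),
    ("auth_failure", re.compile(
        r"Failed (?P<method>\w+) for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<src>\S+)")),
    ("auth_failure", re.compile(
        r"pam_unix\((?P<service>[^)]+):auth\): authentication failure;"
        r".*rhost=(?P<src>\S*).*\buser=(?P<user>\S+)")),
    ("session_open", re.compile(
        r"pam_unix\((?P<service>[^)]+):session\): session opened for user (?P<user>\S+) by (?P<by>\S*)")),
    ("sudo_command", re.compile(
        r"^(?P<user>\S+) : TTY=\S+ ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")),
]


def parse_line(line):
    """Split one syslog line into header fields; None if it is not a syslog line."""
    m = HEADER.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["msg"] = rec["msg"].strip()
    return rec


def classify(rec):
    """Attach an event kind and extracted fields; None if the message is not one we track."""
    for kind, pat in PATTERNS:
        m = pat.search(rec["msg"])
        if m:
            fields = {k: v for k, v in m.groupdict().items() if v is not None}
            event = dict(rec, kind=kind, **fields)
            if kind == "auth_failure":
                # sshd marks unknown account names with "invalid user"
                event["invalid_user"] = bool(event.pop("invalid", None))
            return event
    return None


def auth_events(text):
    """Return the tracked events found in a block of syslog text, in file order."""
    events = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            ev = classify(rec)
            if ev:
                events.append(ev)
    return events


def failures_by_source(events):
    """Count authentication failures per remote address (useful for spotting brute forcing)."""
    return Counter(e["src"] for e in events if e["kind"] == "auth_failure" and "src" in e)


if __name__ == "__main__":
    # Usage: python syslog_auth_filter.py [/var/log/auth.log]; without a path the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for ev in auth_events(text):
        print(ev["ts"], ev["prog"], ev["kind"], ev.get("user", "-"), ev.get("src", "-"))
    print("failures by source:", dict(failures_by_source(auth_events(text))))
```

The two `auth_failure` patterns illustrate the comment above about PAM: a single failed SSH password attempt produces both an sshd line and a `pam_unix(...):auth` line, so a count of raw "failure" hits double-counts unless you decide which of the two sources you treat as authoritative. A publickey failure, on the other hand, never reaches PAM and shows up only in sshd's own messages, which is exactly why no single pattern covers "authentication failed".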