I want to send user audit data (logins, su and sudo usage) from our Solaris 11.4 systems to Graylog. So I installed and configured rsyslog 8.2002.0. This is working in the sense that all information is logged to log files as configured, but not all information written to the logs is sent to Graylog.
For example, there are a lot of auth.info entries in /var/log/auth.log, but they are not sent to Graylog. I get messages with authpriv.notice and kern.warning.
I read the docs, tried a lot of things yesterday and was not able to solve this. Does somebody have an idea what I am doing wrong? As far as I know, the `*.*` means that everything should be forwarded?
## rsyslog.conf

```
*.*                                     @@my-graylog-system.mycompany.corp:514;RSYSLOG_SyslogProtocol23Format

# High priority messages to the console
*.err                                   /dev/sysmsg

# Next highest priority to the messages file
*.err;kern.debug;daemon.notice;mail.crit        /var/adm/messages

# Preserve traditional Solaris syslog defaults
*.alert;kern.err;daemon.err             :omusrmsg:operator
*.alert                                 :omusrmsg:root

# Log anything (except auth, cron, daemon & mail) of level info or higher.
*.info;mail.none;auth.none;cron.none    /var/log/misc.log

# kern.notice goes to a file until rsyslog learns how not to clutter
# the console.
kern.notice                             /var/log/kern.log

# Log all the auth, daemon & mail messages in one place.
auth.*                                  /var/log/auth.log
daemon.*                                /var/log/daemon.log
mail.*                                  /var/log/mail.log

# Everybody gets emergency messages
*.emerg                                 :omusrmsg:*
```
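As an added example (not code from the poster or from rsyslog), the script below takes the rsyslog.conf from the question and evaluates its selector lines against sample messages using the traditional syslog.conf selector semantics that rsyslog keeps for this legacy syntax: `facility.priority` matches that facility at the given priority or any more severe one, `*` as facility matches all facilities, `*` as priority matches all priorities, `=priority` matches exactly that priority, `none` drops a facility, `;` joins selectors with later ones overriding earlier ones, and `,` lists several facilities. The names `CONFIG`, `parse_config`, `actions_for` and the facility/priority tables are this example's own; the configuration text is copied from the question. Running it shows that under these semantics a `*.*` selector picks the Graylog forwarding action for every facility and priority, including auth.info, so whether a message is selected for that action can be checked independently of the transport or the receiving side.

```python
"""Evaluate classic syslog.conf / rsyslog selector lines against messages.

Added example, not code from the original post: it takes the poster's
rsyslog.conf and reports, for a given (facility, priority) pair, which
actions the traditional selector rules would pick.
"""

# Severity order from least to most severe.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
PRIO_ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
    "cron", "authpriv", "ftp",
] + [f"local{i}" for i in range(8)]

# The rsyslog.conf from the question, embedded so the script runs offline.
CONFIG = """\
*.* @@my-graylog-system.mycompany.corp:514;RSYSLOG_SyslogProtocol23Format
*.err /dev/sysmsg
*.err;kern.debug;daemon.notice;mail.crit /var/adm/messages
*.alert;kern.err;daemon.err :omusrmsg:operator
*.alert :omusrmsg:root
*.info;mail.none;auth.none;cron.none /var/log/misc.log
kern.notice /var/log/kern.log
auth.* /var/log/auth.log
daemon.* /var/log/daemon.log
mail.* /var/log/mail.log
*.emerg :omusrmsg:*
"""


def _prio_index(name):
    return PRIORITIES.index(PRIO_ALIASES.get(name, name))


def parse_selector(selector):
    """Map each facility the selector names to ('min', idx), ('exact', idx) or None."""
    table = {}
    for part in selector.split(";"):
        fac_spec, _, prio = part.rpartition(".")
        facs = FACILITIES if fac_spec == "*" else fac_spec.split(",")
        if prio == "none":
            spec = None                      # facility explicitly excluded
        elif prio == "*":
            spec = ("min", 0)                # every priority
        elif prio.startswith("="):
            spec = ("exact", _prio_index(prio[1:]))
        else:
            spec = ("min", _prio_index(prio))
        for fac in facs:
            table[fac] = spec                # later selectors override earlier ones
    return table


def selector_matches(table, facility, priority):
    spec = table.get(facility)
    if spec is None:                         # never named, or set to 'none'
        return False
    kind, idx = spec
    level = _prio_index(priority)
    return level == idx if kind == "exact" else level >= idx


def parse_config(text):
    """Return a list of (selector, parsed table, action) for every rule line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)   # the action may itself contain ';'
        rules.append((selector, parse_selector(selector), action.strip()))
    return rules


def actions_for(rules, facility, priority):
    """All actions whose selector accepts a message of this facility and priority."""
    return [action for _, table, action in rules
            if selector_matches(table, facility, priority)]


def main():
    rules = parse_config(CONFIG)
    # Sample messages taken from the question: the missing kind and the arriving kinds.
    for facility, priority in [("auth", "info"), ("authpriv", "notice"), ("kern", "warning")]:
        print(f"{facility}.{priority}:")
        for action in actions_for(rules, facility, priority):
            print(f"    -> {action}")


if __name__ == "__main__":
    main()
```

The evaluator only covers the legacy selector syntax shown in the question, not rsyslog's RainerScript `if ... then` rules or the `!`/`!=` priority negations, which this configuration does not use.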