Hi Mark,
I think you can modify syslog-ng to insert an arbitrary string in log messages:
https://lists.balabit.hu/pipermail/syslog-ng/2006-January/008385.html
I don't know if it's pretty, but I've used this kind of thing:
destination d_insert_txt {
    tcp("10.0.0.8" port(5140)
        template("$DATE $SOURCEIP $MESSAGE - service xyz for user root\n")
        template-escape(no)
    );
};

filter f_ssh_root_login {
    program("sshd") and
    match("Accepted keyboard-interactive/pam for root");
};

log {
    source(local);
    filter(f_ssh_root_login);
    destination(d_insert_txt);
};
This sends it over a TCP stream, but you can modify it to use a file
pretty easily.
I wasn't sure if the b syslog utility would allow the use of the template statement, but there is what looks like a very comprehensive example (to send email) which uses templates in the Codeshare from lrhazi:
Syslog-ng Email Configuration (9.4.2+):
http://devcentral.f5.com/wiki/default.aspx/AdvDesignConfig/SyslogNGEmailConfiguration.html
This should be easier on 9.3.1 if you don't have to go through the b syslog utility to modify the syslog-ng configuration file.
Here are some references on using templates in syslog-ng:
Macros: variables for date, hostname, etc. (Click here)
Templates: (Click here)
And here is a good FAQ for syslog-ng (campin.net - Click here)
Aaron
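The file-based variant Aaron mentions, written out as an added example (not part of his post): the same sshd root-login filter and template, but with the `local` source defined and the matches appended to a local file instead of a TCP stream. The source socket, the log path and the `service xyz` text are assumptions.

```conf
# Added example, not from the original post. Assumes a Linux host where
# syslog-ng reads the local /dev/log socket; adjust the source for your platform.
source local {
    unix-stream("/dev/log");
    internal();
};

# Same filter as in the post: sshd messages reporting a keyboard-interactive
# (PAM) login accepted for root.
filter f_ssh_root_login {
    program("sshd") and
    match("Accepted keyboard-interactive/pam for root");
};

# File destination instead of tcp(): the template still appends the marker
# text to each matched message. Path, text and permissions are assumptions;
# perm(0600) keeps the audit file readable by the syslog-ng owner only.
destination d_root_login_file {
    file("/var/log/ssh-root-logins.log"
        template("$DATE $HOST $SOURCEIP $MESSAGE - service xyz for user root\n")
        template-escape(no)
        perm(0600)
    );
};

log {
    source(local);
    filter(f_ssh_root_login);
    destination(d_root_login_file);
};
```

Run `syslog-ng -s` against the edited configuration to check the syntax before reloading the daemon.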