From 9e5933f4a49b4a85e19c964569415af24cdf0e8f Mon Sep 17 00:00:00 2001
From: Christian Poessinger <christian@poessinger.com>
Date: Sun, 1 Mar 2020 10:09:45 +0100
Subject: syslog: T2086: move sudo session open/close log entries to auth.log

---
 debian/vyos-1x.install      | 1 +
 src/etc/rsyslog.d/sudo.conf | 9 +++++++++
 2 files changed, 10 insertions(+)
 create mode 100644 src/etc/rsyslog.d/sudo.conf

diff --git a/debian/vyos-1x.install b/debian/vyos-1x.install
index eb19dafeb..d8388eecc 100644
--- a/debian/vyos-1x.install
+++ b/debian/vyos-1x.install
@@ -1,5 +1,6 @@
 etc/dhcp
 etc/init.d
+etc/rsyslog.d
 etc/systemd
 etc/vyos
 lib/
diff --git a/src/etc/rsyslog.d/sudo.conf b/src/etc/rsyslog.d/sudo.conf
new file mode 100644
index 000000000..589651f87
--- /dev/null
+++ b/src/etc/rsyslog.d/sudo.conf
@@ -0,0 +1,9 @@
+# Isolating sudo messages from syslog
+#
+# https://debian-administration.org/article/676/Isolating_sudo_messages_from_syslog
+
+# match if "program name" is equal to "sudo"
+:programname, isequal, "sudo" -/var/log/auth.log
+
+# if we matched this causes the input to be swallowed, preventing further logging.
+& ~
-- 
cgit v1.2.3