Configure Syslog to Cull Events in AD Bridge

To collect sudo events and other system events that appear in syslog, you must configure syslog to write data to a location where the AD Bridge Enterprise reapsysl service can find it and copy it to the local event log.

You can set an AD Bridge Enterprise Group Policy setting to modify /etc/syslog.conf on target computers.

The reapsysl service creates three named pipes and picks up the syslog information written to them:

/var/lib/pbis/syslog-reaper/error
/var/lib/pbis/syslog-reaper/warning
/var/lib/pbis/syslog-reaper/information

To configure syslog to write to the pipes, add the following lines to /etc/syslog.conf:

*.err	/var/lib/pbis/syslog-reaper/error
*.warning	/var/lib/pbis/syslog-reaper/warning
*.debug	/var/lib/pbis/syslog-reaper/information

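The last entry is not analogous to the first two: its selector is *.debug, but it writes to the pipe named information. Some versions of syslog require a tab character instead of spaces to separate the two components of each line (the selector and the pipe path).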

For more information, please see your syslog documentation.

After you modify syslog.conf, you must restart the syslog service for the changes to take effect:

/etc/init.d/syslog restart
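
A check that can be run before restarting syslog, as an added example that is not part of the AD Bridge documentation or tooling: it confirms that each of the three entries above is present, that the separator consists of tabs only, and that the target exists as a named pipe. The function names and the optional PIPE_DIR argument are hypothetical; the selectors and paths are the ones listed on this page.

```shell
#!/bin/sh
# Added example: verify the reapsysl entries described on this page.
# Function names are hypothetical; selectors and paths are the page's.
REAPER_DIR=/var/lib/pbis/syslog-reaper

# conf_entry_state FILE SELECTOR PIPE
# Prints "ok" (separator is tabs only), "non-tab" (entry present, but the
# separator contains spaces), or "missing" (no uncommented entry).
conf_entry_state() {
    awk -v sel="$2" -v pipe="$3" '
        /^[ \t]*#/ { next }                       # ignore commented lines
        $1 == sel && $2 == pipe {
            # isolate the text between the selector and the pipe path
            rest = substr($0, index($0, sel) + length(sel))
            sep = substr(rest, 1, index(rest, pipe) - 1)
            found = (sep ~ /^\t+$/) ? "ok" : "non-tab"
            if (found == "ok") exit
        }
        END { print (found == "" ? "missing" : found) }
    ' "$1"
}

# check_reaper_conf FILE [PIPE_DIR]
# Prints one report line per entry. Returns 0 only when every entry is "ok"
# and every pipe exists as a FIFO. PIPE_DIR (an assumption of this example)
# lets the FIFO check run against a staging directory.
check_reaper_conf() {
    dir=${2:-$REAPER_DIR}
    rc=0
    for pair in "*.err:error" "*.warning:warning" "*.debug:information"; do
        sel=${pair%%:*}
        name=${pair#*:}
        state=$(conf_entry_state "$1" "$sel" "$REAPER_DIR/$name")
        if [ -p "$dir/$name" ]; then fifo=fifo; else fifo=no-fifo; fi
        echo "$sel -> $name: $state, $fifo"
        [ "$state" = ok ] && [ "$fifo" = fifo ] || rc=1
    done
    return $rc
}
```

Call it as `check_reaper_conf /etc/syslog.conf`; a "non-tab" result is only a problem on the syslog versions that insist on tabs.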