Re: syslog logging

From: Charles Heselton (
Date: 08/04/04

  • Next message: Andrew J Caines: "Re: syslog logging"
    Date: Tue, 3 Aug 2004 19:33:48 -0700
    To: Gregory Hicks <>

    On Mon, 2 Aug 2004 19:19:18 -0700 (PDT), Gregory Hicks
    <> wrote:
    > Greetings:
    > I've tried to figure this out, but haven't had much success. I'm
    > trying to log various events with syslog. These events are;
    > - All sudo activities
    > - Anyone who does "su - "
    > - Any reboot information
    > - Anything that could be related with "root" command
    > Remote logging is easy.
    > mail.debug /var/log/syslog, @loghost
    > Sudo is fairly easy - logging via syslog is compiled in. I have this
    > in syslog.conf:
    > local2.emerg;local2.alert;local2.crit;local2.err;local2.warning;local2.debug;local2.info; @loghost"

    I *believe* this could be handled by:

    local2.* @loghost

    > (The above takes care of everything...)
    > su events not so easy. logging for this is done to /var/adm/sulog...
    > According to /etc/default/su,
    > # SYSLOG determines whether the syslog(3) LOG_AUTH facility should be
    > # used to log all su attempts. LOG_NOTICE messages are generated for
    > # su's to root, LOG_INFO messages are generated for su's to other users,
    > # and LOG_CRIT messages are generated for failed su attempt.
    > However, I've got SYSLOG=YES in /etc/default/su ... And nothing is
    > logged to /var/adm/messages... I see this
    > ("'su root' succeeded for ghicks on /dev/pts/22")
    > on the console, but nothing in messages...

    Have you checked /var/log/sulog ?

    > Further... Reboot info... Reboot ("init 6") doesn't seem to log
    > ANYTHING - except for the messages the syslog daemon put out whilst
    > going down ("machine-name syslogd: going down on signal 15") and the
    > various config messages the system generates coming up... The 'last'
    > command lists WHEN the reboot occurred, but where is it logged that it
    > was done?
    > Finally... How about logging "anything that could be caused by root"?
    > A keystroke logger only activated when root logs in (or su's)? Is
    > there such a thing?
    > Any thoughts on how to attack this?

    If you want to log EVERYTHING, then I would think that you would have
    to install an actual keylogger, and figure out some way to kick it off
    when the current euid is root (0). That seems a bit like
    "big-brother-is-watching-you" to me. If you're building a
    honey-pot...OK....I can see that. If this is an internal system with
    multiple users, it seems a bit of overkill. Be that as it may, I
    think your answer is in auditing not just logging. Try googling for
    "Solaris auditing", or "Solaris audit.conf", and unless you *want* to
    be "big-brother", this should suffice.

    > Assist will be appreciated.
    > Regards,
    > Gregory Hicks
    > ---------------------------------------------------------------------
    > Gregory Hicks | Principal Systems Engineer
    > Cadence Design Systems | Direct: 408.576.3609
    > 555 River Oaks Pkwy M/S 6B1
    > San Jose, CA 95134
    > I am perfectly capable of learning from my mistakes. I will surely
    > learn a great deal today.
    > "A democracy is a sheep and two wolves deciding on what to have for
    > lunch. Freedom is a well armed sheep contesting the results of the
    > decision." - Benjamin Franklin
    > "The best we can hope for concerning the people at large is that they
    > be properly armed." --Alexander Hamilton

    Charlie Heselton
    Network Security Engineer
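As an added example (not part of the thread), the script below runs over a few constructed lines of the kind a Solaris host would forward to loghost, pulls out the su, sudo and syslogd-shutdown events the original question asks about, and tallies which facility.level selectors carried them, which is the information needed to decide what to put in front of `@loghost` in syslog.conf. The su success line is the one quoted in the thread; the failed-su wording, the sudo line layout and the `[ID nnn facility.level]` tags are assumed formats with made-up message IDs.

```python
import re
from collections import Counter

# Constructed sample of /var/adm/messages content. Only the first su line is
# quoted in the thread; the other lines and all [ID ...] values are assumed.
SAMPLE = """\
Aug  2 19:10:01 hostA su: [ID 366847 auth.notice] 'su root' succeeded for ghicks on /dev/pts/22
Aug  2 19:11:40 hostA su: [ID 366847 auth.crit] 'su root' failed for mallory on /dev/pts/3
Aug  2 19:12:05 hostA su: [ID 366847 auth.info] 'su oracle' succeeded for dba1 on /dev/pts/7
Aug  2 19:14:22 hostA sudo: [ID 702911 local2.notice] ghicks : TTY=pts/22 ; PWD=/export/home/ghicks ; USER=root ; COMMAND=/usr/sbin/shutdown -i6 -g0 -y
Aug  2 19:14:30 hostA syslogd: going down on signal 15
Aug  2 19:19:18 hostA sendmail[123]: [ID 801593 mail.info] started
"""

SELECTOR = re.compile(r"\[ID \d+ ([a-z0-9]+\.[a-z]+)\]")   # Solaris facility.level tag
SU = re.compile(r"'su (\S+)' (succeeded|failed) for (\S+) on (\S+)")
SUDO = re.compile(r" sudo: .*?(\S+) : TTY=(\S+) ;.*? USER=(\S+) ; COMMAND=(.*)$")
SYSLOGD_DOWN = re.compile(r" syslogd: .*going down on signal (\d+)")

def classify(line):
    """Return an event dict for the message types the thread asks about, else None."""
    sel = SELECTOR.search(line)
    base = {"selector": sel.group(1) if sel else "unknown"}   # no tag -> unknown
    if m := SU.search(line):
        target, outcome, actor, tty = m.groups()
        return {**base, "kind": "su", "actor": actor, "target": target,
                "ok": outcome == "succeeded", "tty": tty}
    if m := SUDO.search(line):
        actor, tty, target, cmd = m.groups()
        return {**base, "kind": "sudo", "actor": actor, "target": target,
                "ok": True, "tty": tty, "command": cmd}
    if m := SYSLOGD_DOWN.search(line):
        return {**base, "kind": "shutdown", "signal": int(m.group(1))}
    return None

def root_events(text):
    """su/sudo events aimed at root (successful or not) plus syslogd shutdowns."""
    events = [e for e in map(classify, text.splitlines()) if e]
    return [e for e in events if e["kind"] == "shutdown" or e.get("target") == "root"]

def selectors_needed(text):
    """Count the facility.level pairs behind those events: each one must be
    selected in syslog.conf (e.g. 'auth.notice;auth.crit @loghost') to be forwarded."""
    return Counter(e["selector"] for e in root_events(text))

if __name__ == "__main__":
    for event in root_events(SAMPLE):
        print(event)
    print(dict(selectors_needed(SAMPLE)))
```

The "unknown" selector for the syslogd shutdown line shows the other point the reader needs: a message without a facility tag cannot be matched back to a syslog.conf selector from the log alone.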
