Re: syslog logging

From: Charles Heselton
Date: 08/04/04

    Date: Tue, 3 Aug 2004 19:33:48 -0700
    To: Gregory Hicks

    On Mon, 2 Aug 2004 19:19:18 -0700 (PDT), Gregory Hicks wrote:
    > Greetings:
    > I've tried to figure this out, but haven't had much success. I'm
    > trying to log various events with syslog. These events are;
    > - All sudo activities
    > - Anyone who does "su - "
    > - Any reboot information
    > - Anything that could be related with "root" command
    > Remote logging is easy.
    > mail.debug /var/log/syslog, @loghost
    > Sudo is fairly easy - logging via syslog is compiled in. I have this
    > in syslog.conf:
    > local2.emerg;local2.alert;local2.crit;local2.err;local2.warning;local2.debug;local2.info; @loghost"

    I *believe* this could be handled by:

    local2.* @loghost

    > (The above takes care of everything...)
    > su events not so easy. logging for this is done to /var/adm/sulog...
    > According to /etc/default/su,
    > # SYSLOG determines whether the syslog(3) LOG_AUTH facility should be
    > # used to log all su attempts. LOG_NOTICE messages are generated for
    > # su's to root, LOG_INFO messages are generated for su's to other users,
    > # and LOG_CRIT messages are generated for failed su attempt.
    > However, I've got SYSLOG=YES in /etc/default/su ... And nothing is
    > logged to /var/adm/messages... I see this
    > ("'su root' succeeded for ghicks on /dev/pts/22")
    > on the console, but nothing in messages...

    Have you checked /var/log/sulog ?

    > Further... Reboot info... Reboot ("init 6") doesn't seem to log
    > ANYTHING - except for the messages the syslog daemon put out whilst
    > going down ("machine-name syslogd: going down on signal 15") and the
    > various config messages the system generates coming up... The 'last'
    > command lists WHEN the reboot occurred, but where is it logged that it
    > was done?
    > Finally... How about logging "anything that could be caused by root"?
    > A keystroke logger only activated when root logs in (or su's)? Is
    > there such a thing?
    > Any thoughts on how to attack this?

    If you want to log EVERYTHING, then I would think that you would have
    to install an actual keylogger, and figure out some way to kick it off
    when the current euid is root (0). That seems a bit like
    "big-brother-is-watching-you" to me. If you're building a
    honey-pot...OK....I can see that. If this is an internal system with
    multiple users, it seems a bit of overkill. Be that as it may, I
    think your answer is in auditing not just logging. Try googling for
    "Solaris auditing", or "Solaris audit.conf", and unless you *want* to
    be "big-brother", this should suffice.

    > Assist will be appreciated.
    > Regards,
    > Gregory Hicks
    > ---------------------------------------------------------------------
    > Gregory Hicks | Principal Systems Engineer
    > Cadence Design Systems | Direct: 408.576.3609
    > 555 River Oaks Pkwy M/S 6B1
    > San Jose, CA 95134
    > I am perfectly capable of learning from my mistakes. I will surely
    > learn a great deal today.
    > "A democracy is a sheep and two wolves deciding on what to have for
    > lunch. Freedom is a well armed sheep contesting the results of the
    > decision." - Benjamin Franklin
    > "The best we can hope for concerning the people at large is that they
    > be properly armed." --Alexander Hamilton

    Charlie Heselton
    Network Security Engineer
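
Added example, not part of either poster's message: a small evaluator for syslog.conf selectors that shows where the su messages described in /etc/default/su (LOG_AUTH at NOTICE, INFO and CRIT) and sudo's local2 messages would be delivered. It assumes classic syslogd semantics, where a level in a selector accepts that level and everything more severe; SAMPLE_CONF and the sudo priority are constructed for illustration.

```python
# Added example: classic syslogd selector matching (simplified; an assumption, not from the thread).
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]  # most to least severe

# Constructed sample syslog.conf: selector field, whitespace, action.
SAMPLE_CONF = """\
*.err;kern.debug;daemon.notice;mail.crit\t/var/adm/messages
local2.debug\t@loghost
auth.info\t@loghost
"""

def rule_matches(selectors, facility, level):
    """A selector 'fac.lvl' accepts lvl and anything more severe; 'none' excludes."""
    threshold = None  # least severe level accepted for this facility, if any
    for selector in selectors.split(";"):
        selector = selector.strip()
        if not selector:
            continue
        facs, _, lvl = selector.rpartition(".")
        if facs == "*" or facility in facs.split(","):
            # A later selector for the same facility overrides an earlier one.
            threshold = None if lvl == "none" else LEVELS.index(lvl)
    return threshold is not None and LEVELS.index(level) <= threshold

def destinations(conf, facility, level):
    """Return the actions of every rule that accepts a facility.level message."""
    hits = []
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selectors, action = line.split(None, 1)
        if rule_matches(selectors, facility, level):
            hits.append(action.strip())
    return hits

if __name__ == "__main__":
    # Constructed test messages: the su priorities come from the quoted
    # /etc/default/su comment; the sudo level is an assumption.
    for fac, lvl, what in [("auth", "notice", "su to root"),
                           ("auth", "info", "su to other user"),
                           ("auth", "crit", "failed su"),
                           ("local2", "info", "sudo")]:
        print(f"{what:18} {fac}.{lvl:7} -> {destinations(SAMPLE_CONF, fac, lvl)}")
```

With this constructed configuration only a failed su (auth.crit) reaches /var/adm/messages; a successful su needs a selector at auth.notice or lower to be written anywhere.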
