Re: syslog logging

From: Andrew J Caines (A.J.Caines_at_halplant.com)
Date: 08/04/04

  • Next message: Rex Monty di Bona: "Re: syslog logging" 
    Date: Wed, 4 Aug 2004 16:53:25 -0400
To: focus-sun@securityfocus.com

    Charles Heselton noted that...
    > I *believe* this could be handled by:
    > local2.* @loghost

    Wildcards are for the facility. The priority specifies the _lowest_
    logged, so local2.warn mean to log all local2 messages at warn and above,
    ie. warn, err, crit alert and emerg. See syslog.conf(4) and syslogd(1M).

    So what you want to log everything (debug and above) is

    local2.debug @loghost

    On Mon, 2 Aug 2004 19:19:18 -0700 (PDT), Gregory Hicks <ghicks@cadence.com> wrote:
    > su events not so easy. logging for this is done to /var/adm/sulog...
    > According to /etc/default/su,
    [snip]
    > However, I've got SYSLOG=YES in /etc/default/su ... And nothing is
    > logged to /var/adm/messages...

    Clearly you aren't sending auth.info messages to /var/adm/messages. Take a
    look at the log file to which you are sending them or add auth.info to the
    list which gets logged to /var/adm/messages.

    > Finally... How about logging "anything that could be caused by root?
    > A keystroke logger only activated when root logs in (or su's)? Is
    > there such a thing?

    This is outside the clear and simple area of "logging" and into the murky
    area of "auditing". You may want to look into BSM, but be aware that
    auditing is complex and potentially resource intensive activity and that
    you'll need to do some real work to extract and meaningfully report the
    useful information from the audit data.

    It can be done, but the question is whether or not it's worth it. Only in
    extraordinary cases does the answer turn out to be "yes".

    -Andrew- 

    -- 
 _______________________________________________________________________
| -Andrew J. Caines-   Unix Systems Engineer   A.J.Caines@halplant.com  |
| "They that can give up essential liberty to obtain a little temporary |
|  safety deserve neither liberty nor safety" - Benjamin Franklin, 1759 |
  • Next message: Rex Monty di Bona: "Re: syslog logging"