Re: syslog logging
From: Andrew J Caines (A.J.Caines_at_halplant.com)
Date: Wed, 4 Aug 2004 16:53:25 -0400 To: firstname.lastname@example.org
Charles Heselton noted that...
> I *believe* this could be handled by:
> local2.* @loghost
Wildcards are for the facility. The priority specifies the _lowest_
logged, so local2.warn means to log all local2 messages at warn and above,
i.e. warn, err, crit, alert and emerg. See syslog.conf(4) and syslogd(1M).
So what you want, to log everything (debug and above), is
On Mon, 2 Aug 2004 19:19:18 -0700 (PDT), Gregory Hicks <email@example.com> wrote:
> su events not so easy. logging for this is done to /var/adm/sulog...
> According to /etc/default/su,
> However, I've got SYSLOG=YES in /etc/default/su ... And nothing is
> logged to /var/adm/messages...
Clearly you aren't sending auth.info messages to /var/adm/messages. Take a
look at the log file to which you are sending them or add auth.info to the
list which gets logged to /var/adm/messages.
> Finally... How about logging "anything that could be caused by root?
> A keystroke logger only activated when root logs in (or su's)? Is
> there such a thing?
This is outside the clear and simple area of "logging" and into the murky
area of "auditing". You may want to look into BSM, but be aware that
auditing is a complex and potentially resource-intensive activity and that
you'll need to do some real work to extract and meaningfully report the
useful information from the audit data.
It can be done, but the question is whether or not it's worth it. Only in
extraordinary cases does the answer turn out to be "yes".
--
_______________________________________________________________________
| -Andrew J. Caines-   Unix Systems Engineer   A.J.Caines@halplant.com |
| "They that can give up essential liberty to obtain a little temporary |
|  safety deserve neither liberty nor safety" - Benjamin Franklin, 1759 |
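The two selector points made in the reply above (a priority names the lowest level logged, so `local2.warn` catches warn through emerg while `local2.*` equals `local2.debug`; and su's `auth.info` records only reach /var/adm/messages if a selector routing there covers them) can be checked offline with a small model of syslog.conf matching. This is an added example, not code from the mailing-list message or from any syslogd; the configuration text inside it is a constructed sample in the Solaris style, not a real host's file, and `loghost` is just the placeholder name used in the thread.

```python
"""Offline model of classic syslog.conf selector matching (added example)."""
import re

# Priorities in ascending severity, as listed in syslog(3).
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "audit", "mark"] + [f"local{i}" for i in range(8)]


def priority_index(name):
    """Numeric rank of a priority name; raises ValueError for unknown names."""
    return PRIORITIES.index(ALIASES.get(name, name))


def effective_levels(selector):
    """Map each facility to its minimum logged priority rank (None = not logged).

    Items are applied left to right, so a later 'mail.none' or 'mail.crit'
    overrides an earlier '*.info' for the mail facility, as syslogd does.
    """
    table = {f: None for f in FACILITIES}
    for item in selector.split(";"):
        facs, dot, prio = item.rpartition(".")
        if not dot or not facs:
            raise ValueError(f"malformed selector item {item!r}")
        if prio == "none":
            level = None
        elif prio == "*":
            level = 0                       # '*' as a priority means debug and up
        else:
            level = priority_index(prio)
        targets = FACILITIES if facs == "*" else facs.split(",")
        for fac in targets:
            if fac not in table:
                raise ValueError(f"unknown facility {fac!r}")
            table[fac] = level
    return table


def selector_matches(selector, facility, priority):
    """True if a message of facility.priority is logged by this selector."""
    level = effective_levels(selector)[facility]
    return level is not None and priority_index(priority) >= level


def parse_config(text):
    """Return (selector, action) pairs from syslog.conf text, skipping comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        if len(parts) != 2:
            raise ValueError(f"line without an action: {line!r}")
        entries.append((parts[0], parts[1]))
    return entries


def destinations(text, facility, priority):
    """All actions (files, hosts, users) that receive facility.priority."""
    return [action for selector, action in parse_config(text)
            if selector_matches(selector, facility, priority)]


# Constructed sample configuration (not copied from a real host).
SAMPLE_CONF = """
# selector                               action
*.err;kern.notice;auth.notice            /dev/sysmsg
*.err;kern.debug;daemon.notice;mail.crit /var/adm/messages
local2.warn                              @loghost
"""

# Same sample with auth.info added to the /var/adm/messages line,
# which is the fix suggested in the reply for the missing su records.
FIXED_CONF = SAMPLE_CONF.replace("mail.crit /var/adm/messages",
                                 "mail.crit;auth.info /var/adm/messages")

if __name__ == "__main__":
    # local2.warn catches warn and above, but not info or debug.
    for prio in PRIORITIES:
        print(f"local2.{prio:8} -> {destinations(SAMPLE_CONF, 'local2', prio)}")
    # A wildcard priority is the same as naming the lowest priority explicitly.
    print(selector_matches("local2.*", "local2", "debug"),
          selector_matches("local2.debug", "local2", "debug"))
    # su's auth.info records are dropped by SAMPLE_CONF and kept by FIXED_CONF.
    print(destinations(SAMPLE_CONF, "auth", "info"))
    print(destinations(FIXED_CONF, "auth", "info"))
```

Running the script walks local2 through every priority and shows `@loghost` appearing only from warning upward, then shows `auth.info` routed nowhere under the sample file and to /var/adm/messages once `auth.info` is added to that line. The left-to-right overwrite in `effective_levels` is what makes `*.info;mail.none` silence mail, which is the same mechanism that lets a later item raise or lower the threshold for one facility.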