Re: syslog logging

From: Rex Monty di Bona (rex_at_comsmiths.com.au)
Date: 08/05/04

  • Next message: Grzegorz Banasiak: "ipv6 questions + solaris 9"

    Date: Thu, 05 Aug 2004 15:34:10 +1000
    To: Charles Heselton <charles.heselton@gmail.com>

    try "local2.debug<tab>@loghost", and remember spaces are significant. If
    you have problems try syslogd -d from the command line, and it'll show
    you what it is doing. Easier to see what it's doing rather than guessing :-)

    Of course if your local machine is loghost this line would be ignored
    (it would be a loop). Also, the machine loghost has to handle local2
    events. Somewhere you have to have
    "local2.debug<tab>/some/file/or/another" (or a person etc etc.)

                                            Rex.

    Charles Heselton wrote:
    > On Mon, 2 Aug 2004 19:19:18 -0700 (PDT), Gregory Hicks
    > <ghicks@cadence.com> wrote:
    >
    >>Greetings:
    >>
    >>I've tried to figure this out, but haven't had much success. I'm
    >>trying to log various events with syslog. These events are;
    >>
    >>- All sudo activities
    >>- Anyone who does "su - "
    >>- Any reboot information
    >>- Anything that could be related with "root" command
    >>
    >>Remote logging is easy.
    >>mail.debug /var/log/syslog, @loghost
    >>
    >>Sudo is fairly easy - logging via syslog is compiled in. I have this
    >>in syslog.conf:
    >>
    >>local2.emerg;local2.alert;local2.crit;local2.err;local2.warning;local2.debug;local2.info;local2.info @loghost
    >
    >
    > I *believe* this could be handled by:
    >
    > local2.* @loghost
    >
    >
    >>(The above takes care of everything...)
    >>
    >>su events not so easy. logging for this is done to /var/adm/sulog...
    >>According to /etc/default/su,
    >>
    >># SYSLOG determines whether the syslog(3) LOG_AUTH facility should be
    >># used to log all su attempts. LOG_NOTICE messages are generated for
    >># su's to root, LOG_INFO messages are generated for su's to other users,
    >># and LOG_CRIT messages are generated for failed su attempt.
    >>
    >>However, I've got SYSLOG=YES in /etc/default/su ... And nothing is
    >>logged to /var/adm/messages... I see this
    >>
    >>("'su root' succeeded for ghicks on /dev/pts/22")
    >>
    >>on the console, but nothing in messages...
    >
    >
    > Have you checked /var/log/sulog ?
    >
    >
    >>Further... Reboot info... Reboot ("init 6") doesn't seem to log
    >>ANYTHING - except for the messages the syslog daemon put out whilst
    >>going down ("machine-name syslogd: going down on signal 15") and the
    >>various config messages the system generates coming up... The 'last'
    >>command lists WHEN the reboot occurred, but where is it logged that it
    >>was done?
    >>
    >>Finally... How about logging "anything that could be caused by root"?
    >>A keystroke logger only activated when root logs in (or su's)? Is
    >>there such a thing?
    >>
    >>Any thoughts on how to attack this?
    >
    >
    > If you want to log EVERYTHING, then I would think that you would have
    > to install an actual keylogger, and figure out some way to kick it off
    > when the current euid is root (0). That seems a bit like
    > "big-brother-is-watching-you" to me. If you're building a
    > honey-pot...OK....I can see that. If this is an internal system with
    > multiple users, it seems a bit of overkill. Be that as it may, I
    > think your answer is in auditing not just logging. Try googling for
    > "Solaris auditing", or "Solaris audit.conf", and unless you *want* to
    > be "big-brother", this should suffice.
    >
    >
    >>Assist will be appreciated.
    >>
    >>Regards,
    >>Gregory Hicks
    >>
    >>---------------------------------------------------------------------
    >>Gregory Hicks | Principal Systems Engineer
    >>Cadence Design Systems | Direct: 408.576.3609
    >>555 River Oaks Pkwy M/S 6B1
    >>San Jose, CA 95134
    >>
    >>I am perfectly capable of learning from my mistakes. I will surely
    >>learn a great deal today.
    >>
    >>"A democracy is a sheep and two wolves deciding on what to have for
    >>lunch. Freedom is a well armed sheep contesting the results of the
    >>decision." - Benjamin Franklin
    >>
    >>"The best we can hope for concerning the people at large is that they
    >>be properly armed." --Alexander Hamilton
    >>
    >>
    >
    >
    >
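The points made in this exchange (the selector and action in syslog.conf must be separated by a tab, a selector level means that level and everything more severe so "local2.debug" or "local2.*" already covers the whole facility, "@loghost" on the loghost itself is a loop, and the loghost needs its own local2 rule before anything lands in a file) can be checked offline before touching syslogd. The following script is an added example and is not code from any post in this thread; the hostnames "alpha" and "loghost" and both sample configs are constructed for it. Solaris syslogd passes syslog.conf through m4 first; this checker does not expand m4 macros.

```python
#!/usr/bin/env python3
"""Offline lint for a Solaris-style syslog.conf (added example, constructed input).

Checks the points raised in the thread:
  * selector and action must be separated by a TAB, not spaces;
  * a level in a selector means that level and every more severe one, so
    'local2.debug' (or 'local2.*') already catches the whole facility;
  * '@host' that names this machine is a loop;
  * whether some rule catches a given facility.priority, e.g. auth.notice,
    which /etc/default/su says a successful 'su root' generates.
Solaris runs syslog.conf through m4 first; m4 macros are not expanded here.
"""
import re

PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}   # accepted spellings
RULE_RE = re.compile(r"^(?P<sel>\S+)(?P<sep>[ \t]+)(?P<act>\S.*)$")


def levels_at_or_above(level):
    """'notice' -> {emerg, alert, crit, err, warning, notice}; '*' -> all."""
    if level == "*":
        return set(PRIORITIES)
    level = ALIASES.get(level, level)
    if level not in PRIORITIES:
        raise ValueError("unknown priority: %r" % level)
    return set(PRIORITIES[: PRIORITIES.index(level) + 1])


def parse_selector(selector):
    """'local2.debug;auth.notice' -> {'local2': {...}, 'auth': {...}}."""
    matched = {}
    for part in selector.split(";"):
        facs, _, level = part.rpartition(".")
        if not facs or not level:
            raise ValueError("bad selector: %r" % part)
        for fac in facs.split(","):
            if level == "none":
                matched[fac] = set()          # 'none' cancels earlier matches for fac
            else:
                matched.setdefault(fac, set()).update(levels_at_or_above(level))
    return matched


def lint(conf_text, local_names=frozenset()):
    """Return (rules, problems); rules = [(matched_dict, action), ...].

    local_names: names under which this host is known, used for loop detection.
    """
    rules, problems = [], []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            problems.append("line %d: cannot parse %r" % (lineno, line))
            continue
        sel, sep, act = m.group("sel", "sep", "act")
        if "\t" not in sep:
            problems.append("line %d: selector/action separated by spaces, not a tab" % lineno)
        if re.search(r"\s", act):
            problems.append("line %d: action must be one file, one @host or a user list, got %r"
                            % (lineno, act))
        if act.startswith("@") and act[1:] in local_names:
            problems.append("line %d: forwards to this host (%s): a loop" % (lineno, act[1:]))
        try:
            rules.append((parse_selector(sel), act))
        except ValueError as e:
            problems.append("line %d: %s" % (lineno, e))
    return rules, problems


def covers(rules, facility, priority):
    """Actions that receive a message logged at facility.priority."""
    hits = []
    for matched, act in rules:
        levels = matched[facility] if facility in matched else matched.get("*", set())
        if priority in levels:
            hits.append(act)
    return hits


# Constructed client config: the two space-separated lines have the shape of
# what was posted in the thread, the tab-separated ones are the working forms.
CLIENT_CONF = (
    "# syslog.conf on client host 'alpha' (constructed)\n"
    "mail.debug /var/log/syslog, @loghost\n"
    "local2.emerg;local2.alert;local2.crit;local2.err;local2.warning;"
    "local2.debug;local2.info;local2.info @loghost\n"
    "local2.debug\t@loghost\n"
    "auth.notice\t/var/adm/messages\n"
)
# Constructed config for the loghost itself: it needs its own local2 rule.
LOGHOST_CONF = (
    "local2.debug\t/var/log/sudo.log\n"
    "auth.notice\t/var/adm/messages\n"
)

if __name__ == "__main__":
    rules, problems = lint(CLIENT_CONF, local_names={"alpha"})
    for p in problems:
        print("PROBLEM:", p)
    for fac, pri in [("local2", "notice"), ("auth", "notice"), ("auth", "info")]:
        print("%s.%s ->" % (fac, pri), covers(rules, fac, pri) or "NOT LOGGED")
    # The same file loaded on the loghost: '@loghost' now points at itself.
    print("as loghost:", lint(CLIENT_CONF, local_names={"loghost"})[1][-2:])
```

The coverage check is the part worth keeping around: "auth.notice" catches a successful su to root, but "auth.info" (su to a non-root user) is not caught by that sample rule, which is exactly the kind of gap that only shows up once a message is sent. On the real host the final check is still the one Rex describes: run syslogd -d, send a test message with `logger -p local2.debug test`, and watch where it goes.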

