Re: syslog logging -- Aug 04 2004 08:53PM -- Andrew J Caines (A J Caines halplant com)
Charles Heselton noted that...
> I *believe* this could be handled by:
> local2.* @loghost
Wildcards are for the facility. The priority specifies the _lowest_
logged, so local2.warn means to log all local2 messages at warn and above,
i.e. warn, err, crit, alert and emerg. See syslog.conf(4) and syslogd(1M).
So what you want, to log everything (debug and above), is

    local2.debug @loghost
On Mon, 2 Aug 2004 19:19:18 -0700 (PDT), Gregory Hicks <ghicks (at) cadence (dot) com [email concealed]> wrote:
> su events not so easy. logging for this is done to /var/adm/sulog...
> According to /etc/default/su,
[snip]
> However, I've got SYSLOG=YES in /etc/default/su ... And nothing is
> logged to /var/adm/messages...
Clearly you aren't sending auth.info messages to /var/adm/messages. Take a
look at the log file to which you are sending them or add auth.info to the
list which gets logged to /var/adm/messages.
> Finally... How about logging "anything that could be caused by root"?
> A keystroke logger only activated when root logs in (or su's)? Is
> there such a thing?
This is outside the clear and simple area of "logging" and into the murky
area of "auditing". You may want to look into BSM, but be aware that
auditing is a complex and potentially resource-intensive activity and that
you'll need to do some real work to extract and meaningfully report the
useful information from the audit data.
It can be done, but the question is whether or not it's worth it. Only in
extraordinary cases does the answer turn out to be "yes".
-Andrew-
--
_______________________________________________________________________
| -Andrew J. Caines- Unix Systems Engineer A.J.Caines (at) halplant (dot) com [email concealed] |
| "They that can give up essential liberty to obtain a little temporary |
| safety deserve neither liberty nor safety" - Benjamin Franklin, 1759 |
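A worked check of the selector semantics Andrew describes above (the level in a selector is a floor, so local2.warn silently drops local2.debug, and su's auth.info messages only reach /var/adm/messages if some selector routes auth.info there). This is an added example, not part of the original thread or of Solaris: a small Python model of classic BSD/Solaris syslog.conf matching. The two configurations are constructed for the example, loosely modelled on a stock Solaris file with the thread's local2 line added; they are not Gregory's actual configuration. Real Solaris syslogd additionally insists on tab separators and preprocesses the file with m4 (the ifdef(`LOGHOST', ...) lines), both of which the model ignores.

```python
import re

# Classic syslogd priorities, most severe first.  A selector level is the
# LOWEST priority logged, so a message matches when its index here is <=
# the selector level's index.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRIORITY_ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron"] + ["local%d" % i for i in range(8)]


def prio_index(name):
    """Numeric rank of a priority name (0 = emerg ... 7 = debug); aliases accepted."""
    return PRIORITIES.index(PRIORITY_ALIASES.get(name, name))


def parse_conf(text):
    """Parse syslog.conf text into a list of (selectors, action).

    selectors is a list of (facilities, level) in source order, where
    facilities is '*' or a list of facility names and level is a priority
    name, 'none' (exclude the facility) or '*' (everything, i.e. debug).
    Comments and blank lines are skipped.  A misspelled level raises
    ValueError instead of being silently ignored.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        sel_part, action = re.split(r"\s+", line, maxsplit=1)
        selectors = []
        for sel in sel_part.split(";"):
            facs, level = sel.rsplit(".", 1)
            level = PRIORITY_ALIASES.get(level, level)
            if level not in ("none", "*"):
                prio_index(level)  # validate, e.g. 'local2.warnng' is rejected
            selectors.append(("*" if facs == "*" else facs.split(","), level))
        rules.append((selectors, action))
    return rules


def route(rules, facility, priority):
    """Return the actions a message logged as facility.priority is delivered to."""
    p = prio_index(priority)
    actions = []
    for selectors, action in rules:
        # Within one line a later selector for the same facility overrides an
        # earlier one, so '*.err;auth.notice' means auth at notice and above.
        threshold = {}
        for facs, level in selectors:
            for f in (FACILITIES if facs == "*" else facs):
                threshold[f] = level
        level = threshold.get(facility)
        if level is None or level == "none":
            continue
        if p <= prio_index("debug" if level == "*" else level):
            actions.append(action)
    return actions


# Constructed sample (assumption: loosely modelled on a stock Solaris
# syslog.conf) with the thread's 'local2.warn @loghost' line added.
ORIGINAL_CONF = (
    "*.err;kern.notice;auth.notice\t/dev/sysmsg\n"
    "*.err;kern.debug;daemon.notice;mail.crit\t/var/adm/messages\n"
    "local2.warn\t@loghost\n"
)

# What the reply recommends: local2.debug so everything goes to loghost, and
# auth.info added to the selector that feeds /var/adm/messages.
FIXED_CONF = (
    "*.err;kern.notice;auth.notice\t/dev/sysmsg\n"
    "*.err;kern.debug;daemon.notice;mail.crit;auth.info\t/var/adm/messages\n"
    "local2.debug\t@loghost\n"
)

if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL_CONF), ("fixed", FIXED_CONF)):
        rules = parse_conf(conf)
        for fac, pri in (("local2", "debug"), ("local2", "warn"),
                         ("auth", "info"), ("auth", "notice")):
            print("%-8s %s.%-6s -> %s" % (name, fac, pri,
                                          route(rules, fac, pri) or "(dropped)"))
```

Running it shows the two failure modes from the thread side by side: under ORIGINAL_CONF a local2.debug message matches nothing and an auth.info message matches nothing, while local2.warn still reaches @loghost; under FIXED_CONF both are delivered. The same model can be pointed at a real file (read it, feed the text to parse_conf) to answer "where does facility.priority actually go" before trusting a loghost.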