Sponsored Content
Operating Systems Linux SuSE How do I make activities appear in SYSLOG file? Post 302946447 by JDBA on Tuesday 9th of June 2015 12:17:08 PM
Old 06-09-2015
Capture user and sytem activities for audit

agent.kgb
I'll go over the articles you recommend. Thank you,

rbatte1
I don't see /etc/syslog.conf or /etc/rsyslog.conf in my server.
Instead I have /etc/syslog-ng. This file has multiple lines of filter and destination. Is this the same file as /etc/syslog.conf or /etc/rsyslog.conf and I have to cofigure?
You said, "Be aware that the files usually need to exist when the syslog daemon (re-)reads the config file."
Do you mean the files under /var/log such as messages and mail.info files?

IRS wants my company to capture below items and send them to a SYSLOG server which is LogRhythm server for auditing purposes. I'd like to capture any activity listed and send them to SYSLOG server(LogRhythm).
I created some test files and directories and users and dropped them. I expected to see these activies in /var/log/messages and /etc/audit/audit.log files but didn't see them. How to collect these information and send them to SYSLOG server? What do I change or add in /etc/sysconfig-ng file?
Thank you,

***List of Log information IRS requires to collect in SYSLOG***
  • Successful login and logoff attempts
  • Unsuccessful login and authorization attempts
  • All identification and authentication attempts
  • All actions, connections and requests performed by privileged users
  • All changes to logical access control authorities (e.g., rights, permissions
  • System changes with the potential to compromise the integrity of audit -policy configurations, security policy configurations and audit record generation services.
  • Creation, modification and deletion of objects including files, directories and user accounts
  • Creation, modification and deletion of user accounts and group accounts
  • Creation, modification and deletion of user account and group account privileges
  • The date of the system event; ii)the time of the system event; iii) the type of system event initiated; and
  • the user account, system account, service or process responsible for initiating the system event.
  • System start-up and shutdown functions.
  • Modifications to administrator account(s) and administrator group account(s)including: i) escalation of user account privileges
  • commensurate with administrator-equivalent account(s); and ii) adding or deleting users from the administrator group account(s).
  • enabling or disabling of audit report generation services
  • command line changes, batch file changes and queries made to the system (e.g., operating system, application, and database

*****Some content of /var/syslog-ng file/*************************
Code:
filter f_iptables   { facility(kern) and match("IN=") and match("OUT="); };
 filter f_console    { level(warn) and facility(kern) and not filter(f_iptables)
                      or level(err) and not facility(authpriv); };
 filter f_newsnotice { level(notice) and facility(news); };
filter f_newscrit   { level(crit)   and facility(news); };
filter f_newserr    { level(err)    and facility(news); };
filter f_news       { facility(news); };
 filter f_mailinfo   { level(info)      and facility(mail); };
filter f_mailwarn   { level(warn)      and facility(mail); };
filter f_mailerr    { level(err, crit) and facility(mail); };
filter f_mail       { facility(mail); };
 filter f_cron       { facility(cron); };
 filter f_local      { facility(local0, local1, local2, local3,
                               local4, local5, local6, local7); };
 #
# acpid messages
#
filter f_acpid_full { match('^acpid:'); };
filter f_acpid      { level(emerg..notice) and match('^acpid:'); };
 # this is for the old acpid < 1.0.6
filter f_acpid_old  { match('^\[acpid\]:'); };
 filter f_netmgm     { match('^NetworkManager:'); };
 filter f_messages   { not facility(news, mail) and not filter(f_iptables); };
filter f_warn       { level(warn, err, crit) and not filter(f_iptables); };
filter f_alert      { level(alert); };
 destination netmgm { file("/var/log/NetworkManager"); };
log { source(src); filter(f_netmgm); destination(netmgm); flags(final); };
 
.
.
.
.
#
# Some boot scripts use/require local[1-7]:
#
destination localmessages { file("/var/log/localmessages"); };
log { source(src); filter(f_local); destination(localmessages); };
 
#
# All messages except iptables and the facilities news and mail:
#
destination messages { file("/var/log/messages"); };
log { source(src); filter(f_messages); destination(messages); };

Moderator's Comments:
Mod Comment
Please wrap all code, files, input & output/errors in CODE tags.
It makes them easier to read and preserves multiple spaces for indenting or fixed width data.

Last edited by rbatte1; 06-09-2015 at 01:34 PM.. Reason: Added CODE tags for config file. Converted text list to formatted list with LIST tags.
 

10 More Discussions You Might Find Interesting

1. UNIX for Advanced & Expert Users

Keeping an eye on all user activities

I am responsible for administering 6 Tru64UX servers. I need to keep an eye on all the commands executed by all the users. Is there a way where I can save the commands executed in a seperate folder and then keep checking the list every now and then. How can do it ? (5 Replies)
Discussion started by: shauche
5 Replies

2. UNIX for Advanced & Expert Users

Tracking activities of Users using a particular login.

Hi!! Experts, I have a typical scenario here in which several users have access to a particular login .. say "build". None of the users know the passwd for this login. The name of some of the user have been to .rhosts file. The users can connect only by doing a rlogin to this id and then... (4 Replies)
Discussion started by: jyotipg
4 Replies

3. Shell Programming and Scripting

patterns from logs and activities

hi, i need help writing shell scripts to define patterns of user activities on our apache. i thought about going through logfiles and other places where user activities are stored and use that data to define patterns of action. i want these patterns to be visualized then. now my... (3 Replies)
Discussion started by: rocketkids
3 Replies

4. Shell Programming and Scripting

Need for loop to do 2 activities

I need my for loop to do 2 things at a time. I have a script where I move the old files into archive directory and then i want to compress them. Presently I am using 2 for loops for it. How can i do it in 1 for loop. Code: after this i am compresing them in another for loop: (3 Replies)
Discussion started by: dsravan
3 Replies

5. Solaris

restricting users privileges and logging their activities

Hello, I'm administrating new installed cluster that runs Legato Networker and Oracle 9. And I want to restrict the use of root to my self and givr the application and DBA the proper and needed privileges to do their duties without hassle in addition I would like to log users activities. my... (0 Replies)
Discussion started by: sh_ksa
0 Replies

6. Shell Programming and Scripting

Script to log into unix box and do a set of activities

Hi all, I want to automate a set of activities i am doing daily.the activities in the order are: 1.loging in to the unix box. 2.sudo su - tsiap, give pwd 3. cd appsrv 4. cd log 5. run the below cmd one by one, if you find any query which has run for more than 5 secs, open the... (1 Reply)
Discussion started by: cybersandex
1 Replies

7. Programming

makeutility: how to get the make-file name inside of the make-file?

How I can get the current make-file name in a make-file So, if I run make with specified file:make -f target.mak is it possible to have the 'target' inside of the that 'target.mak' from the file name? (2 Replies)
Discussion started by: alex_5161
2 Replies

8. Shell Programming and Scripting

shell script for monitoring users activities

hi I need a shell script which runs perpetually in background and monitors different aspects of different users on different files and their usages for example say there r 3 users so i want when they log in i.e. their log in time and their file access, modify and change log of each file of a... (3 Replies)
Discussion started by: rrd1986
3 Replies

9. Solaris

SYSLOGS - Where can I find FTP activities

Greetings to all. I need help from the experts. I have been given a FTP server script that runs all day, looking for files that are FTP'd to our machines. Its hoaky I know, but there are times that files are sent but somehow get lost. Is there a logfile I can view to see when files are received? ... (1 Reply)
Discussion started by: Harleyrci
1 Replies

10. Programming

DB2 z/os How to Track table delete Activities

Dear Team I am using DB2 v10 z/os database . Need expert guidance to figure out best way to track table activities ( Ex Delete, Insert,Update ) Scenario We have a table which is critical and many developer/testing team access on daily basis . We had instance where some deleted entire table .... (1 Reply)
Discussion started by: Perlbaby
1 Replies
All times are GMT -4. The time now is 07:27 PM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy