I have just registered to the forum, and I am very glad I have joined.
I have a question about the syslog logging facility.
I am doing a security assessment for some servers that run on AIX. The admins have set up a syslog server and the following parameters are enabled in syslog.conf:
How can I know in detail (everything that is logged, not just a general description) which actions are being logged, by the syslog service on the syslog server?
Thank you!
Last edited by rbatte1; 06-26-2015 at 08:32 AM..
AIX has at least 3 logging facilities and 1 auditing facility.
Logging facilities are:
- syslog
- errlog
- alog
All three facilities do slightly different things. Through alog you can see e.g. boot-time or console messages. Errlog logs mostly hardware-related messages. Syslog is the standard UNIX logging mechanism.
If you do a security assessment, the usual question is: what must be logged in your branch and in your country? There are a lot of different regulations for different branches (financial, healthcare, stock exchanges, human resources, and so on) and in different countries; rules for a US-based company are not the same as rules for a European or a Chinese company.
All logging and auditing facilities must be configured according to your local requirements. It is not something a sysadmin has the right to decide; it is your local authorities who have the final word.
After you have your requirements it is easier to decide what should be written in a configuration file to receive the information you require on the central logging server. If you can't analyze the received information, because you've never seen UNIX logs, you have to hire some experienced guy, or you can try to post example log entries here (if they are not too sensitive for your organization) and forum members will try to explain the logs to you.
It really depends what you are trying to achieve and at what detail. You can get too much and struggle to cope (disk space, too much to filter etc.) so can you define what you need and we can work on the best options from there.
Hey guys, thank you so much for your replies, but the fact is that I have read all the official manuals extensively. Although the types and priorities of messages are defined in high-level areas, such as user-related or for audit purposes, the problem is that I could not find a comprehensive list of the exact actions that are being logged, e.g. what user.notice logs in detail.
The entries you have posted are default entries that come with the installation of IBM HACMP (now called PowerHA), the high availability software from IBM; check this: IBM Info Center.
There is no exact complete list that defines which application writes into those facilities, as far as I know. Though it is common sense that a mail server will most likely write to its own logs or write to the syslog daemon, and so address the config lines for the mail facility. Best may be to filter the log and see what is written there; usually there will be some kind of source, like [kernel] in Linux or a daemon that writes there. But if nothing happens and it is not written there, I doubt you will easily find out what could write there. Some software writes there, other software has its own logs, etc.
Maybe IBM developers know, which parts of their software will write to which facility. Or maybe some admin here can give a hint which things are written there just by experience, but I doubt it will be an exact full list.
You can see those facilities like mail, user, daemon, ... as a kind of bucket or filter which any application can "address", in the way that it flags its message with the appropriate facility and criticality when it writes to the system's syslog daemon. The severities are just an additional filter to sort where each type of message should go.
There is no such comprehensive list. Every application can call the functions openlog() and syslog(), specifying facility and priority for syslog messages they like. You can also do the same thing from the command line:
On one side you have applications (this is rather loosely defined; system tools might be among them), which use system calls to issue messages. Messages are grouped by "facilities" (local, user, audit, ....) and "severity" (info, warn, crit, ...). Each message belongs to exactly one facility and one severity.
Syslog is a daemon - syslogd - which collects all these messages. The syslog.conf file describes what syslogd should do with them: write them to a (certain) file, ignore them or send them to a remote destination. Notice, that the severity levels are ordered. Every rule for a certain level also affects all higher severities. Let us analyze your own example:
This means: all messages from the "local0" facility with severity "info" or higher ("info" is the second-lowest severity, "debug" the lowest) go to the file /var/hacmp/adm/cluster.log. The messages from the "local0" facility with severity "crit" and higher also go to the system console, and you will see them when you open the console from the HMC.
What exactly causes a certain message to be issued is a decision of the respective application: it issues a message and says this should go to facility "this" and with severity "that". Syslog then only collects this message and consults its rulebook syslog.conf about what to do with it.
I hope this helps.
bakunin
Last edited by bakunin; 06-27-2015 at 06:47 PM..
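The routing rule bakunin describes (a selector for severity S matches S and every more severe level, and a message can match several lines) can be modelled in a few lines. This is an added example, not code from the thread or from AIX; the syslog.conf fragment inside it is constructed to resemble the HACMP defaults discussed above.

```python
"""Model of how syslogd matches a message against syslog.conf selectors.
Added example; SAMPLE_CONF is constructed, not taken from a real AIX host."""
import re

# Severity order used by syslogd: lower index = more severe.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Alternative spellings commonly accepted in syslog.conf (assumption).
ALIASES = {"error": "err", "warn": "warning", "panic": "emerg", "*": "debug"}

SAMPLE_CONF = """
# constructed sample modelled on the HACMP defaults from the thread
local0.crit   /dev/console
local0.info   /var/hacmp/adm/cluster.log
user.notice   /var/adm/ras/syslog.user
*.emerg       @loghost
"""

def parse_conf(text):
    """Turn 'selector  action' lines into (facility, min_severity, action) rules.
    A selector may be 'fac1,fac2.sev' or '*.sev'; several selectors join with ';'."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = re.split(r"\s+", line, maxsplit=1)
        for sel in selector.split(";"):
            facilities, sev = sel.split(".")
            sev = ALIASES.get(sev, sev)
            for fac in facilities.split(","):
                rules.append((fac, sev, action))
    return rules

def route(rules, facility, severity):
    """Return the actions that receive a message tagged facility.severity.
    A rule for severity S matches S and every level more severe than S."""
    level = SEVERITIES.index(ALIASES.get(severity, severity))
    actions = []
    for fac, sev, action in rules:
        if fac in (facility, "*") and level <= SEVERITIES.index(sev):
            if action not in actions:
                actions.append(action)
    return actions

def demo():
    """Route four constructed messages through SAMPLE_CONF."""
    rules = parse_conf(SAMPLE_CONF)
    return {tag: route(rules, *tag.split(".")) for tag in
            ("local0.info", "local0.crit", "local0.debug", "kern.emerg")}

if __name__ == "__main__":
    for tag, dests in demo().items():
        print(f"{tag:13} -> {dests}")
```

Note that a local0.crit message lands in both the console and cluster.log, while local0.debug matches nothing, which is exactly the "or higher" behaviour explained above.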