Home Man
Search
Today's Posts
Register

SUSE Linux is a major operating system. The developer rights are owned by Novell, Inc.

How do I make activities appear in SYSLOG file?

Login to Reply

 
Thread Tools Search this Thread
# 1  
Old 06-04-2015
How do I make activities appear in SYSLOG file?

SUSE Linux 11 and 10 SP3.

I am trying to capture some of my activities in SYSLOG file, /var/log/messages.

To do this I created and dropped some test files and directories and users. But these activities are not captured in /var/log/messages. What should I do to make these activities appear in /var/log/messages file?


I see /var/log/audit/audit.log file in /etc/audit/auditd.conf
Is /var/log/audit/audit.log file another SYSLOG file?

I don't see my activities in both /var/log/messages and /var/log/audit/audit.log files.

Thank you,

Last edited by rbatte1; 06-05-2015 at 05:52 AM.. Reason: Removed all the font & colour settings, corrected log file to have leading / and set formatting where appropriate
# 2  
Old 06-04-2015
Check you logger
Quote:
logger - a shell command interface to the syslog(3) system log module
Regards
Peasant.

Last edited by rbatte1; 06-05-2015 at 05:48 AM.. Reason: Changed ICODE tags to QUOTE tags
# 3  
Old 06-05-2015
The syslog is usually configured by either /etc/syslog.conf or /etc/rsyslog.conf depending on your version (which I don't have, so cannot check)

Be aware that the files usually need to exist when the syslog daemon (re-)reads the config file.

What do you have configured? Are you wanting to actively log messages (use logger and the syslog daemon) or are you wanting to track activities automatically (user audit daemon) I've had real trouble with auditing flooding the server, so I've never persisted.



Robin
# 4  
Old 06-05-2015
audit is what you need if you like to capture users commands on your system. Audit is another subsystem and doesn't work through syslog.
For SLES take a look at this documentation:
https://www.suse.com/documentation/s...uickstart.html
https://www.suse.com/documentation/s.../audit_sp2.pdf
The Following User Says Thank You to agent.kgb For This Useful Post:
rbatte1 (06-05-2015)
# 5  
Old 06-09-2015
Capture user and sytem activities for audit

agent.kgb
I'll go over the articles you recommend. Thank you,

rbatte1
I don't see /etc/syslog.conf or /etc/rsyslog.conf in my server.
Instead I have /etc/syslog-ng. This file has multiple lines of filter and destination. Is this the same file as /etc/syslog.conf or /etc/rsyslog.conf and I have to cofigure?
You said, "Be aware that the files usually need to exist when the syslog daemon (re-)reads the config file."
Do you mean the files under /var/log such as messages and mail.info files?

IRS wants my company to capture below items and send them to a SYSLOG server which is LogRhythm server for auditing purposes. I'd like to capture any activity listed and send them to SYSLOG server(LogRhythm).
I created some test files and directories and users and dropped them. I expected to see these activies in /var/log/messages and /etc/audit/audit.log files but didn't see them. How to collect these information and send them to SYSLOG server? What do I change or add in /etc/sysconfig-ng file?
Thank you,

***List of Log information IRS requires to collect in SYSLOG***
  • Successful login and logoff attempts
  • Unsuccessful login and authorization attempts
  • All identification and authentication attempts
  • All actions, connections and requests performed by privileged users
  • All changes to logical access control authorities (e.g., rights, permissions
  • System changes with the potential to compromise the integrity of audit -policy configurations, security policy configurations and audit record generation services.
  • Creation, modification and deletion of objects including files, directories and user accounts
  • Creation, modification and deletion of user accounts and group accounts
  • Creation, modification and deletion of user account and group account privileges
  • The date of the system event; ii)the time of the system event; iii) the type of system event initiated; and
  • the user account, system account, service or process responsible for initiating the system event.
  • System start-up and shutdown functions.
  • Modifications to administrator account(s) and administrator group account(s)including: i) escalation of user account privileges
  • commensurate with administrator-equivalent account(s); and ii) adding or deleting users from the administrator group account(s).
  • enabling or disabling of audit report generation services
  • command line changes, batch file changes and queries made to the system (e.g., operating system, application, and database

*****Some content of /var/syslog-ng file/*************************
Code:
filter f_iptables   { facility(kern) and match("IN=") and match("OUT="); };
 filter f_console    { level(warn) and facility(kern) and not filter(f_iptables)
                      or level(err) and not facility(authpriv); };
 filter f_newsnotice { level(notice) and facility(news); };
filter f_newscrit   { level(crit)   and facility(news); };
filter f_newserr    { level(err)    and facility(news); };
filter f_news       { facility(news); };
 filter f_mailinfo   { level(info)      and facility(mail); };
filter f_mailwarn   { level(warn)      and facility(mail); };
filter f_mailerr    { level(err, crit) and facility(mail); };
filter f_mail       { facility(mail); };
 filter f_cron       { facility(cron); };
 filter f_local      { facility(local0, local1, local2, local3,
                               local4, local5, local6, local7); };
 #
# acpid messages
#
filter f_acpid_full { match('^acpid:'); };
filter f_acpid      { level(emerg..notice) and match('^acpid:'); };
 # this is for the old acpid < 1.0.6
filter f_acpid_old  { match('^\[acpid\]:'); };
 filter f_netmgm     { match('^NetworkManager:'); };
 filter f_messages   { not facility(news, mail) and not filter(f_iptables); };
filter f_warn       { level(warn, err, crit) and not filter(f_iptables); };
filter f_alert      { level(alert); };
 destination netmgm { file("/var/log/NetworkManager"); };
log { source(src); filter(f_netmgm); destination(netmgm); flags(final); };
 
.
.
.
.
#
# Some boot scripts use/require local[1-7]:
#
destination localmessages { file("/var/log/localmessages"); };
log { source(src); filter(f_local); destination(localmessages); };
 
#
# All messages except iptables and the facilities news and mail:
#
destination messages { file("/var/log/messages"); };
log { source(src); filter(f_messages); destination(messages); };

Moderator's Comments:
How do I make activities appear in SYSLOG file?
Please wrap all code, files, input & output/errors in CODE tags.
It makes them easier to read and preserves multiple spaces for indenting or fixed width data.

Last edited by rbatte1; 06-09-2015 at 12:34 PM.. Reason: Added CODE tags for config file. Converted text list to formatted list with LIST tags.
# 6  
Old 06-09-2015
Quote:
Originally Posted by JDBA
agent.kgb
rbatte1
I don't see /etc/syslog.conf or /etc/rsyslog.conf in my server.
Instead I have /etc/syslog-ng. This file has multiple lines of filter and destination. Is this the same file as /etc/syslog.conf or /etc/rsyslog.conf and I have to cofigure?
You said, "Be aware that the files usually need to exist when the syslog daemon (re-)reads the config file."
Do you mean the files under /var/log such as messages and mail.info files?
Yes, the output files (usually in /var/log) need to exist. I've not come accross /etc/syslog-ng before. Can you clarify which version you are running by pasting the output from uname -a? Remove the server name if you wish.
# 7  
Old 06-09-2015
Code:
uname -a
Linux XXXXXX_1-2 2.6.32.54-0.41.TDC.1.R.1-default #1 SMP 2014-06-26 09:56:55 +0200 x86_64 x86_64 x86_64 GNU/Linux

I believe it is Suse 11.
Thank you,

Last edited by rbatte1; 06-10-2015 at 05:13 AM.. Reason: Removed colour and font formatting. Added CODE tags.
Login to Reply

« Previous Thread | Next Thread »
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

More UNIX and Linux Forum Topics You Might Find Helpful
Thread Thread Starter Forum Replies Last Post
SYSLOGS - Where can I find FTP activities Harleyrci Solaris 1 03-08-2011 10:26 AM
shell script for monitoring users activities rrd1986 Shell Programming and Scripting 3 08-27-2010 09:31 AM
May i know the day to day activities of a Solaris system administrator? Sesha Solaris 4 05-11-2010 01:34 AM
makeutility: how to get the make-file name inside of the make-file? alex_5161 Programming 2 09-17-2009 05:57 PM
Script to log into unix box and do a set of activities cybersandex Shell Programming and Scripting 1 10-02-2008 03:42 AM
restricting users privileges and logging their activities sh_ksa Solaris 0 03-16-2007 06:38 AM
Need for loop to do 2 activities dsravan Shell Programming and Scripting 3 08-16-2006 02:59 AM
patterns from logs and activities rocketkids Shell Programming and Scripting 3 02-10-2004 05:45 AM
Tracking activities of Users using a particular login. jyotipg UNIX for Advanced & Expert Users 4 08-04-2003 11:43 AM
Keeping an eye on all user activities shauche UNIX for Advanced & Expert Users 5 05-19-2003 06:07 PM


All times are GMT -4. The time now is 08:47 AM.

Unix & Linux Forums Content Copyrightę1993-2018. All Rights Reserved.
UNIX.COM Login
Username:
Password:  
Show Password