How do I make activities appear in SYSLOG file?

#1 JDBA (Registered User), 06-04-2015

SUSE Linux 11 and 10 SP3.

I am trying to capture some of my activities in the SYSLOG file, /var/log/messages.

To do this I created and dropped some test files and directories and users. But these activities are not captured in /var/log/messages. What should I do to make these activities appear in /var/log/messages file?


I see the /var/log/audit/audit.log file in /etc/audit/auditd.conf.
Is the /var/log/audit/audit.log file another SYSLOG file?

I don't see my activities in either /var/log/messages or /var/log/audit/audit.log.

Thank you,

Last edited by rbatte1; 06-05-2015 at 05:52 AM.. Reason: Removed all the font & colour settings, corrected log file to have leading / and set formatting where appropriate
#2 Peasant (Forum Advisor), 06-04-2015
Check your logger
Quote:
logger - a shell command interface to the syslog(3) system log module
Regards
Peasant.

Last edited by rbatte1; 06-05-2015 at 05:48 AM.. Reason: Changed ICODE tags to QUOTE tags
#3 rbatte1 (Forum Staff), 06-05-2015
The syslog is usually configured by either /etc/syslog.conf or /etc/rsyslog.conf depending on your version (which I don't have, so cannot check).

Be aware that the files usually need to exist when the syslog daemon (re-)reads the config file.

What do you have configured? Are you wanting to actively log messages (use logger and the syslog daemon) or are you wanting to track activities automatically (user audit daemon)? I've had real trouble with auditing flooding the server, so I've never persisted.



Robin
#4 agent.kgb (Registered User), 06-05-2015
audit is what you need if you'd like to capture users' commands on your system. Audit is another subsystem and doesn't work through syslog.
For SLES take a look at this documentation:
https://www.suse.com/documentation/s...uickstart.html
https://www.suse.com/documentation/s.../audit_sp2.pdf
#5 JDBA (Registered User), 06-09-2015

Capture user and system activities for audit

agent.kgb
I'll go over the articles you recommend. Thank you,

rbatte1
I don't see /etc/syslog.conf or /etc/rsyslog.conf in my server.
Instead I have /etc/syslog-ng. This file has multiple lines of filter and destination. Is this the same as /etc/syslog.conf or /etc/rsyslog.conf, and is it the file I have to configure?
You said, "Be aware that the files usually need to exist when the syslog daemon (re-)reads the config file."
Do you mean the files under /var/log such as messages and mail.info files?

The IRS wants my company to capture the items below and send them to a SYSLOG server, a LogRhythm server, for auditing purposes. I'd like to capture any activity listed and send it to the SYSLOG server (LogRhythm).
I created some test files and directories and users and dropped them. I expected to see these activities in the /var/log/messages and /etc/audit/audit.log files but didn't see them. How do I collect this information and send it to the SYSLOG server? What do I change or add in the /etc/sysconfig-ng file?
Thank you,

***List of Log information IRS requires to collect in SYSLOG***
  • Successful login and logoff attempts
  • Unsuccessful login and authorization attempts
  • All identification and authentication attempts
  • All actions, connections and requests performed by privileged users
  • All changes to logical access control authorities (e.g., rights, permissions)
  • System changes with the potential to compromise the integrity of audit-policy configurations, security policy configurations and audit record generation services
  • Creation, modification and deletion of objects including files, directories and user accounts
  • Creation, modification and deletion of user accounts and group accounts
  • Creation, modification and deletion of user account and group account privileges
  • The date of the system event; ii) the time of the system event; iii) the type of system event initiated; and the user account, system account, service or process responsible for initiating the system event
  • System start-up and shutdown functions
  • Modifications to administrator account(s) and administrator group account(s) including: i) escalation of user account privileges commensurate with administrator-equivalent account(s); and ii) adding or deleting users from the administrator group account(s)
  • Enabling or disabling of audit report generation services
  • Command line changes, batch file changes and queries made to the system (e.g., operating system, application, and database)

***** Some content of /var/syslog-ng file *****


Code:
filter f_iptables   { facility(kern) and match("IN=") and match("OUT="); };
filter f_console    { level(warn) and facility(kern) and not filter(f_iptables)
                      or level(err) and not facility(authpriv); };
filter f_newsnotice { level(notice) and facility(news); };
filter f_newscrit   { level(crit)   and facility(news); };
filter f_newserr    { level(err)    and facility(news); };
filter f_news       { facility(news); };
filter f_mailinfo   { level(info)      and facility(mail); };
filter f_mailwarn   { level(warn)      and facility(mail); };
filter f_mailerr    { level(err, crit) and facility(mail); };
filter f_mail       { facility(mail); };
filter f_cron       { facility(cron); };
filter f_local      { facility(local0, local1, local2, local3,
                               local4, local5, local6, local7); };
#
# acpid messages
#
filter f_acpid_full { match('^acpid:'); };
filter f_acpid      { level(emerg..notice) and match('^acpid:'); };
# this is for the old acpid < 1.0.6
filter f_acpid_old  { match('^\[acpid\]:'); };
filter f_netmgm     { match('^NetworkManager:'); };
filter f_messages   { not facility(news, mail) and not filter(f_iptables); };
filter f_warn       { level(warn, err, crit) and not filter(f_iptables); };
filter f_alert      { level(alert); };
destination netmgm { file("/var/log/NetworkManager"); };
log { source(src); filter(f_netmgm); destination(netmgm); flags(final); };

.
.
.
.
#
# Some boot scripts use/require local[1-7]:
#
destination localmessages { file("/var/log/localmessages"); };
log { source(src); filter(f_local); destination(localmessages); };

#
# All messages except iptables and the facilities news and mail:
#
destination messages { file("/var/log/messages"); };
log { source(src); filter(f_messages); destination(messages); };

Moderator's Comments:
Please wrap all code, files, input & output/errors in CODE tags.
It makes them easier to read and preserves multiple spaces for indenting or fixed width data.

Last edited by rbatte1; 06-09-2015 at 12:34 PM.. Reason: Added CODE tags for config file. Converted text list to formatted list with LIST tags.
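As an added example (not code from the thread or from the SUSE documentation agent.kgb links), one way to cover the IRS list in post #5 along the lines posts #2 to #4 describe: auditd rules keyed per requirement (audit, not syslog, records the file/user changes), audispd's builtin syslog plugin to hand audit records to syslog, and a syslog-ng destination for the collector. Assumed: SLES with auditd plus audispd, syslog-ng using the stock source(src) and f_messages shown above, and a placeholder collector name and staging directory.

```shell
#!/bin/sh
# Added example: stage audit rules and a syslog-ng forwarding path for the IRS list.
# Files go under $ROOT (default: a staging dir) for review before copying to /etc.
# Assumed: auditd + audispd builtin syslog plugin, syslog-ng with the stock SLES
# source(src) and f_messages; COLLECTOR is a placeholder for the LogRhythm host.
ROOT="${ROOT:-/tmp/audit-staging}"
COLLECTOR="${COLLECTOR:-logrhythm.example.invalid}"
write_audit_rules() {   # $1 = root; the -k keys make each requirement searchable
    mkdir -p "$1/etc/audit"
    cat > "$1/etc/audit/audit.rules" <<'EOF'
-D
-b 8192
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/sudoers -p wa -k privilege
-w /etc/pam.d/ -p wa -k auth_policy
-w /etc/audit/ -p wa -k audit_config
-w /var/log/lastlog -p wa -k logins
-w /var/log/wtmp -p wa -k session
# auid>=1000 = real users (match UID_MIN in /etc/login.defs); unset loginuid excluded
-a always,exit -F arch=b64 -S creat,mkdir,unlink,unlinkat,rmdir,rename -F auid>=1000 -F auid!=4294967295 -k objects
-a always,exit -F arch=b32 -S creat,mkdir,unlink,unlinkat,rmdir,rename -F auid>=1000 -F auid!=4294967295 -k objects
-a always,exit -F arch=b64 -S execve -F euid=0 -k priv_cmd
-e 1
EOF
}
write_audisp_syslog() { # audit records -> syslog facility local6 (facility arg needs audit 2.2+)
    mkdir -p "$1/etc/audisp/plugins.d"
    cat > "$1/etc/audisp/plugins.d/syslog.conf" <<'EOF'
active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO LOG_LOCAL6
format = string
EOF
}
write_syslogng_forward() { # append to syslog-ng.conf (syslog-ng.conf.in on SLES)
    mkdir -p "$1/etc/syslog-ng"
    cat > "$1/etc/syslog-ng/forward-logrhythm.conf" <<EOF
filter f_security { facility(auth, authpriv, local6); };
destination d_logrhythm { tcp("$COLLECTOR" port(514)); };
log { source(src); filter(f_security); destination(d_logrhythm); };
log { source(src); filter(f_messages); destination(d_logrhythm); };
EOF
}
stage_all() { write_audit_rules "$1" && write_audisp_syslog "$1" && write_syslogng_forward "$1"; }
stage_all "$ROOT" && echo "staged under $ROOT: review, copy to /, then auditctl -R /etc/audit/audit.rules and restart syslog-ng"
```

After deploying, Peasant's logger suggestion gives the end-to-end check: `logger -p local6.info -t fwd-test "forwarding check"` should arrive at the collector through the same path as the audit records.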
#6 rbatte1 (Forum Staff), 06-09-2015
Quote (Originally Posted by JDBA):
agent.kgb
rbatte1
I don't see /etc/syslog.conf or /etc/rsyslog.conf in my server.
Instead I have /etc/syslog-ng. This file has multiple lines of filter and destination. Is this the same file as /etc/syslog.conf or /etc/rsyslog.conf and I have to configure?
You said, "Be aware that the files usually need to exist when the syslog daemon (re-)reads the config file."
Do you mean the files under /var/log such as messages and mail.info files?
Yes, the output files (usually in /var/log) need to exist. I've not come across /etc/syslog-ng before. Can you clarify which version you are running by pasting the output from uname -a? Remove the server name if you wish.
#7 JDBA (Registered User), 06-09-2015

Code:
uname -a
Linux XXXXXX_1-2 2.6.32.54-0.41.TDC.1.R.1-default #1 SMP 2014-06-26 09:56:55 +0200 x86_64 x86_64 x86_64 GNU/Linux

I believe it is Suse 11.
Thank you,

Last edited by rbatte1; 06-10-2015 at 05:13 AM.. Reason: Removed colour and font formatting. Added CODE tags.