LinuxQuestions.org


sancho5 02-22-2002 07:46 AM

correct sudo logging in RedHat
 
Greetz all,

I'm trying to set up sudo to log to /var/log/sudo and have run into the problem that instead of logging only sudo commands, my entire system log is writing to this file. (RH 7.2)

I've added the following lines to the bottom of my /etc/syslog.conf:

!sudo
*.* /var/log/sudo

And then touch'ed the file /var/log/sudo and HUP'd the syslogd.

I've mirrored this config from a BSD box I'm running also, but instead of logging only sudo activity, I'm logging every event in syslog to /var/log/sudo. I suspect that it is because I specified *.* for the events, but like I said, this is mirroring a BSD config that functions correctly. Any hints?
TIA

Margie 05-07-2004 08:52 AM

sudo logging
 
I work primarily with AIX.

You're right, the *.* will pick up all logging.

You can use the sudoers file (visudo) and add the following entry which will only log sudo commands:

Defaults: log_year, logfile=/var/log/sudo.log

(Use tab to type "log_year,...)

This will log only the current host.

If you want to also log to an alternate host, you can use the /etc/syslog.conf, which is what you're probably using now.

You can read more about it at: www.komar.org/pres/sudo/syslog14.html for syslog.conf entries.

IBM support suggested that you can use "local2.debug" instead of *.* or "local2.info"

I'm trying to get sudo to log using syslogd, but no success - not even with *.*

Hope this helps.
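
The facility-based setup discussed in this thread, written out as an added example (not part of either post). It assumes sudo is built with syslog support and that nothing else on the host logs to local2; the log host name is a hypothetical placeholder.

```conf
# --- /etc/sudoers (edit with visudo) ---
# Send sudo's messages to syslog under a facility nothing else uses.
# local2 is the facility mentioned in the thread; any unused local0-local7 works.
Defaults    syslog=local2

# --- /etc/syslog.conf as posted (BSD style), shown commented out ---
# "!sudo" is a BSD syslogd program filter. A syslogd without that feature
# does not scope the following rule to sudo, so "*.*" matches every message.
#!sudo
#*.*            /var/log/sudo

# --- /etc/syslog.conf, selecting by facility instead ---
# facility.priority matches that priority and everything above it, so
# local2.debug captures all sudo messages sent to local2 and nothing
# from other facilities.
local2.debug    /var/log/sudo

# Optional: also forward the same messages to a central log host
# (hypothetical name), so a local root user cannot silently edit the only copy.
#local2.debug    @loghost.example.com
```

As in the original post, create /var/log/sudo and send syslogd a HUP after editing. If an existing catch-all rule also matches local2, add `local2.none` to that rule to keep sudo entries out of the general log.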






All times are GMT -5.