LinuxQuestions.org
Old 10-04-2010, 06:36 PM   #1
kaplan71
Member
 
Registered: Nov 2003
Posts: 718

Rep: Reputation: 39
secure log file entries not appearing in loganalyzer


Hi there --

I am testing LogAnalyzer 3.0, with several Linux servers configured to send their log files to the central server. All Linux servers use syslog as the daemon of choice.

While it does appear that LogAnalyzer is working somewhat, I noticed that a particular log file present on all servers, secure, does not have any entries appearing at the central server. The configuration of the secure file, via the /etc/syslog.conf file, on all servers is shown below:

Code:
# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

Do I need to make any additional modifications to the syslog.conf or any other file? Thanks.
 
Old 10-04-2010, 07:00 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,561
Blog Entries: 54

Rep: Reputation: 2927
Unless this line is preceded by one sending this specific facility / priority pair (or everything) to your remote server it's only sending them to a file?
 
Old 10-04-2010, 08:11 PM   #3
kaplan71
Member
 
Registered: Nov 2003
Posts: 718

Original Poster
Rep: Reputation: 39
Hi there --

Thanks for your reply. If I understand you correctly, should the syntax be as follows:

Code:
*.*                                                     @<ip address>
# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

I do have the line:

Code:
*.*                                                     @<ip address>

already at the beginning of the file so shouldn't that be enough?
 
Old 10-05-2010, 02:02 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,561
Blog Entries: 54

Rep: Reputation: 2927
Yes it should. Can you confirm that if you use Mike Hammer's famous 'logger -p authpriv.emerg -t test "Trust me, I know what I'm doing."' quote on one of the clients this message at least gets sent and received using tcpdump to capture packets on both client and server?
 
Old 10-05-2010, 02:52 PM   #5
kaplan71
Member
 
Registered: Nov 2003
Posts: 718

Original Poster
Rep: Reputation: 39
Hi there --

I ran the logger command with the 'recommended' syntax, and while the message did appear on-screen, there was no reference to it in any log file on the client, nor did it appear on the central log server.

The entries from the /var/log/messages file do make it to the central server, but so far those are the only ones that do make it.
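
To read the result of the logger/tcpdump test suggested in post #4, the following added example (not part of the original thread) decodes the `<PRI>` prefix of syslog datagram payloads, where PRI = facility * 8 + severity, so an authpriv.emerg message starts with `<80>`. The sample payloads are constructed, and feeding payloads one per line on standard input is an assumption about how they are taken out of a capture.

```python
# Added example: decode the <PRI> prefix of syslog payloads to see which
# facilities actually reach the central server.
import re
import sys
from collections import Counter

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(rb"^<(\d{1,3})>(.*)", re.DOTALL)


def decode(payload: bytes):
    """Return (facility, severity, text), or None if there is no valid PRI."""
    m = PRI_RE.match(payload)
    if not m or int(m.group(1)) > 191:      # 191 = local7.debug, the highest PRI
        return None
    fac, sev = divmod(int(m.group(1)), 8)   # PRI = facility * 8 + severity
    if fac < len(FACILITIES):
        name = FACILITIES[fac]
    elif 16 <= fac <= 23:
        name = "local%d" % (fac - 16)
    else:
        name = "facility%d" % fac           # 12-15 carry no name in this table
    return name, SEVERITIES[sev], m.group(2).decode("utf-8", "replace").strip()


def facility_counts(payloads):
    """Count decodable payloads per facility; 'invalid' collects the rest."""
    counts = Counter()
    for p in payloads:
        d = decode(p)
        counts[d[0] if d else "invalid"] += 1
    return counts


# Constructed payloads (not captured from the hosts in this thread).
SAMPLE = [
    b"<80>test: Trust me, I know what I'm doing.",  # authpriv.emerg (logger test)
    b"<13>kaplan: ordinary user.notice message",    # user.notice
    b"<30>ntpd[812]: synchronized",                 # daemon.info
    b"no priority header",                          # not a syslog payload
]

if __name__ == "__main__":
    # Assumption: one datagram payload per line on stdin.
    for line in sys.stdin.buffer:
        print(decode(line))
```

If the central server's capture shows payloads for other facilities but none beginning with `<80>` through `<87>`, the authpriv messages are being lost before they reach it.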
 
  

