SUSE 10.3: How to enable logging for network activity and etc
 

I want to have all network activity going into and out of my SUSE 10.3.
And also sshd sessions, successful and failed authentication and sessions.
Remote Administration too.

This means I should select LOG ALL at yast2 firewall?
Then which log file should I look at? At /var/log?

I don't use SuSE and I don't know YAST. However basics remain the same: logging "basic" network traffic details only requires iptables -j LOG rules for all chains, and SSH sessions get logged using PAM (/etc/pam.d/ssh.*). "Remote Administration" is just a term and does not refer to a specific method. Ask yourself *how*, or using what means, "remote administration" is done and you'll soon recognise the services, software and authentication methods that are involved.


Anything logged through the kernel, unless configured otherwise, will be handled by syslog. So looking at /etc/syslog.conf or equivalent, should show. Services and processes that have their own configuration files may use the Syslog facilities or use their own logfiles. In closing the easiest ways IMHO to see which logfiles in a directory are in use are: 'lsof -w -n +D/var/log|awk '{print $NF}'|sort|uniq' (fast) and 'find /var/log -type f -print0 2>/dev/null|xargs -0 -iL fuser 'L'' (slow).


HTH

Hmm. Just curious, but there is ulogd for iptables. Does it work through syslog as well?

Good point mentioning that. And if the docs say it will, then why wouldn't it?

Who knows? Do they? The docs I read didn't mention the type of mechanism used by the ulog target to acually write the log. But then, SuSE 10.0 didn't include ulogd, so my research might have stayed too cursory...

Yes they do.

Look at /etc/syslog-ng/syslog-ng.conf. It's well commented and references more documentation.

Thanks for the info to both of you.