LinuxQuestions.org
Linux - Newbie: SYS log issues, or Event Log Analyzer issue? (https://www.linuxquestions.org/questions/linux-newbie-8/sys-log-issues-or-event-log-analyzer-issue-4175616713/)

RedJoker 10-31-2017 08:53 AM

SYS log issues, or Event Log Analyzer issue?
 
I am having an issue finding out when someone logs in as the root user on our Linux machines. We currently have 4 machines that all send logs to our Windows server/ELA. Through ELA I can find SSH logins to root but not the direct logins. If I use PuTTY I can use the command "aureport --auth" and the direct root logins show up as /usr/bin/xdm. I was wondering if anyone knew how to get ELA, or how to edit the syslog-ng.conf file, to forward these "xdm" logins from root to ELA. I looked at the baseline syslog-ng config file and nothing is changed from what I can see. This has been going on for about 5-6 months or so now and the only workaround is to SSH/PuTTY into each Linux server we have and run that "aureport --auth" as su, and that is too much time haha. Any help would be great!

TB0ne 10-31-2017 09:44 AM


You can try putting (UNTESTED, see syslog-ng docs)
Code:

# Whatever destination you have now (the local file, or the destination that
# already forwards to the Windows server/ELA)
destination syslog { file("/var/log/syslog"); };
# Set up a filter. xdm authenticates through PAM, which logs to the auth and
# authpriv facilities; syslog-ng has no "console" facility, and level() takes
# a priority or a priority range rather than "facility.priority"
filter f_auth { facility(auth, authpriv) and level(info..emerg); };
# Send the data (the source name depends on the distro's default config:
# src, s_src or s_sys are common)
log { source(src); filter(f_auth); destination(syslog); };

...and see if it captures console events. You may also want to shove something into the root .profile/.bashrc to run a little bash script. Use the logger command in it to shove out a message like:
Code:

User <user name> logged in to console at <date and time>
...which will do what you're after. Getting the message to syslog is all you really need.
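As an added example (my code, not TB0ne's or anything from the thread), here is a hook of the kind that post describes, written to be sourced from /root/.profile. It works out from the environment whether root arrived over SSH, through an xdm/graphical session or on a local console, and ships one line through logger on the authpriv facility so an auth/authpriv syslog-ng filter forwards it with the other authentication events. The tag root-login and the key=value layout are my own choices.

```shell
# Added example (not from the thread): a hook to be sourced from /root/.profile.
# It describes how root obtained this session and ships one line to syslog
# through logger(1). The "root-login" tag and the key=value layout are assumptions.

# describe_session USER TTY SSH_CONNECTION DISPLAY
# Pure function (no side effects) so the classification can be tested.
describe_session() {
    user=$1; tty=$2; ssh_conn=$3; display=$4
    if [ -n "$ssh_conn" ]; then
        # sshd exports SSH_CONNECTION="client_ip client_port server_ip server_port"
        via=ssh; from=${ssh_conn%% *}
    elif [ -n "$display" ]; then
        # an xdm/gdm session sets DISPLAY and normally has no controlling tty
        via=xdm; from=$display
    else
        via=console; from=local
    fi
    printf 'user=%s via=%s from=%s tty=%s\n' "$user" "$via" "$from" "${tty:-none}"
}

# log_root_login: reads the live environment and only acts for uid 0.
log_root_login() {
    [ "$(id -u)" -eq 0 ] || return 0
    t=$(tty 2>/dev/null) || t=""
    msg=$(describe_session "$(id -un)" "$t" "${SSH_CONNECTION:-}" "${DISPLAY:-}")
    if command -v logger >/dev/null 2>&1; then
        # authpriv.notice lands where PAM writes (/var/log/secure or auth.log)
        # and is matched by an auth/authpriv syslog-ng filter that forwards to ELA.
        # Never let a logging failure break root's login shell; report it instead.
        logger -p authpriv.notice -t root-login -- "$msg" || printf 'root-login: logger failed\n' >&2
    fi
}

log_root_login
```

Treat this as a convenience, not the record: .profile is only read by interactive login shells that choose to read it, an xdm session may never source it, and root can edit it. The PAM entries in /var/log/secure and the auditd records that aureport reads remain the authoritative evidence; the hook just adds a line in a shape ELA can search on.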

MadeInGermany 11-02-2017 03:07 AM

I think most if not all system access goes through PAM.
So it is actually safer to watch the PAM log, /var/log/secure in many distros.
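To show what watching the PAM log buys over the SSH-only view ELA was giving, here is an added example (my code, not from the thread) that pulls root session opens out of /var/log/secure-style lines. The six log lines are constructed for the demo; on a real server the input is the log file itself. It separates the direct xdm/login entries the original poster could not see from the sshd ones, and it also surfaces su to root, which is an escalation rather than a login and is easy to miss when only "logins" are searched.

```shell
# Added example (not from the thread): pull root session opens out of PAM log
# lines of the kind found in /var/log/secure. The sample lines below are
# constructed for the demo; the real file on each server is the input.
SAMPLE_SECURE='Oct 31 08:40:12 host xdm: pam_unix(xdm:session): session opened for user root by (uid=0)
Oct 31 08:41:03 host sshd[2201]: pam_unix(sshd:session): session opened for user root by (uid=0)
Oct 31 08:42:10 host login: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Oct 31 08:43:55 host su: pam_unix(su:session): session opened for user root by alice(uid=1000)
Oct 31 08:44:01 host sshd[2250]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Oct 31 08:45:00 host sshd[2260]: pam_unix(sshd:session): session closed for user root'

# root_logins [SERVICE_REGEX]
# Reads log lines on stdin and prints "<timestamp> <pam service> <opened by>"
# for every root session open whose PAM service matches SERVICE_REGEX (default: any).
root_logins() {
    awk -v want="${1:-.}" '
    /pam_unix\([^:]+:session\): session opened for user root / {
        ts = $1 " " $2 " " $3
        # the PAM service name sits inside pam_unix(<service>:session)
        match($0, /pam_unix\([^:]+:session\)/)
        svc = substr($0, RSTART + 9, RLENGTH - 18)
        if (svc !~ want) next
        # "by X(uid=N)": an empty X means the daemon itself authenticated root;
        # "by alice(uid=1000)" under su is an escalation, not a login
        by = $0; sub(/.* by /, "", by)
        print ts, svc, by
    }'
}

# Direct (non-SSH) root logins, the ones ELA was not showing:
printf '%s\n' "$SAMPLE_SECURE" | root_logins 'xdm|login'
```

Run it against the real file with `root_logins < /var/log/secure` (or `journalctl -o short | root_logins` on systemd hosts); the same lines, once the auth/authpriv facilities are forwarded by syslog-ng, are what ELA needs to index.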

