SYS log issues, or Event Log Analyzer issue?
I am having an issue finding out when someone logs in as Root user on our Linux machines. We currently have 4 machines that all send logs to our Windows server/ELA. Through ELA I can find ssh logins to root but not the direct logins. If I use PuTTY I can use the command "aureport --auth" and the direct Root logins show up as usr/bin/xdm. I was wondering if anyone knew how to get ELA, or how to edit the syslog-ng.conf file, to forward these "xdm" logins from root to ELA. I looked at the baseline syslog-ng config file and nothing is changed from what I can see. This has been going on for about 5-6 months or so now, and the only workaround is to SSH/PuTTY into each Linux server we have and run that aureport --auth as a SU, and that is too much time haha. Any help would be great!
Quote:
Code:
# Whatever destination you have now
Code:
User <user name> logged in to console at <date and time>
I think most, if not all, system access goes through PAM.
So it is actually safer to watch the PAM log, /var/log/secure in many distros.
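Following the suggestion above to watch the PAM log, this added example (not code from the thread) picks root session-open records out of /var/log/secure-style lines and separates direct logins such as xdm from ssh, su and cron sessions. The service-name lists and the sample lines are assumptions constructed for illustration.

```python
import re

# pam_unix "session opened" record as found in /var/log/secure.
# Accepts both "for user root by" and the newer "for user root(uid=0) by".
PAM_OPEN = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s\S+:\s"
    r"pam_unix\((?P<service>[\w.-]+):session\):\s"
    r"session opened for user (?P<user>[^\s(]+)(?:\(uid=\d+\))?\sby\s"
    r"(?P<by>[^\s(]*)\(uid=(?P<by_uid>\d+)\)"
)

# Assumption: PAM service names treated as console/display-manager logins.
DIRECT = {"xdm", "gdm", "gdm-password", "kdm", "lightdm", "login"}
REMOTE = {"sshd"}

def root_sessions(lines, user="root"):
    """Return one dict per session opened for `user`, tagged by login path."""
    events = []
    for line in lines:
        m = PAM_OPEN.match(line.strip())
        if m is None or m["user"] != user:
            continue
        svc = m["service"]
        # cron and su also open root sessions; keep them out of "direct".
        kind = "direct" if svc in DIRECT else "remote" if svc in REMOTE else "other"
        events.append({"ts": m["ts"], "host": m["host"], "service": svc,
                       "kind": kind, "by": m["by"] or None})
    return events

# Constructed sample lines, not taken from the thread.
SAMPLE = [
    "Mar  3 09:12:44 host1 xdm[2211]: pam_unix(xdm:session): session opened for user root by (uid=0)",
    "Mar  3 09:15:02 host1 sshd[2302]: pam_unix(sshd:session): session opened for user root by (uid=0)",
    "Mar  3 09:16:01 host1 crond[2310]: pam_unix(crond:session): session opened for user root by (uid=0)",
    "Mar  3 09:20:10 host2 su: pam_unix(su:session): session opened for user root by alice(uid=1000)",
    "Mar  3 09:22:31 host2 sshd[2400]: pam_unix(sshd:session): session opened for user alice by (uid=0)",
    "Mar  3 09:30:05 host3 login[911]: pam_unix(login:session): session opened for user root(uid=0) by LOGIN(uid=0)",
]

if __name__ == "__main__":
    for e in root_sessions(SAMPLE):
        print(f'{e["ts"]} {e["host"]} {e["kind"]:6} via {e["service"]}')
```
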