Quote:
Originally Posted by RedJoker
I am having an issue finding out when someone logs in as the root user on our Linux machines. We currently have 4 machines that all send logs to our Windows server/ELA. Through ELA I can find SSH logins to root but not the direct logins. If I use PuTTY I can use the command "aureport --auth" and the direct root logins show up as /usr/bin/xdm. I was wondering if anyone knew how to get ELA, or how to edit the syslog-ng.conf file, to forward these "xdm" logins from root to ELA. I looked at the baseline syslog-ng config file and nothing is changed from what I can see. This has been going on for about 5-6 months or so now and the only workaround is to SSH/PuTTY into each Linux server we have and run that "aureport --auth" as su, and that is too much time haha. Any help would be great!
You can try putting (UNTESTED, see the syslog-ng docs):
Code:
# Whatever destination you have now (swap in the one that forwards to ELA)
destination syslog { file("/var/log/syslog"); };
# Set up a filter: PAM/xdm login records arrive on the auth/authpriv facilities;
# syslog-ng takes facility() and level() as separate filter terms
filter f_info { facility(auth, authpriv) and level(info..emerg); };
# Send the data (assumes a source named "src" is already defined in your config)
log { source(src); filter(f_info); destination(syslog); };
...and see if it captures console events. You may also want to shove something into the root .profile/.bashrc to run a little bash script. Use the logger command in it to shove out a message like:
Code:
User <user name> logged in to console at <date and time>
...which will do what you're after. Getting the message to syslog is all you really need.
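Here is the .profile/.bashrc approach from the reply above written out as an added example (not code from the original post). It only fires for interactive shells without SSH environment variables, so SSH logins are left to the records ELA already sees; the authpriv facility and the root-console tag are this example's own choices and assume syslog-ng forwards authpriv to the central server.

```sh
#!/bin/sh
# Added example: source this from root's .profile or .bashrc so a local
# (xdm/console) root login emits one syslog line via logger(1).

# Build the message text. Arguments: user name, tty or display, timestamp.
build_login_message() {
    printf 'User %s logged in to console at %s (tty=%s)' "$1" "$3" "$2"
}

# Treat the session as a console login when neither SSH_CONNECTION nor
# SSH_CLIENT is set (sshd exports both for remote sessions).
is_console_login() {
    [ -z "${SSH_CONNECTION:-}" ] && [ -z "${SSH_CLIENT:-}" ]
}

# Emit to syslog. Facility authpriv and tag root-console are assumptions
# of this example; match the tag in ELA to pick these lines out.
send_login_message() {
    msg=$(build_login_message "$1" "$2" "$3")
    logger -p authpriv.notice -t root-console -- "$msg"
}

# Only act for an interactive shell ($- contains "i") on a local console.
case $- in
    *i*)
        if is_console_login; then
            send_login_message \
                "$(id -un)" \
                "$(tty 2>/dev/null || echo "${DISPLAY:-unknown}")" \
                "$(date '+%Y-%m-%d %H:%M:%S %Z')"
        fi
        ;;
esac
```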