LinuxQuestions.org
10-31-2017, 09:53 AM   #1
RedJoker
LQ Newbie
Registered: Oct 2017
Posts: 1
SYS log issues, or Event Log Analyzer issue?


I am having an issue finding out when someone logs in as the root user on our Linux machines. We currently have 4 machines that all send logs to our Windows server/ELA. Through ELA I can find SSH logins to root but not the direct logins. If I use PuTTY I can use the command "aureport --auth" and the direct root logins show up as /usr/bin/xdm. I was wondering if anyone knew how to get ELA, or how to edit the syslog-ng.conf file, to forward these "xdm" logins from root to ELA. I looked at the baseline syslog-ng config file and nothing is changed from what I can see. This has been going on for about 5-6 months or so now and the only workaround is to SSH/PuTTY into each Linux server we have and run that aureport --auth as a SU, and that is too much time haha. Any help would be great!
 
10-31-2017, 10:44 AM   #2
TB0ne
LQ Guru
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack, CentOS
Posts: 22,217
Quote:
Originally Posted by RedJoker
I am having an issue finding out when someone logs in as the root user on our Linux machines. We currently have 4 machines that all send logs to our Windows server/ELA. Through ELA I can find SSH logins to root but not the direct logins. If I use PuTTY I can use the command "aureport --auth" and the direct root logins show up as /usr/bin/xdm. I was wondering if anyone knew how to get ELA, or how to edit the syslog-ng.conf file, to forward these "xdm" logins from root to ELA. I looked at the baseline syslog-ng config file and nothing is changed from what I can see. This has been going on for about 5-6 months or so now and the only workaround is to SSH/PuTTY into each Linux server we have and run that aureport --auth as a SU, and that is too much time haha. Any help would be great!
You can try putting (UNTESTED, see syslog-ng docs)
Code:
# Whatever destination you have now
destination syslog { file("/var/log/syslog"); };
# Set up a filter: console/display-manager logins go through PAM and are
# logged on the auth/authpriv facilities (syslog-ng has no "console"
# facility, so level(console.info) would not parse)
filter f_auth { facility(auth, authpriv) and level(info..emerg); };
# Send the data ("src" must match the source name defined in your
# syslog-ng.conf; src is the SUSE default)
log { source(src); filter(f_auth); destination(syslog); };
...and see if it captures console events. You may also want to shove something into the root .profile/.bashrc to run a little bash script. Use the logger command in it to shove out a message like:
Code:
User <user name> logged in to console at <date and time>
...which will do what you're after. Getting the message to syslog is all you really need.
 
11-02-2017, 04:07 AM   #3
MadeInGermany
Senior Member
Registered: Dec 2011
Location: Simplicity
Posts: 1,265
I think most if not all system access goes through PAM.
So it is actually safer to watch the PAM log, /var/log/secure in many distros.
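An added example (not code from either poster) that ties TB0ne's logger suggestion to MadeInGermany's PAM-log point: a POSIX shell script that scans /var/log/secure-style lines for root sessions opened by anything other than sshd (xdm, login, su) and re-emits them with logger on authpriv, so the existing syslog-ng forwarding carries them to the collector. The sample log lines, hostname, PIDs and the tag root-console-audit are constructed for the example.

```shell
#!/bin/sh
# Constructed sample of /var/log/secure (PAM, authpriv facility) lines in the
# format pam_unix writes; the hostname, PIDs and times are made up.
SAMPLE_LOG='Oct 31 09:40:01 host1 sshd[2211]: pam_unix(sshd:session): session opened for user root by (uid=0)
Oct 31 09:41:12 host1 xdm[1187]: pam_unix(xdm:session): session opened for user root by (uid=0)
Oct 31 09:45:30 host1 login[2301]: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Oct 31 09:50:02 host1 xdm[1190]: pam_unix(xdm:session): session opened for user alice by (uid=0)
Oct 31 09:55:44 host1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Oct 31 10:02:09 host1 su[2377]: pam_unix(su-l:session): session opened for user root by alice(uid=1000)'

# Read PAM log lines on stdin and print "month day time service" for every
# root session opened by a service other than sshd (xdm, login, su, ...).
root_local_sessions() {
    awk '
      /pam_unix\([a-z-]+:session\): session opened for user root / {
        svc = $5                    # e.g. "xdm[1187]:"
        sub(/\[.*$/, "", svc)       # drop "[pid]:"
        sub(/:$/, "", svc)          # drop a trailing ":" when there is no pid
        if (svc != "sshd") print $1, $2, $3, svc
      }'
}

# Re-emit each hit through logger on authpriv so the syslog-ng forwarding to
# the collector (ELA) carries it. $1 is the log file to scan (default
# /var/log/secure); suitable for a cron job or a root .profile hook.
report_root_local_sessions() {
    root_local_sessions < "${1:-/var/log/secure}" | while read -r mon day time svc; do
        logger -p authpriv.warning -t root-console-audit \
            "root session opened via $svc at $mon $day $time"
    done
}

# Demo on the constructed sample; prints the xdm, login and su entries only.
printf '%s\n' "$SAMPLE_LOG" | root_local_sessions
```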