https://community.hpe.com/t5/operating-system-hp-ux/can-sudo-be-set-to-log-entries-in-2-different-places-locally-and/m-p/3908039#M763347 Yes - you have to pipe it with the logger command.<BR /><BR />I have a security system whereby I rotate the log every day at 23:55<BR /><BR /><BR />FACILITY=local1.info<BR />TAG=BOKS<BR />tail -f /var/opt/boksm/data/LOG | /opt/boksm/sbin/bkslog -f - | logger -p $FACILITY -t $TAG &amp;<BR /><BR />You should be able to do the same with sudo.<BR /><BR />Rgds...Geoff Tue, 05 Dec 2006 12:41:47 GMT Geoff Wild 2006-12-05T12:41:47Z https://community.hpe.com/t5/operating-system-hp-ux/can-sudo-be-set-to-log-entries-in-2-different-places-locally-and/m-p/3908038#M763346 Hi everyone!<BR /><BR />Currently have SUDO set to write all the log entries to syslog. (which is the default and we will like to keep)<BR /><BR />Recently, we hired a third party company to check our logs (we are supplying them with the syslog information using the syslog.conf file)but we will like to also provide them with the SUDO activity entries. <BR /><BR />Would it be possible to push the SUDO entries to the log server and also keep an entry in the syslog file?<BR /><BR />I know that you set that in the sudoers file but will like to make sure the syslog entry will still be available in syslog.<BR /><BR />Thank you for your help.<BR /><BR />DR Tue, 05 Dec 2006 12:37:53 GMT https://community.hpe.com/t5/operating-system-hp-ux/can-sudo-be-set-to-log-entries-in-2-different-places-locally-and/m-p/3908038#M763346 Dario_1 2006-12-05T12:37:53Z https://community.hpe.com/t5/operating-system-hp-ux/can-sudo-be-set-to-log-entries-in-2-different-places-locally-and/m-p/3908039#M763347 Yes - you have to pipe it with the logger command.<BR /><BR />I have a security system whereby I rotate the log every day at 23:55<BR /><BR /><BR />FACILITY=local1.info<BR />TAG=BOKS<BR />tail -f /var/opt/boksm/data/LOG | /opt/boksm/sbin/bkslog -f - | logger -p $FACILITY -t $TAG &amp;<BR /><BR />You should be able to do the same with sudo.<BR /><BR />Rgds...Geoff Tue, 05 Dec 2006 12:41:47 GMT https://community.hpe.com/t5/operating-system-hp-ux/can-sudo-be-set-to-log-entries-in-2-different-places-locally-and/m-p/3908039#M763347 Geoff Wild 2006-12-05T12:41:47Z https://community.hpe.com/t5/operating-system-hp-ux/can-sudo-be-set-to-log-entries-in-2-different-places-locally-and/m-p/3908040#M763348 SUDO can be configured to use syslog, and syslog to log into a remote host. So you can have two logging locations. Tue, 05 Dec 2006 12:45:30 GMT https://community.hpe.com/t5/operating-system-hp-ux/can-sudo-be-set-to-log-entries-in-2-different-places-locally-and/m-p/3908040#M763348 Ivan Ferreira 2006-12-05T12:45:30Z https://community.hpe.com/t5/operating-system-hp-ux/can-sudo-be-set-to-log-entries-in-2-different-places-locally-and/m-p/3908041#M763349 using visudo add this lines:<BR /><BR />Defaults !syslog<BR />Defaults logfile=/var/adm/sudo.log <BR /><BR /><BR />this will log entries in another file. For more info see man sudoers.<BR /><BR /><BR />regards,<BR />ivan Tue, 05 Dec 2006 12:50:21 GMT https://community.hpe.com/t5/operating-system-hp-ux/can-sudo-be-set-to-log-entries-in-2-different-places-locally-and/m-p/3908041#M763349 Ivan Krastev 2006-12-05T12:50:21Z https://community.hpe.com/t5/operating-system-hp-ux/can-sudo-be-set-to-log-entries-in-2-different-places-locally-and/m-p/3908042#M763350 Thank you all for the answers. <BR /><BR />Geoff:<BR /><BR />I was thinking about doing something like that but I have to push the SUDO entries immediately to the company's appliance because we are getting real time response from them. <BR /><BR />Ivan:<BR /><BR />Your solution is the most appropriate but I can't come up with the correct syntax to direct and load the SUDO information to the appliance. Currently, I have the following line which is working fine but this is only uploading system generated messages.<BR /><BR />*.emerg;*.err;*.alert;kern.debug;daemon.notice;auth.info;cron.info;mail.crit @COMPANY.IP.ADDRESS<BR /><BR />All the SUDO entries have the word bmoc on them which should make this process easier but I am not able to get any information loadded to the company applicance.<BR /><BR />Ivan:<BR /><BR />My original question was generated thinking on that Default option but if I do that, I will stop sending entries to the syslog and will just create a separate log.<BR /><BR />My question in this case will be:<BR /><BR />Can I direct log entries to an external appliance? If yes, do I have to disable syslog or can I have both enabled?<BR /><BR /> Tue, 05 Dec 2006 14:10:37 GMT https://community.hpe.com/t5/operating-system-hp-ux/can-sudo-be-set-to-log-entries-in-2-different-places-locally-and/m-p/3908042#M763350 Dario_1 2006-12-05T14:10:37Z https://community.hpe.com/t5/operating-system-hp-ux/can-sudo-be-set-to-log-entries-in-2-different-places-locally-and/m-p/3908043#M763351 With my way - they do go immediately - bacically, as the log changes (tail -f) it is sent to the remote server.<BR /><BR />The reason for the 23:55 - is the log is quite big - so I rotate it.<BR /><BR />Rgds...Geoff Tue, 05 Dec 2006 14:38:37 GMT https://community.hpe.com/t5/operating-system-hp-ux/can-sudo-be-set-to-log-entries-in-2-different-places-locally-and/m-p/3908043#M763351 Geoff Wild 2006-12-05T14:38:37Z https://community.hpe.com/t5/operating-system-hp-ux/can-sudo-be-set-to-log-entries-in-2-different-places-locally-and/m-p/3908044#M763352 Geoff:<BR /><BR />One more question, are you pushing the entries with the logger command to a local or external file? I am trying to push these files to a centralized logging server which is external. I don't know if the -f option will allow me to do that.<BR /><BR />Thank you.<BR /><BR /> Tue, 05 Dec 2006 16:25:06 GMT https://community.hpe.com/t5/operating-system-hp-ux/can-sudo-be-set-to-log-entries-in-2-different-places-locally-and/m-p/3908044#M763352 Dario_1 2006-12-05T16:25:06Z https://community.hpe.com/t5/operating-system-hp-ux/can-sudo-be-set-to-log-entries-in-2-different-places-locally-and/m-p/3908045#M763353 <!--!*#-->Dario,<BR /><BR />&gt;One more question, are you pushing the entries <BR />&gt;with the logger command to a local or external file?<BR /><BR />Geof's suggestion is that if you have sudo log to its <BR />own log file, then you can also have those log entries<BR />forwarded via syslog by injecting those log<BR />entries into syslog. His tail -f script was monitoring<BR />the log file and using logger to post the log entries<BR />to syslog. If your syslog is configured for syslog fowarding,<BR />then the end result is that the sudo log messages end up<BR />in the sudo log, the local syslog, and the remote syslog. <BR /><BR />That said, since sudo can already log to syslog directly, <BR />I think the only piece you are missing is that your<BR />syslog.conf forwarding entry needs work:<BR /><BR />*.emerg;*.err;*.alert;kern.debug;daemon.notice;auth.info;cron.info;mail.crit<BR /> @COMPANY.IP.ADDRESS <BR /><BR />From the sudo docs, it looks like sudo defaults to using<BR />the "local2" facility (and this is customizable). <BR />But it's not clear what priority message are used. For example, <BR />the docs mention syslog_goodpri (defaults to notice) <BR />and syslog_badpri (defaults to alert). Are there others?<BR />Your current syslog filter would be missing local2.notice but<BR />catching local2.alert. alerts would be posted when a user<BR />authenticates incorrectly to sudo. If you leave the sudo <BR />facility at local2, then add local2.* to your syslog filter and <BR />all sudo messages will be forwarded. <BR /><BR /> Tue, 05 Dec 2006 23:57:16 GMT https://community.hpe.com/t5/operating-system-hp-ux/can-sudo-be-set-to-log-entries-in-2-different-places-locally-and/m-p/3908045#M763353 PeterWolfe 2006-12-05T23:57:16Z https://community.hpe.com/t5/operating-system-hp-ux/can-sudo-be-set-to-log-entries-in-2-different-places-locally-and/m-p/3908046#M763354 Peter<BR /><BR />Thank you for the clarification. That is totally true. The 3rd party company notified that they are getting some of the SUDO, which happens to be the alerts because I have the *.alert in the line. In order to be able to forward the rest, I will add the *.notice to the line and I will get the rest. <BR /><BR />Now, the IDS alerts I will try to get by assigning the priority to local5.alert using the logger command with the -p option and then adding the local5.alert to the syslog.conf line. That should take care of that.<BR /><BR />Thank you all for all the help.<BR /><BR />DR Wed, 06 Dec 2006 08:59:05 GMT https://community.hpe.com/t5/operating-system-hp-ux/can-sudo-be-set-to-log-entries-in-2-different-places-locally-and/m-p/3908046#M763354 Dario_1 2006-12-06T08:59:05Z https://community.hpe.com/t5/operating-system-hp-ux/can-sudo-be-set-to-log-entries-in-2-different-places-locally-and/m-p/3908047#M763355 If you use the standard HP-supplied sudo, the syslog facilty is LOCAL2 with the priority NOTICE for successful sudo invocations and ALERT for failed sudo commands. Like most applications, this information is never documented so you have to discover it by restarting syslogd with the -v option. Since this is really useful, I make the change permanent in /etc/rc.config.d/syslogd. The attached script can decode the special 2-char code that syslogd -v adds to syslog.<BR /> <BR />Note that /etc/syslog.conf REQUIRES tabs for each entry and silently ignores lines with spaces. Use cat -t /etc/syslog.conf to show the tabs (and spaces). Wed, 06 Dec 2006 09:07:19 GMT https://community.hpe.com/t5/operating-system-hp-ux/can-sudo-be-set-to-log-entries-in-2-different-places-locally-and/m-p/3908047#M763355 Bill Hassell 2006-12-06T09:07:19Z https://community.hpe.com/t5/operating-system-hp-ux/can-sudo-be-set-to-log-entries-in-2-different-places-locally-and/m-p/3908048#M763356 Bill:<BR /><BR />You got it. I was able to re-direct IDS data as well by using your recommendation.<BR /><BR />thank you,<BR /><BR />Dario Thu, 07 Dec 2006 17:18:28 GMT https://community.hpe.com/t5/operating-system-hp-ux/can-sudo-be-set-to-log-entries-in-2-different-places-locally-and/m-p/3908048#M763356 Dario_1 2006-12-07T17:18:28Z