
Audit event to syslog

Richard Munn
Frequent Advisor

Audit event to syslog

Is it possible to have audit events sent to syslog? We have a central syslog logger that would be useful to use to capture auditing events.

If not, is there an interface into the audit logger to see events as they occur and then programmatically post them to syslog?
10 REPLIES
Ralf Puchner
Honored Contributor

Re: Audit event to syslog

In V5.x the event manager (man evmshow etc.) does have the capability to include and filter specific messages. The old method using syslogd also works fine.

Have a look at the man page for evm or at the last 2 postings in this forum.
Help() { FirstReadManual(urgently); Go_to_it;; }
Richard Munn
Frequent Advisor

Re: Audit event to syslog

Sorry, I don't quite understand the reference to EVM. As far as I know, the audit daemon does not send events to EVM nor does it have the capability to do so. So how does EVM help steer events to syslog or extract events on the fly from the audit daemon???
Ralf Puchner
Honored Contributor

Re: Audit event to syslog

Have a look at the older pointers in the forum. There is an explanation.
Help() { FirstReadManual(urgently); Go_to_it;; }
Gregory Lee_1
Regular Advisor

Re: Audit event to syslog

Richard,

Have you been able to get this to work? I have searched many forums and have not been able to get an answer.

Thanks,
Greg
Ann Majeske
Honored Contributor

Re: Audit event to syslog

As far as I know there is no built-in facility to have audit events sent to evm or syslog. There is the potential of far too much audit data for either of those channels to handle.

You can run the audit_tool or dxaudit to monitor audit events as they happen. You could potentially write something to process the data from there.
Gregory Lee_1
Regular Advisor

Re: Audit event to syslog

Ann,

Thanks for your response. My ultimate goal is to get failed logins sent to a centralized syslog server. I believe this can be done in Linux.

Sorry I can not assign points since I'm not the author.

Thanks,
Greg
Ann Majeske
Honored Contributor

Re: Audit event to syslog

Hi Greg,

You can have the audit trails from multiple systems sent to a central system. There's information on how to set this up in the Security Manual. For V5.1a it's in section 10.8 "Auditing Across a Network". That way you'd only have to look at the audit data in one place, rather than having to log into each system, but it would still be in the audit data, not the syslog.

Ann
Gregory Lee_1
Regular Advisor

Re: Audit event to syslog

Hi Ann,

Since I need it in syslog, I'm testing using sialog and logger. Sialog is a text file that will track failed logins and logger allows for data to be placed in syslog.

Any thoughts?

Thanks,
Greg
Ann Majeske
Honored Contributor

Re: Audit event to syslog

Hi Greg,

sialog was really designed as a debugging tool, not to be used all the time for logging. So, what you're proposing is not supported and thus there's no guarantee like the audit subsystem supplies that all logins and logouts would be logged (e.g. the file could be unwritable or the disk could fill up). But, with those caveats, I don't see any reason why it wouldn't work.

Ann
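
The sialog-plus-logger approach discussed in the two posts above, sketched as an added example that is not part of the original thread and not vendor-supplied code. Assumptions: failure lines in the sialog text file match `PATTERN`, the priority and tag are illustrative, and the log and state file paths are supplied by the administrator.

```sh
#!/bin/sh
# Added example, not from the thread: forward failed-login lines from a
# sialog-style text file to syslog with logger(1).
# Assumptions: failure lines match PATTERN; priority and tag are illustrative.
PATTERN=${PATTERN:-'[Ff]ail'}
PRIORITY=${PRIORITY:-auth.warning}
TAG=${TAG:-sialog-fwd}

# forward_once LOGFILE STATEFILE
# Sends matching lines added since the previous run; returns 1 if LOGFILE
# cannot be read (and reports that to syslog so the gap is visible).
forward_once() {
    log=$1
    state=$2
    if [ ! -r "$log" ]; then
        logger -p auth.err -t "$TAG" "cannot read $log; login failures not forwarded"
        return 1
    fi
    last=$(cat "$state" 2>/dev/null || echo 0)
    last=${last:-0}
    # Snapshot the length first so lines appended mid-run wait for the next run.
    total=$(wc -l < "$log" | tr -d ' ')
    # A shorter file means it was truncated or replaced: start from the top.
    if [ "$total" -lt "$last" ]; then
        last=0
    fi
    awk -v s="$last" -v e="$total" -v pat="$PATTERN" \
        'NR > s && NR <= e && $0 ~ pat' "$log" |
    while IFS= read -r line; do
        logger -p "$PRIORITY" -t "$TAG" "$line"
    done
    echo "$total" > "$state"
}

# Typical use from cron, with paths supplied by the administrator:
#   forward_once /path/to/sialog /path/to/state-file
```

Run periodically, this forwards each new failure line once; the unreadable-file branch covers one of the caveats raised above, since a silent gap in forwarding would otherwise look like an absence of failed logins.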
Gregory Lee_1
Regular Advisor

Re: Audit event to syslog

Ann,

Thanks for the info, I might reconsider your first thought of centralizing the audit data on one of the Unix servers.

My hope was to use this Windows application that can centralize all Windows server and workstation event logs and syslogs into one database that has alert capabilities. I'm running a demo of the application and it works great except for the Unix failed logins issue.

Thanks again,
Greg

Here's an IOU for 10 points.