
tracing login, logout to remote syslogd daemon

 
RiclyLeRoy
Frequent Advisor

tracing login, logout to remote syslogd daemon

I have Unix server with HP-UX B.11.00 and I'm going to trace both every logins and every logout of this system, and sending these logs to
remote syslogd daemon of another server (Fedora core 3).
This Fedora server is central log server which will receive logs from remote systems.
What do you suggest me to configure HP-UX for tracking this login and logout to remote syslogd ?
14 REPLIES
Michael Steele_2
Honored Contributor

Re: tracing login, logout to remote syslogd daemon

Hi


This is done automatically for you by the wtmp file, last and lastb commands.
Support Fatherhood - Stop Family Law
Johnson Punniyalingam
Honored Contributor

Re: tracing login, logout to remote syslogd daemon

As mentioned above, all login & logout traced by wtmp,last command,

Couple of choices,

you can write a script to copy /sftp to your centralized log server

or Enabling Auditing -> and sftp the auditlog to centralized log server
Problems are common to all, but attitude makes the difference
Michael Steele_2
Honored Contributor

Re: tracing login, logout to remote syslogd daemon

Hi

sftp is found within the ssh download and is not basic to HP-UX. Nor do I see the relevance here.
Support Fatherhood - Stop Family Law
Vishu
Trusted Contributor

Re: tracing login, logout to remote syslogd daemon

Hi,

/var/adm/wtmp contains all your login and logout details. You can use the 'last' command to get those details, whereas the 'lastb' command will give you only bad login information.

You can ftp those details across to your central server.
Michael Steele_2
Honored Contributor

Re: tracing login, logout to remote syslogd daemon

Hi

Rethought this a bit tonight. This is Fedora that you're using, so like HP-UX there is a 'logger' command which writes to syslog.log.

last > file
ftp file fedora:/file
cat fedora:/file | logger

Support Fatherhood - Stop Family Law
RiclyLeRoy
Frequent Advisor

Re: tracing login, logout to remote syslogd daemon

I know both the last and lastb commands, but the format of the wtmp file is specific; it's not a text file, so only the "last" command can interpret its content.
My scope is to register every login and logout event in my Fedora log server, where the syslogd daemon receives them on port 514 from remote machines.

1 - The unique mode to send events is by sftp command? Could I use HPUX syslog to send events to the central log server?
I was interested in sending the HPUX log directly to the remote syslog, but I can understand it's not possible.

2 - Once I move the log file to the central server, I can route it to syslog by "cat log file" | logger?
Michael Steele_2
Honored Contributor

Re: tracing login, logout to remote syslogd daemon

HI

If you have syslogd already remotely set up to log into the Fedora server, then

last | logger

... will update both the local and the remote fedora syslog.log.
Support Fatherhood - Stop Family Law
Michael Steele_2
Honored Contributor

Re: tracing login, logout to remote syslogd daemon

Ricky

Just write a daily cron that captures today's logins from the last command and pipe it into logger.

If you are looking for a way to get real-time updates, then refer to the internals of wtmp.
Support Fatherhood - Stop Family Law
Johnson Punniyalingam
Honored Contributor

Re: tracing login, logout to remote syslogd daemon

>>>1 - The unique mode to send events is by sftp command? Could I use HPUX syslog to send events to the central log server?
I was interested in sending the HPUX log directly to the remote syslog, but I can understand it's not possible.<<<<<

Yes, it's possible.
Events referring to system events (syslog)?

if I am not you can redirect syslog to your centralized server, by editing the syslog.conf

Check below Thread,

http://forums13.itrc.hp.com/service/forums/questionanswer.do?threadId=1370494


Problems are common to all, but attitude makes the difference
RiclyLeRoy
Frequent Advisor

Re: tracing login, logout to remote syslogd daemon

Hi Michael,
if I understand right, you suggest that I use "last | logger" on my HP-UX server to send the output of the "last" command to its syslogd daemon.
The syslogd daemon on HP-UX is already set to forward *.debug logs to my remote central log server (Fedora).
I didn't understand whether there is a solution on HP-UX for updates in real time.

Hi Johnson,
I know how to set events forwarding to remote syslogd in syslog.conf; in fact I already set it on my HP-UX.
But the events (in which I'm interested) referring to the system are about login and logout information, which I can find in the wtmp file.

Thank you to all people for your precious help

Michael Steele_2
Honored Contributor

Re: tracing login, logout to remote syslogd daemon

a) have you tried last | logger? What happens?
Support Fatherhood - Stop Family Law
OldSchool
Honored Contributor

Re: tracing login, logout to remote syslogd daemon

in syslog.conf, the

auth.info ...

facility should pick up authorization-related info that you can then pass to the central server, but, again, may not pick up the logout information
RiclyLeRoy
Frequent Advisor

Re: tracing login, logout to remote syslogd daemon

Michael,
I'd like to try the 'last | logger' command, but where can I set it? In a script to run at system boot?
Michael Steele_2
Honored Contributor

Re: tracing login, logout to remote syslogd daemon

HI

last | logger can be run from the command line. It runs once and updates syslog.log.

Set in a script that filters only today's date. Use grep and date commands. Then put it in a cron to run every midnight. Verify that it gets to both local and remote / fedora servers.

The above response from Old School and auth: info is an option you set in syslog.conf. Since you already added @fedora_host_name to the HP-UX syslog.conf you should know this file. So just add @fedora_host_name to the auth:info line.

Also every response above deserves 0 to 10 points assigned. Please make sure you do this and also close the thread when ready.
Support Fatherhood - Stop Family Law
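
The cron approach discussed in this thread, written out as an added example (not code posted by any participant): it filters one day's entries out of `last` and sends them to syslog at auth.info, so the auth.info forwarding line carries them to the central server. The script path, the `wtmp` tag, the 23:59 schedule and the sample `last` lines are assumptions or constructed; check the date format against the output of `last` on your own host.

```shell
#!/bin/sh
# Added example. Forward one day's wtmp records to syslog at auth.info.
#
# Assumed /etc/syslog.conf line on the HP-UX host (selector and action
# must be separated by a TAB):
#   auth.info	@fedora_host_name
# Assumed crontab entry (hypothetical path); 23:59 is used so that the
# current date still matches the day's entries:
#   59 23 * * * /usr/local/bin/wtmp2syslog.sh --run

# filter_day "<Mon DD>": read `last` output on stdin, keep that day only.
# The day is space-padded ("Dec  1"), so "Dec  1" cannot match "Dec 11".
# The trailing "wtmp begins ..." summary line also carries a date and
# must not be forwarded as if it were a login record.
filter_day() {
    grep -F -- " $1 " | grep -v '^wtmp begins'
}

# forward_day "<Mon DD>": one syslog message per login/logout record.
forward_day() {
    last | filter_day "$1" | logger -p auth.info -t wtmp
}

# Constructed sample in the assumed `last` layout, for offline checking.
sample_last() {
cat <<'EOF'
alice    pts/ta       Mon Dec  1 09:02 - 09:40  (00:38)
bob      pts/tb       Mon Dec  1 10:15   still logged in
alice    pts/ta       Thu Dec 11 08:00 - 08:30  (00:30)

wtmp begins Mon Dec  1 08:55
EOF
}

# Only touch syslog when asked to; LC_ALL=C keeps month names in English.
if [ "${1:-}" = "--run" ]; then
    forward_day "$(LC_ALL=C date '+%b %e')"
fi
```

Sessions that are open when the job runs appear as "still logged in" and get their logout time only in a later run. Classic syslogd forwarding to port 514 is plain UDP, so delivery to the central server is neither guaranteed nor authenticated.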