Operating System - HP-UX
Can sudo be set to log entries in 2 different places (locally and externally)

SOLVED
Dario_1
Trusted Contributor
Hi everyone!

Currently I have SUDO set to write all the log entries to syslog (which is the default and we would like to keep).

Recently, we hired a third party company to check our logs (we are supplying them with the syslog information using the syslog.conf file), but we would like to also provide them with the SUDO activity entries.

Would it be possible to push the SUDO entries to the log server and also keep an entry in the syslog file?

I know that you set that in the sudoers file, but I would like to make sure the syslog entry will still be available in syslog.

Thank you for your help.

DR
Geoff Wild
Honored Contributor

Re: Can sudo be set to log entries in 2 different places (locally and externally)

Yes - you have to pipe it with the logger command.

I have a security system whereby I rotate the log every day at 23:55.


FACILITY=local1.info
TAG=BOKS
tail -f /var/opt/boksm/data/LOG | /opt/boksm/sbin/bkslog -f - | logger -p $FACILITY -t $TAG &

You should be able to do the same with sudo.

Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
Ivan Ferreira
Honored Contributor

Re: Can sudo be set to log entries in 2 different places (locally and externally)

SUDO can be configured to use syslog, and syslog to log into a remote host. So you can have two logging locations.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Ivan Krastev
Honored Contributor

Re: Can sudo be set to log entries in 2 different places (locally and externally)

Using visudo, add these lines:

Defaults !syslog
Defaults logfile=/var/adm/sudo.log


This will log entries in another file. For more info see man sudoers.


regards,
ivan
Dario_1
Trusted Contributor

Re: Can sudo be set to log entries in 2 different places (locally and externally)

Thank you all for the answers.

Geoff:

I was thinking about doing something like that but I have to push the SUDO entries immediately to the company's appliance because we are getting real time response from them.

Ivan:

Your solution is the most appropriate but I can't come up with the correct syntax to direct and load the SUDO information to the appliance. Currently, I have the following line which is working fine but this is only uploading system generated messages.

*.emerg;*.err;*.alert;kern.debug;daemon.notice;auth.info;cron.info;mail.crit @COMPANY.IP.ADDRESS

All the SUDO entries have the word bmoc on them, which should make this process easier, but I am not able to get any information loaded to the company appliance.

Ivan:

My original question was generated thinking about that Default option, but if I do that, I will stop sending entries to the syslog and will just create a separate log.

My question in this case would be:

Can I direct log entries to an external appliance? If yes, do I have to disable syslog or can I have both enabled?

Geoff Wild
Honored Contributor

Re: Can sudo be set to log entries in 2 different places (locally and externally)

With my way they do go immediately; basically, as the log changes (tail -f) it is sent to the remote server.

The reason for the 23:55 is that the log is quite big, so I rotate it.

Rgds...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
Dario_1
Trusted Contributor

Re: Can sudo be set to log entries in 2 different places (locally and externally)

Geoff:

One more question: are you pushing the entries with the logger command to a local or external file? I am trying to push these files to a centralized logging server which is external. I don't know if the -f option will allow me to do that.

Thank you.

PeterWolfe
Respected Contributor
Solution

Re: Can sudo be set to log entries in 2 different places (locally and externally)

Dario,

>One more question, are you pushing the entries
>with the logger command to a local or external file?

Geoff's suggestion is that if you have sudo log to its own log file, then you can also have those log entries forwarded via syslog by injecting those log entries into syslog. His tail -f script was monitoring the log file and using logger to post the log entries to syslog. If your syslog is configured for syslog forwarding, then the end result is that the sudo log messages end up in the sudo log, the local syslog, and the remote syslog.

That said, since sudo can already log to syslog directly, I think the only piece you are missing is that your syslog.conf forwarding entry needs work:

*.emerg;*.err;*.alert;kern.debug;daemon.notice;auth.info;cron.info;mail.crit	@COMPANY.IP.ADDRESS

From the sudo docs, it looks like sudo defaults to using the "local2" facility (and this is customizable). But it's not clear what message priorities are used. For example, the docs mention syslog_goodpri (defaults to notice) and syslog_badpri (defaults to alert). Are there others? Your current syslog filter would be missing local2.notice but catching local2.alert. Alerts would be posted when a user authenticates incorrectly to sudo. If you leave the sudo facility at local2, then add local2.* to your syslog filter and all sudo messages will be forwarded.

Dario_1
Trusted Contributor

Re: Can sudo be set to log entries in 2 different places (locally and externally)

Peter

Thank you for the clarification. That is totally true. The 3rd party company notified us that they are getting some of the SUDO entries, which happen to be the alerts because I have the *.alert in the line. In order to be able to forward the rest, I will add the *.notice to the line and I will get the rest.

Now, the IDS alerts I will try to get by assigning the priority to local5.alert using the logger command with the -p option and then adding the local5.alert to the syslog.conf line. That should take care of that.

Thank you all for all the help.

DR
Bill Hassell
Honored Contributor

Re: Can sudo be set to log entries in 2 different places (locally and externally)

If you use the standard HP-supplied sudo, the syslog facility is LOCAL2 with the priority NOTICE for successful sudo invocations and ALERT for failed sudo commands. Like most applications, this information is never documented, so you have to discover it by restarting syslogd with the -v option. Since this is really useful, I make the change permanent in /etc/rc.config.d/syslogd. The attached script can decode the special 2-char code that syslogd -v adds to syslog.

Note that /etc/syslog.conf REQUIRES tabs for each entry and silently ignores lines with spaces. Use cat -t /etc/syslog.conf to show the tabs (and spaces).


Bill Hassell, sysadmin
Dario_1
Trusted Contributor

Re: Can sudo be set to log entries in 2 different places (locally and externally)

Bill:

You got it. I was able to re-direct IDS data as well by using your recommendation.

thank you,

Dario