centralize sulog

dongming
Frequent Advisor

centralize sulog

Hello everyone,
For security reasons, I'd like to put the sulog of every server into one centralized sulog. Is there a configuration or software for it, or do I have to write a script?
Thanks
Tim Nelson
Honored Contributor

Re: centralize sulog

No config that I am aware of.

A script would be my first thought.

Check for changes on each system and send only the changes to one system and append?
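
Tim's suggestion of sending only what changed, worked through as an added example that is not from the thread: a client-side sh script that remembers, in a state file, how many bytes of /var/adm/sulog it has already shipped, sends only the new bytes to the central host, and handles the log having been rotated or truncated in between. The state file path /var/adm/sulog.offset and the central file /var/adm/central-sulog are assumed names, not anything from the original posts.

```shell
#!/bin/sh
# Added example, not from the thread. Ship only the part of /var/adm/sulog
# that was appended since the last run. A state file holds the byte offset
# already sent; if the log is smaller than that offset it was rotated or
# truncated, so we start again from byte 0. The state file path and the
# central file name are assumptions for illustration.

# file_size FILE: size in bytes, without the padding some wc versions print.
file_size() {
    wc -c < "$1" | tr -d ' '
}

# new_entries LOGFILE OFFSET [SIZE]
#   Print the bytes of LOGFILE after OFFSET (bytes already shipped), up to
#   SIZE (defaults to the current size). Prints nothing when there is
#   nothing new. Exits non-zero if LOGFILE is missing.
new_entries() {
    log=$1
    last=$2
    [ -f "$log" ] || return 1
    size=${3:-$(file_size "$log")}
    # Shrunk below the saved offset: rotated/truncated, resend from the top.
    if [ "$size" -lt "$last" ]; then
        last=0
    fi
    if [ "$size" -gt "$last" ]; then
        # tail -c +N starts at byte N (1-based); head bounds the window so a
        # write that lands during the run is picked up next time, not twice.
        tail -c +$((last + 1)) "$log" | head -c $((size - last))
    fi
}

# ship_sulog CENTRAL_HOST
#   Cron entry for each client: prefix every new line with this hostname and
#   append it to one combined file on the central server over ssh. The offset
#   is advanced only after ssh succeeds, so a failed run resends rather than
#   losing entries (a line may then appear twice; for an audit trail that is
#   the safer side to err on).
ship_sulog() {
    central=$1
    log=/var/adm/sulog
    state=/var/adm/sulog.offset          # assumed path
    host=$(hostname)
    last=0
    [ -f "$state" ] && last=$(tr -d ' ' < "$state")
    size=$(file_size "$log")
    if new_entries "$log" "$last" "$size" | sed "s/^/$host /" \
        | ssh "$central" 'cat >> /var/adm/central-sulog'; then
        echo "$size" > "$state"
    fi
}
```

Run `ship_sulog central-server` from cron on each client (the same key setup Raj describes later in the thread applies). Because the state file is only rewritten after ssh returns success, an outage of the central server costs duplicates on the next run rather than missing su records; a `sort -u` on the central side, or dropping the duplicates when the file is reviewed, deals with that.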

Raj D.
Honored Contributor

Re: centralize sulog

Hi Dongming ,

You can write a script to collect the file /var/adm/sulog from all the servers and put the copies on your central server in sulog.$hostname format.

It can capture every day at, say, 6pm, and overwrite the next day.

If you have ssh installed and ssh-keygen done on the central server, it will be a bit easier.
Please let us know if you need the script.

Cheers ,
RajD.
" If u think u can , If u think u cannot , - You are always Right . "
dongming
Frequent Advisor

Re: centralize sulog

Thanks for the response.
I need a single centralized log file; that means when an su happens, it writes a log entry to the centralized log.
By the way, how do I set up ssh-keygen?
Thanks
Raj D.
Honored Contributor

Re: centralize sulog

Hi Dongming ,

You can write a script like the following, and run it on the central server to capture all sulogs from the other servers.

vi sulog.sh

#!/usr/bin/ksh
# collecting sulog from all servers.
# placing the logs in /home/dongming/sulog/
# Server list file= server.list (one hostname per line)
############################################

DEST=/home/dongming/sulog
LIST=/home/dongming/server.list

mkdir -p "$DEST"

# read the list line by line instead of word-splitting `cat`
while read -r host
do
    [ -z "$host" ] && continue          # skip blank lines
    echo "logging to server= $host "
    # a failed copy (bad host, missing key) is reported, not silently lost
    scp "$host:/var/adm/sulog" "$DEST/sulog.$host" ||
        echo "failed to collect sulog from $host" >&2
done < "$LIST"
echo " * * sulog collection completed * * "

############################################
------------------------------------

make a cron entry ..
# crontab -e

00 18 * * * /home/dongming/sulog.sh >> /home/dongming/sulog/collect.log 2>&1

-------------------------------------
Cheers ,

RajD.
Greg Vaidman
Respected Contributor
Solution

Re: centralize sulog

Well, since su also reports to syslog, you could configure syslog.conf on each server to forward the relevant messages to a central syslog server.

On your clients, you'd add to syslog.conf (selector and action separated by a tab):

auth.info	@central-server-hostname

to forward messages to your central server, and on your central server, you'd add to syslog.conf:

auth.info	/var/adm/central-sulog

You'd get a little bit of noise besides just the su messages, but this would be the easiest way to set it up...

See the man page for syslogd.
dongming
Frequent Advisor

Re: centralize sulog

Thanks Raj and Greg:
I think Raj's solution collects the individual files from the clients to a central server.

Greg's solution matches my requirement. It may also log other messages besides sulog, but that is OK.

Thanks a lot.
Raj D.
Honored Contributor

Re: centralize sulog

Hi Dongming ,

To set up ssh-keygen do the following,
then you can log in to the server without a password.

From the central server, first log in to your own ID:

1. $ mkdir .ssh [ from your home directory ]
2. $ ssh-keygen -t dsa [ It will generate a public/private key pair named id_dsa ]

3. Create a .ssh directory in your home directory on the other server, say server2.

4. Copy the public key to the other server, i.e. server2, with this command:

$ ssh server2 cat '>>' .ssh/authorized_keys2 < ~/.ssh/id_dsa.pub

Enter your password on that server, for the user name, when it prompts at this command.

5. Now try an ssh login without a password.
$ ssh server2 [ if same username ]
or
$ ssh username@server2


You will get the $ prompt.
$ hostname
server2
--------------------------

Cheers ,

RajD.
RAC_1
Honored Contributor

Re: centralize sulog

I think with auth.info @remote_host
you would also get user authentication messages on the remote host, and you would need to sort/grep the remote log file.
There is no substitute to HARDWORK
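
Greg's forwarding rule and RAC_1's point that auth.info carries more than su, as an added example that is not part of the thread: a small sh/awk filter that pulls the su records out of the combined file on the central server and separates successful from failed switches. The log lines are constructed to look like syslog output with the HP-UX su message shape (`su: + tty from-to`); the exact wording on a given release should be checked against a real line before the field positions are relied on.

```shell
#!/bin/sh
# Added example, not from the thread. Filter the su records out of the
# central auth.info file; sshd/login messages arrive in the same file and
# are dropped here. The sample log below is constructed for illustration.

# Constructed sample of /var/adm/central-sulog as received over syslog.
SAMPLE_LOG='Mar  3 18:01:12 server1 su: + tty?? root-oracle
Mar  3 18:01:40 server2 sshd[1234]: Accepted publickey for dongming from 10.0.0.5 port 51234 ssh2
Mar  3 18:02:05 server2 su: - pts/3 dongming-root
Mar  3 18:02:30 server1 login: FAILED LOGIN 1 FROM 10.0.0.9 FOR root, Authentication failure
Mar  3 18:03:01 server3 su: + pts/1 dongming-root
Mar  3 18:03:30 server3 su: - pts/1 guest-root'

# su_entries < LOG
#   Keep only su records and print: host result tty from-to
#   Field 4 is the originating host, field 5 the syslog tag; "+" marks a
#   successful su and "-" a failed one.
su_entries() {
    awk '$5 == "su:" && ($6 == "+" || $6 == "-") { print $4, $6, $7, $8 }'
}

# failed_su < LOG
#   Failed attempts only, split into source and target account for review.
failed_su() {
    su_entries | awk '$2 == "-" { split($4, ft, "-"); print $1, ft[1], "->", ft[2] }'
}

# su_to_root_count < LOG
#   Number of successful switches to root across all hosts.
su_to_root_count() {
    su_entries | awk '$2 == "+" && $4 ~ /-root$/ { n++ } END { print n + 0 }'
}

# Example run on the constructed sample; on the real server replace the
# printf with: failed_su < /var/adm/central-sulog
printf '%s\n' "$SAMPLE_LOG" | failed_su
```

Because the central file keeps the originating hostname in field 4, one `awk` pass over the single file answers the per-server questions (who became root where, which hosts see failed attempts) without the per-host sulog copies.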
dongming
Frequent Advisor

Re: centralize sulog

Thanks RajD and RAC.
I also think there are other messages from auth.info, so I need to sort or grep.
Thanks again.