Re: How to get syslogging of logins?

SOLVED

Hi All!
I found that in HP-UX 11.00 among the system utilities, using login only 'ftpd' and 'su' logs something
(user, host, etc) into syslog. rlogin, telnet
don't log anything. Is there any way to get
at least user name into syslog from telnet?
Thanks.

19 REPLIES 19

Your telnet logins get recorded in /var/adm/wtmp and are viewable via the "last" command.

Pete

Pete

Hi,
There are a few logs... /var/adm/sulog wtmp,/etc/utmp etc...
for extra configuration of syslog do a ma syslogd

All the best
Victor

Thanks for your response!
I gather syslog data reading /dev/log.
/etc/wtmp is populated another way then
syslogd.

Lev,

OK, you want this data in syslog as well. I think the entry "auth.info /var/adm/syslog/syslog.log" in /etc/syslog.conf would do what you wish. The issue "kill -HUP `cat /var/run/syslog.pid`".

Pete

Pete

auth.info doesn't turn on telnetd logging.
Thanks anyway!

auth.info will be su login. To manage telnet / rlogin we have to for utmp log file only there.

Try to audit utmp file with last command and redirect into /var/adm/syslog/logininfo.log file like that with a simple script and do it simulation with cron job,s there.

Else there is another way using profile file as,

on /etc/profile make a script line as,

if [[ $(ps -ef | grep -q "telnet") || $(ps -ef | grep -q "rlogin") ]]
then

echo "$LOGNAME is using telnet at $(date)" >> /var/adm/syslog/logininfo.log

fi

HTH.

Easy to suggest when don't know about the problem!

sorry. ps -ef will give ALL process. To get that user process then use ps only .. and do script as,

if [[ $(ps | grep -q "telnet") || $(ps | grep -q "rlogin") ]]
then

echo "$LOGNAME is using telnet at $(date)" >> /var/adm/syslog/logininfo.log

# You can add some more messages here

fi

Easy to suggest when don't know about the problem!

I believe you meant rlogind and telnetd.
But they run under root.

We can use /etc/profile for this to accomplish to get the user informations / login time / some more login informaion's.

Every login ( except cde login ) will use /etc/profile to set login informations there. We can use that login profile file to log login service informations there.

We can get the process information's of that current user with execution of ps (without any option there).

Check it by putting the following on your /etc/profile file as,

---- /etc/profile -----

# Login service logging
if [[ $(ps | grep -q "telnet") -eq 0 ]]
then

echo "$LOGNAME logs with service telnet at $(date) .. some more informations there" >> /var/adm/syslog/logininfo.log

elif [[ $( ps | grep -q "rlogin") -eq 0 ]]
then

echo "$LOGNAME logs with service rlogind at $(date) .. some more informations there" >> /var/adm/syslog/logininfo.log

fi

Check with normal user, root by login with telnet and rlogin service now. /var/adm/syslog/logininfo.log contain's entry for that.

Easy to suggest when don't know about the problem!

I have tested that changes on /etc/profile on 11.00 too.

# cat /tmp/logininfo.log
muthu logs with service telnet at Wed Sep 22 00:58:18 MDT 2004 .. some more informations there
root logs with service telnet at Wed Sep 22 00:58:47 MDT 2004 .. some more informations there

# Note: We can add more user informations with PID of shell etc there on /etc/profile file too as like last output

But one correction on using loginginfo.log that,

/var/adm/syslog directory can not be writtable for everyone. :-) So change the permission ( Don't ) else try to save the logininfo.log file at /etc/ or /tmp location or every one can write there.

Easy to suggest when don't know about the problem!

You can have a look at man inetd.

Start inetd daemon with -l option.

This enables the connection logging.
When this is enabled internet daemon logs attempted connetions to services. It also logs connections which fail the security check. This is useful when someone is repeatedly trying to access your system from some system.
Successful loging at info log level to syslog.
Security check failures at notive log level.
Hope this helps.

Thanks
Prashant

"Intellect distinguishes between the possible and the impossible; reason distinguishes between the sensible and the senseless. Even the possible can be senseless."

inetd -l will log informations about login service on /var/adm/syslog/syslog.log file, But it will not log about the logged users there.

Sep 22 01:16:07 hostname inetd[21045]: telnet/tcp: Connection from unknown (remote-machine) at Wed Sep 22 01:16:07 2004

like this. It is not enough to log user / root there.

It is not logging about step-up service on the same machine too. They are as,

telnet test --> rlogin localhost -l root

rlogin test --> telnet root localhost
etc... there

inetd -l will all service usage on /etc/inetd.conf file. IT will put every service usage there on syslog.log

Easy to suggest when don't know about the problem!

Prashant Zanwar!
Your solution is almost excellent!
I am so sorry thet user info is missed!
Anyway thanks a lot!

Dear Muthukumar!
You solution is good also!
thank you!

Cheers! I am glad that you have so many solutions.
Thanks
Prashant

"Intellect distinguishes between the possible and the impossible; reason distinguishes between the sensible and the senseless. Even the possible can be senseless."

The only question is why is HPUX so behind
Solaris 8,9?

Bill Hassel gave a great way to log telnet logins to syslog using a logger command in /etc/profile.

Check out this thread:

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=697894

Regards,
Seth

or try this in /etc/profile ...

tty -s
ret=$?
if [ $ret -eq 0 ] ; then
tty="`tty | sed s:/dev/::g`"
conn_type=`ps -ef | grep $tty | grep -e sshd -e telnetd -e rlogind | grep -v grep | awk '{ print $8 " " $9 " " $10}' | sed s/://g`
echo "`date` : `whoami` : $conn_type : `hostname` : $tty" >> /tmp/logins_type.log ; chmod 666 /tmp/logins_type.log > /dev/null 2>&1
fi

Obviously, using logger here would be better than a log file in /tmp, but you can change that bit.

- Andy

the advantage of the above is that it tells you the login time for ssh, telnet and rlogin all in one place. handy if you want to know who is being a bad user and using telnet/rlogin, and who is being a good user and using ssh.

the only problem with any /etc/profile solution is that anyone can remote execute a command, but /etc/profile won't be read in that instance.

eg:
ssh server2 "echo I am not running /etc/profile!"

and the /etc/profile file will not be executed :-(

Ta

- Andy