Operating System - HP-UX

Reduce the logging level of Sudo

 
ozas
Advisor

Reduce the logging level of Sudo

Hi,
Please, does anyone know how to reduce the logging level of sudo? It presently logs entries almost thrice in the syslog.log file.

Thanks.
Bill Hassell
Honored Contributor

Re: Reduce the logging level of Sudo

Are you saying that the same log entry is written 2 or 3 times? That is not normal. Check how many copies of syslogd are running:

UNIX95=1 ps -fC syslogd

Also check for duplicate lines in /etc/syslog.conf


Bill Hassell, sysadmin
ozas
Advisor

Re: Reduce the logging level of Sudo

This is the error alert I receive from the server:

esmadu07 K05000 The SYSLOG is growing at a rate greater than 60000 bytes per min

Regards.
Dennis Handly
Acclaimed Contributor

Re: Reduce the logging level of Sudo

>The SYSLOG is growing at a rate greater than 60000 bytes per min

Can you provide what's in syslog.log that's growing so fast?
ozas
Advisor

Re: Reduce the logging level of Sudo

Sep 16 10:13:18 esmadu07 sudo: root : TTY=unknown ; PWD=/opt/CA/UnicenterDSM
/caf/bin ; USER=root ; COMMAND=/bin/su.original D052CGC -c sh -c "SHLIB_PATH=/op
t/CA/SharedComponents/lib:/usr/lib:/opt/CA/CAlib:/opt/CA/SharedComponents/lib:/o
pt/CA/SharedComponents/lib:/opt/CA/UnicenterDSM/caf/lib:/opt/CA/SharedComponents
/lib;export SHLIB_PATH;/opt/CA/UnicenterDSM/caf/bin/cfURI"
Sep 16 10:13:18 esmadu07 above message repeats 2 times
Sep 16 10:13:18 esmadu07 sudo: root : TTY=unknown ; PWD=/opt/CA/UnicenterDSM
/caf/bin ; USER=root ; COMMAND=/bin/su.original B049LNU -c sh -c "SHLIB_PATH=/op
t/CA/SharedComponents/lib:/usr/lib:/opt/CA/CAlib:/opt/CA/SharedComponents/lib:/o
pt/CA/SharedComponents/lib:/opt/CA/UnicenterDSM/caf/lib:/opt/CA/SharedComponents
/lib;export SHLIB_PATH;/opt/CA/UnicenterDSM/caf/bin/cfURI"
Sep 16 10:13:18 esmadu07 su: + tty?? root-D052CGC
Sep 16 10:13:18 esmadu07 above message repeats 2 times
Sep 16 10:13:18 esmadu07 su: + tty?? root-B049LNU
Sep 16 10:13:18 esmadu07 sudo: root : TTY=unknown ; PWD=/opt/CA/UnicenterDSM
/caf/bin ; USER=root ; COMMAND=/bin/su.original M967VEC -c sh -c "SHLIB_PATH=/op
t/CA/SharedComponents/lib:/usr/lib:/opt/CA/CAlib:/opt/CA/SharedComponents/lib:/o
pt/CA/SharedComponents/lib:/opt/CA/UnicenterDSM/caf/lib:/opt/CA/SharedComponents
/lib;export SHLIB_PATH;/opt/CA/UnicenterDSM/caf/bin/cfURI"
Sep 16 10:13:19 esmadu07 above message repeats 4 times
DeafFrog
Valued Contributor

Re: Reduce the logging level of Sudo

Hi Ozas,

I think every application log is directed to your syslog file; please look into your syslog.conf under /etc. What lines are in syslog.conf apart from these:
mail.debug /var/adm/syslog/mail.log
*.info;mail.none /var/adm/syslog/syslog.log
*.alert /dev/console
*.alert root
*.emerg *


Regards,
FrogIsDeaf
ozas
Advisor

Re: Reduce the logging level of Sudo

Hi,
Here is my syslog.conf:

# See syslogd(1M) for information about the format of this file.
#
mail.debug /var/adm/syslog/mail.log
*.info;mail.none /var/adm/syslog/syslog.log
*.alert /dev/console
*.alert root
*.emerg *

lpr,local2.debug /tmp/PdLog2

user.info /opt/CA/UnicenterDSM/logs/dsmEventLog.log
DeafFrog
Valued Contributor

Re: Reduce the logging level of Sudo

Hi Ozas (again),

Can you put an extra entry in your sudoers file, /usr/local/etc/sudoers:

logfile

http://www.gratisoft.us/sudo/sudoers.man.html

Hope this helps.

Regards,

FrogIsDeaf
ozas
Advisor

Re: Reduce the logging level of Sudo

Hi DF,
The command will not work in the sudoers file.
Bill Hassell
Honored Contributor

Re: Reduce the logging level of Sudo

Your syslog.conf file is not correct. You have two additional log files declared but you are also logging everything (except mail) to syslog. When you want another logfile, you must exclude that facility from syslog:

mail.debug /var/adm/syslog/mail.log
*.info;mail.none;lpr.none;local2.none;user.none /var/adm/syslog/syslog.log

lpr,local2.debug /tmp/PdLog2

user.info /opt/CA/UnicenterDSM/logs/dsmEventLog.log

Two very important rules about syslog.conf:

1. Each line is processed without any regard to a previous line. You can log things to 10 different files if you want. But the line for syslog.log must exclude what you want to be logged somewhere else. Otherwise, you get double logging.

2. syslog.conf must NEVER have any spaces. If a space appears ANYWHERE on a line, it is silently ignored, i.e., becomes a comment. All spacing is by tab characters. Use cat -vt to list syslog.conf. It will look like this:


# local5 (ftpd) logged only to /var/adm/syslog/local5.log
# kern (kernel messages) logged only to /var/adm/syslog/kern.log
# daemon (daemon messages) logged only to /var/adm/syslog/daemon.log
# auth (authentication messages) logged only to /var/adm/syslog/auth.log
# lpr (lp messages) logged only to /var/adm/syslog/lp.log


*.info;mail.none;local0.none;local5.none;auth.none;user.none;lpr.none;daemon.notice;kern.notice;^I/var/adm/syslog/syslog.log


mail.debug^I/var/adm/syslog/mail.log
local5.info^I/var/adm/syslog/ftpd.log
auth.info^I/var/adm/syslog/auth.log
daemon.info^I/var/adm/syslog/daemon.log
kern.info^I/var/adm/syslog/kern.log
lpr.info^I/var/adm/syslog/lpr.log


Bill Hassell, sysadmin
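
The two rules in the post above can be checked mechanically. The following is an added example, not part of the original post: a shell function (the names lint_syslog_conf and sample_conf are hypothetical) that flags lines containing a space and facilities that have their own log file but are not excluded with .none from a catch-all file. It compares facilities only, not priority levels, and takes the rule about spaces as stated in the post.

```shell
#!/bin/sh
# Added example (not from the thread): lint a syslog.conf for the two rules above.
# Findings, one per line:
#   SPACE <line>                         rule 2: line contains a space character
#   DOUBLE <facility> <file> <catchall>  rule 1: facility has its own file but is
#                                        not excluded (.none) from the catch-all
lint_syslog_conf() {
    awk -F'\t+' '
    /^[ \t]*(#|$)/ { next }                      # comments and blank lines
    / /            { print "SPACE " NR; next }   # rule 2
    NF < 2         { next }
    {
        n = split($1, sel, ";"); wild = 0
        for (i = 1; i <= n; i++) if (sel[i] ~ /^\*\./) wild = 1
        # only file actions matter; skip users, "*" and devices like /dev/console
        if ($2 !~ /^\// || $2 ~ /^\/dev\//) next
        if (wild) { nc++; cfile[nc] = $2 }
        for (i = 1; i <= n; i++) {
            split(sel[i], p, "."); m = split(p[1], f, ",")
            for (j = 1; j <= m; j++) {
                if (wild && p[2] == "none") excl[nc, f[j]] = 1
                if (!wild && p[2] != "none") { nd++; dfac[nd] = f[j]; dfile[nd] = $2 }
            }
        }
    }
    END {
        for (d = 1; d <= nd; d++) for (c = 1; c <= nc; c++)
            if (!((c, dfac[d]) in excl))
                print "DOUBLE " dfac[d] " " dfile[d] " " cfile[c]
    }' "$@"
}

# Constructed sample: the syslog.conf posted earlier in the thread, tab-separated.
# An optional argument replaces the selector of the syslog.log line.
sample_conf() {
    printf '%s\t%s\n' \
        'mail.debug'             '/var/adm/syslog/mail.log' \
        "${1:-*.info;mail.none}" '/var/adm/syslog/syslog.log' \
        '*.alert'                '/dev/console' \
        '*.alert'                'root' \
        '*.emerg'                '*' \
        'lpr,local2.debug'       '/tmp/PdLog2' \
        'user.info'              '/opt/CA/UnicenterDSM/logs/dsmEventLog.log'
}

# As posted: lpr, local2 and user are reported as double-logged.
sample_conf | lint_syslog_conf
# With the corrected syslog.log selector from the post above: no findings.
sample_conf '*.info;mail.none;lpr.none;local2.none;user.none' | lint_syslog_conf
```

On a real system the function takes the file as its argument, for example lint_syslog_conf /etc/syslog.conf.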
Bill Hassell
Honored Contributor

Re: Reduce the logging level of Sudo

Also, sudo can redirect its messages to another file. Just add the line logfile=/var/adm/syslog/sudo.log to your sudoers file (man sudoers).


Bill Hassell, sysadmin
Bill Hassell
Honored Contributor

Re: Reduce the logging level of Sudo

Sorry, the complete sudoers line:

Defaults logfile=/var/adm/syslog/sudo.log


Bill Hassell, sysadmin
Dennis Handly
Acclaimed Contributor

Re: Reduce the logging level of Sudo

>Sep 16 10:13:18 esmadu07 sudo: root : ;/opt/CA/UnicenterDSM/caf/bin/cfURI"

It looks like cfURI is being run over and over.
ozas
Advisor

Re: Reduce the logging level of Sudo

Hi Bill,
What I want to achieve is to reduce the amount of logs.
When I edit the sudoers file with
logfile=/var/adm/syslog/sudo.log
It logs the logs in both sudo.log and syslog.log. When I edited the /etc/syslog.conf with
*.info;mail.none;lpr.none;local2.none;user.none /var/adm/syslog/syslog.log
It stops the logs to syslog.log and only writes to sudo.log. I want some level of logs in syslog.log.
ofure
Occasional Advisor

Re: Reduce the logging level of Sudo

Hi All,

Is it possible for me to make an entry for sudo logs on /etc/syslog.conf?
Bill Hassell
Honored Contributor

Re: Reduce the logging level of Sudo

@ozas: I want some level of logs in syslog.log.

According to the sudo man pages, there appear to be no controls for logging levels.

@ofure: Is it possible for me to make an entry for sudo logs on /etc/syslog.conf

No. As mentioned above, you eliminate syslog.log messages by adding this line:

Defaults logfile=/var/adm/syslog/sudo.log

to the sudoers file (using visudo).


Bill Hassell, sysadmin
ofure
Occasional Advisor

Re: Reduce the logging level of Sudo

Hi All,
What I finally did was to add the following lines into the sudoers file:

Defaults logfile=/var/adm/sudo.log
Defaults !syslog

I created a housekeeping script to reduce the sudo.log every day. This stops the multiple logs going into syslog.log.

Regards.