HPE Community
Operating System - HP-UX
1834771 Members
3272 Online
110070 Solutions
New Discussion

syslog login needs improvements

 
SOLVED
Go to solution
D Block 2
Respected Contributor

‎09-16-2004 09:56 AM

‎09-16-2004 09:56 AM

syslog login needs improvements

I'm attempting to replicate what Linux (and even Solaris) can do with "login" info to Syslog.

A simple event turn-on providing "login" identification is what I wanted. I don't want to run #last or #lastb commands into /var/adm/syslog/syslog.log.

is there anyway of improving "login" events using syslog.conf entries of:
"auth.info" or "auth.note" events ?

Is there a Patch that can do this for "telnet" and "rlogin" ?

Can we somehow or some method provide simple "login" info logging on HPUX ? (I'm not interested in running TcpWrappers.) (An HP eng., suggested using #logger in /etc/profile, which sounds good, real good, but missing some info like TTY-dev and process-id.) Granted, one can obtain this data from who -T and grep'ing for tty device.. and then running #logger. but sounds like alot of work. And, what if the /etc/profile aborts due to a bad shell command, then users won't be able to login.

is there something out there, that provides a similar look and feel of output like Linux. See Linux below.

here's some notes:

Here's what Syslog contains for:
(1) Linux,
(2) Solaris.


(1) linux:

/etc/syslog.conf

entry:
auth.info /var/log/messages

- Linux succesful login event:

Sep 16 17:52:56 tivolimn1 sshd(pam_unix)[31504]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=172.16.x.y user=root


- Linux invalid login user
Sep 16 17:57:58 tivolimn1 sshd(pam_unix)[31562]: check pass; user unknown
Sep 16 17:57:58 tivolimn1 sshd(pam_unix)[31562]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=172.16.x.y
Sep 16 17:58:03 tivolimn1 sshd(pam_unix)[31562]: check pass; user unknown


(2) Solaris: for a successful login, you get:


Sep 16 17:37:31 nhsun04 login: [ID 254462 auth.notice] ROOT LOGIN /dev/pts/7 FROM 172.16.0.209

Golf is a Good Walk Spoiled, Mark Twain.
0 Kudos
3 REPLIES 3
Bill Hassell
Honored Contributor

‎09-16-2004 11:01 AM

‎09-16-2004 11:01 AM

Solution

Re: syslog login needs improvements

HP-UX 11.11 uses PAM for all authentication. You can loggin options for ssh in /etc/opt/ssh/sshd_conf. For a normal login, you can add this to /etc/profile:

TTY=$(tty)
RHOST=$(who -muR | awk '{print $NF}')
UID=$(id -ur)
EUID=$(id -u)
RUSER=$(id -un)
logger -t "login-info" -p auth.info "logname=$LOGNAME uid=$UID euid=$EUID tty=$TTY ruser=$RUSER
rhost=$RHOST"

This only writes a syslog message when the user is successful in getting a login.


Bill Hassell, sysadmin
0 Kudos
D Block 2
Respected Contributor

‎09-16-2004 02:18 PM

‎09-16-2004 02:18 PM

Re: syslog login needs improvements

Bill,
glad to cya.. and thanks for the hints and details.. I'll give it a try..

btw, Solaris only provides log entry on a successful login. whereas, Linux also provides the un-successful login logging.

thanks,
Tom
Golf is a Good Walk Spoiled, Mark Twain.
0 Kudos
D Block 2
Respected Contributor

‎09-16-2004 11:40 PM

‎09-16-2004 11:40 PM

Re: syslog login needs improvements

Bill- thanks again. implemented this in production servers.. looks just like Linux logging to SysLog. -Tom
Golf is a Good Walk Spoiled, Mark Twain.
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.