Re: tracing login, logout to remote syslogd daemon

RiclyLeRoy · ‎11-14-2009

I have Unix server with HP-UX B.11.00 and I'm going to trace both every logins and every logout of this system, and sending these logs to
remote syslogd daemon of another server (Fedora core 3).
This Fedora server is central log server which will receive logs from remote systems.
What do you suggest me to configure HP-UX for tracking this login and logout to remote syslogd ?

Michael Steele_2 · ‎11-14-2009

Hi

This is done automatically for you by the wtmp file, last and lastb commands.

Support Fatherhood - Stop Family Law

Johnson Punniyalingam · ‎11-14-2009

As mentioned above, all login & logout traced by wtmp,last command,

Couple of choices,

you can write a scrip to copy /sftp to your centralized log server

or Enabling Audting -> and sftp the auditlog to centralized log server

Problems are common to all, but attitude makes the difference

Michael Steele_2 · ‎11-14-2009

Hi

sftp is found within the ssh download and is not basic to HP-UX. Nor do I see the relevance here.

Support Fatherhood - Stop Family Law

Vishu · ‎11-14-2009

Hi,

/var/adm/wtmp contains all your login and logout details. You can use 'last' command to get those details. whereas 'lastb' command will give you only bad login information.

you can ftp those details acorss your central server.

Michael Steele_2 · ‎11-14-2009

Hi

Rethought this a bit tonight. This is Fedora that your using, so like HP-UX there is a 'logger' command which writes to syslog.log.

last > file
ftp file fedora:/file
cat fedora:/file | logger

Support Fatherhood - Stop Family Law

RiclyLeRoy · ‎11-15-2009

I know both last and lastb commands but format of wtmp file is specific, it's not text file so only "last" command can interpret its content.
My scope is to register every login and logout events in my Fedora log server, where syslogd daemon receives them on 514 port from remote machines.

1 - The unique mode to send events is by sftp command ? Could I use HPUX syslog to send events to central log server ?
I was interesting to send HPUX log directly to remote syslog but I can understand it's not possibile.

2- Once I move log file to central server I can route to syslog by "cat log file " | logger ?

Michael Steele_2 · ‎11-15-2009

HI

If you have syslogd already remotely set up to log into the Fedora server, then

last | logger

... will update both the local and the remote fedora syslog.log.

Support Fatherhood - Stop Family Law

Michael Steele_2 · ‎11-15-2009

Ricky

Just write a daily cron that captures today's logins from the last command and pipe it into logger.

If you looking for away to get real time updates then refer to the internals of wtmp.

Support Fatherhood - Stop Family Law

Johnson Punniyalingam · ‎11-15-2009

>>>1 - The unique mode to send events is by sftp command ? Could I use HPUX syslog to send events to central log server ?
I was interesting to send HPUX log directly to remote syslog but I can understand it's not possibile.<<<<<

Yes Its possible.
Events refering to system events (syslog) ?

if I am not you can redirect syslog to your centralized server, by editing the syslog.conf

Check below Thread,

http://forums13.itrc.hp.com/service/forums/questionanswer.do?threadId=1370494

Problems are common to all, but attitude makes the difference

RiclyLeRoy · ‎11-15-2009

Hi Michael,
if I undesrtand right you suugest me to use "last | logger" on my HP-UX server to send the output of "last" command to its syslogd daemon.
Syslogd daemon on HP-UX is already set to forward *.debug logs to my remote central log server (Fedora).
I didn't understand for updates in real time if there is solution on HP-UX.

Hi Johnson,
I know how to set events forwarding to remote syslogd in syslog.conf, infact I already set it on my HP-UX.
But events (to which I'm interesting) refering to system are about login and logout information, which I can find in wtmp file.

Thank you to all people for your precious help

Michael Steele_2 · ‎11-15-2009

a) have you tried last | logger? What happens?

Support Fatherhood - Stop Family Law

OldSchool · ‎11-15-2009

in syslog.conf, the

auth.info ...

facility should pick up authorozation releated info that you can then pass to the central server, but, again, may not pick up the logout information

RiclyLeRoy · ‎11-15-2009

Michael,
I'd like trying 'last | logger' command, but where I can set it ? In one script to run at system boot ?

Michael Steele_2 · ‎11-15-2009

HI

last | logger can be run from the command line. It runs once and updates syslog.log.

Set in a script that filters only today's date. Use grep and date commands. Then put it in a cron to run every midnight. Verify that it gets to both local and remote / fedora servers.

The above response from Old School and auth: info is a option you set in syslog.conf. Since you already added @fedora_host_name to the HP-UX syslog.conf you should know this file. So just add @fedora_host_name to the auth:info line.

Also every response above deserves 0 to 10 points assigned. Please make sure you do this and also close the thread when ready.

Support Fatherhood - Stop Family Law

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Re: tracing login, logout to remote syslogd daemon

tracing login, logout to remote syslogd daemon