<div dir="ltr"><div>Thank you Scot, Jim, Bazsi.</div><div><br></div><div>Jim/Bazsi, thank you for the detailed explanation.</div><div>Jim, I was not aware of this unix behavior; I always learn from all of you. Thank you.</div><div>Bazsi, I am trying to set up auditd as suggested, thank you very much.</div><div><br></div><div>Vijay Amrut.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, May 10, 2017 at 8:52 PM, Scheidler, Balázs <span dir="ltr">&lt;<a href="mailto:balazs.scheidler@balabit.com" target="_blank">balazs.scheidler@balabit.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto">I think the answer you are looking at is auditd, which can generate audit entries for all exec() system calls (set up using auditctl).<div dir="auto"><br></div><div dir="auto">Then have auditd send its entries to syslog.</div><div dir="auto"><br></div><div dir="auto">The format of the audit log is a name-value format that can be parsed by linux-audit-parser(), which is built into syslog-ng. You'll probably also need to correlate multiple messages, as a single event produces multiple audit entries. That can be achieved using grouping-by(), again a parser built into syslog-ng.</div><div dir="auto"><br></div><div dir="auto">Hth,</div><div dir="auto">Bazsi</div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On May 11, 2017 3:21 AM, "Jim Hendrick" &lt;<a href="mailto:james.r.hendrick@gmail.com" target="_blank">james.r.hendrick@gmail.com</a>&gt; wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Your syslog-ng config is fine. The problem is your understanding of how sudo logs vs. commands run in a shell.<div><br></div><div>sudo the program is written specifically to log all its commands. Shells are not.
They write history files, but do not send the commands to the kernel logging facility.</div><div><br></div><div>There are certainly ways to deal with this, but the best answer is to use sudo. Basically, do not allow users to log in (or su) to root directly. Often this is done in the sudoers file with something like</div><div>&lt;user&gt; all, !shells</div><div><br></div><div>where the "shells" macro is expanded to whatever is installed as system shells (e.g. /bin/bash, /bin/csh, /bin/sh, etc.)</div><div><br></div><div>Why shells do not log all commands to the kernel is a topic for philosophical analysis of the development of unix :-)</div><div><br></div><div>Seriously - just say no to root shell!</div><div><br></div><div>Best,</div><div>Jim</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, May 10, 2017 at 7:33 PM, vijay amruth <span dir="ltr">&lt;<a href="mailto:vijayamruth@gmail.com" target="_blank">vijayamruth@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hello everyone, here is my configuration file. I am unable to track root activity; I am able to track user activity, like the commands run, etc.<div><br></div><div>For example: if I run a command as sudo, I see it in the log; however, the same command when switched to root is not being tracked.</div><div><br></div><div>Any help is appreciated.
Thank you.<div><br></div><div><br></div><div><pre>
@version:3.9
@include "scl.conf"

options { threaded(yes); };

source s_sys {
    unix-stream("/dev/log");
    system();
    internal();
};

# Destinations
##############

destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog" flush_lines(10)); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_kern { file("/var/log/kern"); };
destination d_mlal { usertty("*"); };

# Filters
##########

filter f_kernel { facility(kern); };
filter f_default { level(info..emerg) and
    not (facility(mail)
    or facility(authpriv)
    or facility(cron)); };
filter f_auth { facility(authpriv); };
filter f_mail { facility(mail); };
filter f_emergency { level(emerg); };
filter f_news { facility(uucp) or
    (facility(news)
    and level(crit..emerg)); };
filter f_boot { facility(local7); };
filter f_cron { facility(cron); };

# Log Bindings
##############

#log { source(s_sys); filter(f_kernel); destination(d_cons); };
log { source(s_sys); filter(f_kernel); destination(d_kern); };
log { source(s_sys); filter(f_default); destination(d_mesg); };
log { source(s_sys); filter(f_auth); destination(d_auth); };
log { source(s_sys); filter(f_mail); destination(d_mail); };
log { source(s_sys); filter(f_emergency); destination(d_mlal); };
log { source(s_sys); filter(f_news); destination(d_spol); };
log { source(s_sys); filter(f_boot); destination(d_boot); };
log { source(s_sys); filter(f_cron); destination(d_cron); };
</pre><span class="m_3252968202890052851m_-2181822739431276719HOEnZb"><font color="#888888"><div><br></div><div><br></div><div><br></div>-- <br><div class="m_3252968202890052851m_-2181822739431276719m_6123207942973798069gmail_signature"><div dir="ltr"><div>Thanks,<div>Vijay.</div></div></div></div>
</font></span></div></div></div>
<br>______________________________<wbr>______________________________<wbr>__________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailm<wbr>an/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support<wbr>/documentation/?product=syslog<wbr>-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/sy<wbr>slog-ng-faq</a><br>
<br>
<br></blockquote></div><br></div>
<br></blockquote></div></div>
</div></div>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div>Thanks,<div>Vijay Amrut.</div></div></div></div>
</div>
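Bazsi's suggestion above (auditd entries per exec(), parsed as name-value pairs and then correlated, since one exec() produces several audit records) as an added example that is not part of this thread or of syslog-ng: a small Python stand-in for what linux-audit-parser() and grouping-by() do, which groups the SYSCALL, EXECVE, CWD and PROCTITLE records sharing one audit(timestamp:serial) id into a single event. The sample records are constructed, not captured logs.

```python
import re

# Constructed sample (not captured logs): the records auditd writes for two exec() calls from
# a root shell. auid keeps the login uid (1000) while uid is 0; SYSCALL a0..a3 registers omitted.
SAMPLE = """\
type=SYSCALL msg=audit(1494461530.123:4521): arch=c000003e syscall=59 success=yes exit=0 ppid=2100 pid=2233 auid=1000 uid=0 euid=0 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="exec"
type=EXECVE msg=audit(1494461530.123:4521): argc=2 a0="cat" a1="/etc/shadow"
type=CWD msg=audit(1494461530.123:4521): cwd="/root"
type=PROCTITLE msg=audit(1494461530.123:4521): proctitle=636174002F6574632F736861646F77
type=SYSCALL msg=audit(1494461531.456:4522): arch=c000003e syscall=59 success=yes exit=0 ppid=2100 pid=2240 auid=1000 uid=0 euid=0 tty=pts0 ses=3 comm="id" exe="/usr/bin/id" key="exec"
type=EXECVE msg=audit(1494461531.456:4522): argc=1 a0="id"
"""

HEADER_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare

def parse_record(line):
    """Split one audit line into (type, 'timestamp:serial', fields); None if not an audit record."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(body):
        # auditd hex-encodes (rather than quotes) string values holding spaces or control bytes:
        # EXECVE argv entries and the NUL-separated proctitle are the usual cases.
        is_str = (key[0] == "a" and key[1:].isdigit()) if rtype == "EXECVE" else key == "proctitle"
        if bare and is_str and re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', bare):
            bare = bytes.fromhex(bare).decode("utf-8", "replace").replace("\0", " ")
        fields[key] = quoted or bare
    return rtype, f"{ts}:{serial}", fields

def correlate(lines):
    """Fold the several records auditd emits per exec() into one event, keyed by timestamp:serial."""
    events = {}
    for rtype, event_id, rec in filter(None, map(parse_record, lines)):
        ev = events.setdefault(event_id, {"id": event_id, "argv": []})
        if rtype == "SYSCALL":
            ev.update({k: rec.get(k) for k in ("auid", "uid", "euid", "tty", "ses", "exe", "comm", "success", "key")})
        elif rtype == "EXECVE":
            ev["argv"] = [rec[f"a{i}"] for i in range(int(rec["argc"])) if f"a{i}" in rec]
        elif rtype in ("CWD", "PROCTITLE"):
            ev.update(rec)   # contributes cwd= or proctitle=
    return list(events.values())

def summarize(ev):
    """One syslog-friendly line per exec; auid is the login user behind the root shell."""
    return f"exec auid={ev.get('auid')} uid={ev.get('uid')} tty={ev.get('tty')} cwd={ev.get('cwd', '?')} cmd={' '.join(ev['argv'])}"
```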