Your syslog-ng config is fine. The problem is your understanding of how sudo logs vs. commands run in a shell. sudo the program is written specifically to log all its commands. Shells are not. They write history files, but do not send the commands to the kernel logging facility.

There are certainly ways to deal with this, but the best answer is to use sudo. Basically, do not allow users to log in (or su) to root directly. Often this is done in the sudoers file with something like <user> all, !shells, where the "shells" macro is expanded to whatever is installed as system shells (e.g. /bin/bash, /bin/csh, /bin/sh, etc.).

Why shells do not log all commands to the kernel is a topic for philosophical analysis of the development of unix :-)

Seriously - just say no to root shell!

Best,
Jim

On Wed, May 10, 2017 at 7:33 PM, vijay amruth <vijayamruth@gmail.com> wrote:
Hello everyone, here is my configuration file. I am unable to track root activity; I am able to track user activity, like the commands run, etc.

For example: if I run a command as sudo, I see it in the log; however, the same command, when switched to root, is not being tracked.

Any help is appreciated. Thank you.
@version:3.9
@include "scl.conf"

options { threaded(yes); };

source s_sys {
    unix-stream("/dev/log");
    system();
    internal();
};

# Destinations ##############
destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog" flush_lines(10)); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_kern { file("/var/log/kern"); };
destination d_mlal { usertty("*"); };

# Filters ##########
filter f_kernel { facility(kern); };
filter f_default { level(info..emerg) and not (facility(mail) or facility(authpriv) or facility(cron)); };
# sudo logs through authpriv, so its COMMAND= lines end up in /var/log/secure
filter f_auth { facility(authpriv); };
filter f_mail { facility(mail); };
filter f_emergency { level(emerg); };
filter f_news { facility(uucp) or (facility(news) and level(crit..emerg)); };
filter f_boot { facility(local7); };
filter f_cron { facility(cron); };

# Log Bindings ##############
#log { source(s_sys); filter(f_kernel); destination(d_cons); };
log { source(s_sys); filter(f_kernel); destination(d_kern); };
log { source(s_sys); filter(f_default); destination(d_mesg); };
log { source(s_sys); filter(f_auth); destination(d_auth); };
log { source(s_sys); filter(f_mail); destination(d_mail); };
log { source(s_sys); filter(f_emergency); destination(d_mlal); };
log { source(s_sys); filter(f_news); destination(d_spol); };
log { source(s_sys); filter(f_boot); destination(d_boot); };
log { source(s_sys); filter(f_cron); destination(d_cron); };
--
Thanks,
Vijay.
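As an added example (not code from either poster), a small POSIX shell script run over constructed /var/log/secure-style lines illustrates Jim's point: every sudo invocation records a COMMAND= line, while obtaining a root shell (via su, or via sudo of a listed shell) leaves only the escalation line and nothing about what was run afterwards. The log lines and the shell list are constructed assumptions, not taken from the original poster's host.

```shell
#!/bin/sh
# Added example, not from the thread. Runs over constructed /var/log/secure-style
# lines to show what sudo records (one COMMAND= line per invocation) and to flag
# the root-shell acquisitions that leave no further command trail.

# Constructed sample log lines in the usual sudo / su-pam syslog format.
SAMPLE_LOG='May 10 19:30:01 host sudo:   vijay : TTY=pts/0 ; PWD=/home/vijay ; USER=root ; COMMAND=/usr/bin/tail /var/log/messages
May 10 19:31:12 host sudo:   vijay : TTY=pts/0 ; PWD=/home/vijay ; USER=root ; COMMAND=/bin/bash
May 10 19:32:40 host su: pam_unix(su-l:session): session opened for user root by vijay(uid=1000)
May 10 19:33:05 host sudo:   alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart syslog-ng'

# Hypothetical shell list; on a real host take this from /etc/shells.
SHELLS='/bin/bash /bin/sh /bin/csh /bin/zsh'

# One "user<TAB>command" line per sudo invocation: the audit trail sudo provides.
sudo_commands() {
    printf '%s\n' "$SAMPLE_LOG" | awk '
        / sudo: / {
            user = $6                 # invoking user follows "sudo:"
            sub(/.*COMMAND=/, "")     # keep only the command and its arguments
            print user "\t" $0
        }'
}

# One line per root-shell acquisition: sudo of a listed shell, or su to root.
# Whatever is typed in that shell never reaches syslog, which is the gap the
# original poster saw.
root_shell_escalations() {
    printf '%s\n' "$SAMPLE_LOG" | awk -v shells="$SHELLS" '
        BEGIN { n = split(shells, s, " "); for (i = 1; i <= n; i++) isshell[s[i]] = 1 }
        / sudo: / && /USER=root ; COMMAND=/ {
            cmd = $0; sub(/.*COMMAND=/, "", cmd); split(cmd, argv, " ")
            if (argv[1] in isshell) print "sudo-shell\t" $6 "\t" argv[1]
        }
        / su: / && /session opened for user root by/ {
            by = $0; sub(/.*by /, "", by); sub(/\(.*/, "", by)
            print "su-root\t" by "\t(no per-command logging follows)"
        }'
}

sudo_commands
root_shell_escalations
```

The second report is the list of events a sudoers rule like Jim's <user> all, !shells is meant to make rare, and the ones worth alerting on while such a rule is not yet in place.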