[syslog-ng] Unable to track root activity in syslog-ng

Scot scotrn at gmail.com
Thu May 11 01:19:48 UTC 2017


sudo is what is logging, not the shell.
Either use sudo as root, or disable users from using root by binding it to
console login only, or look at auditd.



On Wed, May 10, 2017 at 7:33 PM, vijay amruth <vijayamruth at gmail.com> wrote:

> Hello everyone, here is is my configuration file, I am unable to track
> root activity, I am able to track user activity like the commands ran etc.
>
> For example: If I run a command as sudo, I see it in the log however the
> same command when switched to root is not being tracked.
>
> Any help is appreciated. Thank you.
>
>
> @version:3.9
> @include "scl.conf"
>
>
> options { threaded(yes); };
>
>
> source s_sys {
>     unix-stream("/dev/log");
>     system();
>     internal();
>
> };
>
>
> # Destinations
> ##############
>
> destination d_cons { file("/dev/console"); };
> destination d_mesg { file("/var/log/messages"); };
> destination d_auth { file("/var/log/secure"); };
> destination d_mail { file("/var/log/maillog" flush_lines(10)); };
> destination d_spol { file("/var/log/spooler"); };
> destination d_boot { file("/var/log/boot.log"); };
> destination d_cron { file("/var/log/cron"); };
> destination d_kern { file("/var/log/kern" ); };
> destination d_mlal { usertty("*"); };
>
>
> # Filters
> ##########
>
> filter f_kernel     { facility(kern); };
> filter f_default    { level(info..emerg) and
>                         not (facility(mail)
>                         or facility(authpriv)
>                         or facility(cron)); };
> filter f_auth       { facility(authpriv); };
> filter f_mail       { facility(mail); };
> filter f_emergency  { level(emerg); };
> filter f_news       { facility(uucp) or
>                         (facility(news)
>                         and level(crit..emerg)); };
> filter f_boot   { facility(local7); };
> filter f_cron   { facility(cron); };
>
> # Log Bindings
> ##############
>
>
> #log { source(s_sys); filter(f_kernel); destination(d_cons); };
> log { source(s_sys); filter(f_kernel); destination(d_kern); };
> log { source(s_sys); filter(f_default); destination(d_mesg); };
> log { source(s_sys); filter(f_auth); destination(d_auth); };
> log { source(s_sys); filter(f_mail); destination(d_mail); };
> log { source(s_sys); filter(f_emergency); destination(d_mlal); };
> log { source(s_sys); filter(f_news); destination(d_spol); };
> log { source(s_sys); filter(f_boot); destination(d_boot); };
> log { source(s_sys); filter(f_cron); destination(d_cron); };
>
>
>
> --
> Thanks,
> Vijay.
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>
>
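The point Scot makes above is that the audit trail lives in sudo's own log lines, so the useful thing the existing configuration can still give you is the exact moment a user leaves that trail by opening an interactive root shell. The script below is an added example, not code from the thread or from syslog-ng; it parses /var/log/secure-style lines (the sample lines are constructed, with made-up host and user names) and reports every sudo invocation of a shell or su as root, and every su PAM session opened for root, since nothing run inside those sessions will appear in syslog.

```python
"""Flag where a user leaves the sudo audit trail for an interactive root shell.

Input is text in the format sudo and su (via pam_unix) write to /var/log/secure
on RHEL-style systems. The sample below is constructed for this example.
"""
import re

# Constructed sample lines (not taken from the original thread).
SAMPLE_SECURE_LOG = """\
May 10 19:20:01 host1 sudo:   vijay : TTY=pts/0 ; PWD=/home/vijay ; USER=root ; COMMAND=/bin/cat /etc/shadow
May 10 19:21:15 host1 sudo:   vijay : TTY=pts/0 ; PWD=/home/vijay ; USER=root ; COMMAND=/bin/su -
May 10 19:21:15 host1 su: pam_unix(su-l:session): session opened for user root by vijay(uid=0)
May 10 19:25:42 host1 su: pam_unix(su-l:session): session closed for user root
May 10 19:30:03 host1 sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
May 10 19:31:00 host1 sudo:      bob : TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/systemctl status sshd
"""

# "sudo: <user> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>"
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)
# "su: pam_unix(su-l:session): session opened for user root by <user>(uid=N)"
SU_SESSION_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) su: pam_unix\(su(?:-l)?:session\): "
    r"session (?P<action>opened|closed) for user (?P<target>\S+)"
    r"(?: by (?P<user>[^(\s]+)\(uid=\d+\))?$"
)

# Programs that hand the caller an interactive shell. Once one of these runs
# as root, the commands typed into it are never logged by sudo.
SHELL_PROGRAMS = {"bash", "sh", "dash", "zsh", "ksh", "su"}


def parse_secure_log(text):
    """Return one dict per recognised sudo or su session line, in file order."""
    events = []
    for line in text.splitlines():
        m = SUDO_RE.match(line)
        if m:
            events.append({"kind": "sudo", **m.groupdict()})
            continue
        m = SU_SESSION_RE.match(line)
        if m:
            events.append({"kind": "su_" + m.group("action"), **m.groupdict()})
    return events


def spawns_root_shell(event):
    """True if this event starts a root session whose commands syslog will not see."""
    if event["kind"] == "sudo":
        parts = event["cmd"].split()
        program = parts[0].rsplit("/", 1)[-1] if parts else ""
        return event["target"] == "root" and program in SHELL_PROGRAMS
    return event["kind"] == "su_opened" and event["target"] == "root"


def find_untracked_root_sessions(text):
    """Events after which root activity is no longer tracked by sudo's logging."""
    return [e for e in parse_secure_log(text) if spawns_root_shell(e)]


if __name__ == "__main__":
    for e in find_untracked_root_sessions(SAMPLE_SECURE_LOG):
        detail = e.get("cmd") or "su session opened"
        print(f"{e['ts']} {e['host']}: {e['user']} -> root via {e['kind']}: {detail}")
```

On the sample data the script reports vijay's `sudo /bin/su -`, the matching su session opened for root, and alice's `sudo /bin/bash`; bob's `systemctl` line is an ordinary tracked command and is not flagged. This tells you where the gap starts but not what happened inside it, which is why the reply above points to auditd (or to restricting root to console login) for the commands run after the switch.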

