▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
██ ██
█▌ - AUDITING USERS WITH SYSLOG-NG - █▌
█▌ █▌
█ ▐▌
█ Syslog-ng (ng=next generation) site is HERE, man page HERE, FAQ is HERE. ▐▌
█ This is not just a tool for logging users; it is a replacement for your ▐▌
█ syslog daemon. From the syslog-ng project's own description: "The ▐▌
█ application can operate in server or agent mode, and - apart from UDP - ▐▌
█ supports the reliable TCP and the encrypted TLS protocols. That way ▐▌
█ syslog-ng can be used to create flexible and reliable logging ▐▌
█ infrastructure even in heterogeneous environments." ▐▌
█ "syslog-ng reads and logs messages to the system console, log files, other ▐▌
█ machines and/or users as specified by its configuration file." ▐▌
█ ▐▌
█ Note that syslog-ng is a logger only; it does not report. It is up to you ▐▌
█ to choose a method to parse/view your logs. A list of log analysis ▐▌
█ programs to help you do this is in the left menu under 'LOG ▐▌
█ ANALYZERS-PARSERS'. Syslog-ng messages can be piped into a MySQL database ▐▌
█ for a beautiful web based graphical interface using LogZilla <- UPDATE: ▐▌
█ LogZilla no longer offers a free license (30 day demo only), or using ▐▌
█ Splunk (tutorial HERE). ▐▌
█ ▐▌
█ INSTALL: ▐▌
█ ```````` ▐▌
█ View HERE, or HERE if you want to install in chroot jail, otherwise: ▐▌
█ su ▐▌
█ aptitude update ▐▌
█ aptitude install syslog-ng ▐▌
█ y ▐▌
█ ▐▌
█ Output will be similar to: ▐▌
█ [snip] ▐▌
█ The following NEW packages will be installed: ▐▌
█ libevtlog0{a} syslog-ng ▐▌
█ The following packages will be REMOVED: ▐▌
█ klogd{a} sysklogd{a} ▐▌
█ [snip] ▐▌
█ Removing klogd ... ▐▌
█ Stopping kernel log daemon.... ▐▌
█ Removing sysklogd ... ▐▌
█ Stopping system log daemon.... ▐▌
█ [snip] ▐▌
█ Setting up libevtlog0 (0.2.8~1-2) ... ▐▌
█ Setting up syslog-ng (2.0.9-4.1) ... ▐▌
█ Starting system logging: syslog-ng. ▐▌
█ [snip] ▐▌
█ ▐▌
█ ps x ▐▌
█ 13395 ? Ss 0:00 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid ▐▌
█ ▐▌
█ Syslog-ng is installed with its service enabled in runlevels 2-5, so it ▐▌
█ will run after a reboot; you need not set this manually. If you would like ▐▌
█ to view its settings: ▐▌
█ sysv-rc-conf ▐▌
█ It will have this: ▐▌
█ syslog-ng [ ] [X] [X] [X] [X] [ ] [ ] [ ] ▐▌
█ ▐▌
█ Syslog-ng is highly configurable: it can alert you, apply filters, send ▐▌
█ logs to multiple destinations (such as another server, to prevent ▐▌
█ tampering with the logs), log or not log particular programs, log per ▐▌
█ host, etc. View HERE for all syslog-ng.conf default settings in an easy to ▐▌
█ view format. There are many other settings you can add to suit your needs. ▐▌
█ ▐▌
█ FILES: ▐▌
█ `````` ▐▌
█ The default configuration file is here; read it and make changes to suit ▐▌
█ your needs: ▐▌
█ cat /etc/syslog-ng/syslog-ng.conf ▐▌
█ Variables can also be set here: ▐▌
█ cat /etc/default/syslog-ng ▐▌
█ Process ID: ▐▌
█ cat /var/run/syslog-ng.pid ▐▌
█ Log: ▐▌
█ /var/log/syslog ▐▌
█ And of course it now takes over writing the normal syslog logs: ▐▌
█ /var/log/auth.log ▐▌
█ /var/log/daemon.log ▐▌
█ /var/log/debug ▐▌
█ /var/log/kern.log ▐▌
█ /var/log/mail.err ▐▌
█ /var/log/mail.log ▐▌
█ /var/log/messages ▐▌
█ /var/log/user.log ▐▌
█ /var/log/uucp.log ▐▌
█ ▐▌
█ COMMANDS: ▐▌
█ ````````` ▐▌
█ man syslog-ng ▐▌
█ To restart syslog-ng: ▐▌
█ /etc/init.d/syslog-ng restart ▐▌
█ ▐▌
█ CRON LOGS: ▐▌
█ `````````` ▐▌
█ A feature of syslog-ng is that you can have your cron jobs log to a ▐▌
█ separate file, instead of mixing with the other logs. To enable this ▐▌
█ feature: ▐▌
█ pico /etc/syslog-ng/syslog-ng.conf ▐▌
█ Has this: ▐▌
█ # this is commented out in the default syslog.conf ▐▌
█ # cron.* /var/log/cron.log ▐▌
█ #log { ▐▌
█ # source(s_all); ▐▌
█ # filter(f_cron); ▐▌
█ # destination(df_cron); ▐▌
█ #}; ▐▌
█ ▐▌
█ Change to: ▐▌
█ # this is commented out in the default syslog.conf ▐▌
█ # cron.* /var/log/cron.log ▐▌
█ log { ▐▌
█ source(s_all); ▐▌
█ filter(f_cron); ▐▌
█ destination(df_cron); ▐▌
█ }; ▐▌
█ ▐▌
█ ▐▌
█ /etc/init.d/syslog-ng restart ▐▌
█ Wait until a cron job has been run, then you'll have the file 'cron.log': ▐▌
█ ls -al /var/log/cron* ▐▌
█ cat /var/log/cron.log ▐▌
█ ▐▌
█ cron.log will be rotated as well; you needn't do anything, since it is ▐▌
█ already listed in the syslog-ng logrotate script: ▐▌
█ cat /etc/logrotate.d/syslog-ng ▐▌
█ ▐▌
█ LOG ROTATION TROUBLE SHOOTING NOTE: ▐▌
█ ``````````````````````````````````` ▐▌
█ Syslog-ng will install its own logrotate script. IF you have previously ▐▌
█ set up custom settings for any of your standard Debian logs, check whether ▐▌
█ syslog-ng has also created an entry for any of these logs here: ▐▌
█ cat /etc/logrotate.d/syslog-ng ▐▌
█ For example, I had added my own settings for auth.log, and after ▐▌
█ installing syslog-ng I noticed root had received e-mails stating: ▐▌
█ /etc/cron.daily/logrotate: ▐▌
█ error: /etc/logrotate.conf:41 duplicate log entry for /var/log/auth.log ▐▌
█ run-parts: /etc/cron.daily/logrotate exited with return code 1 ▐▌
█ ▐▌
█ To find the culprit of this error I did: ▐▌
█ grep -r auth.log /etc/* ▐▌
█ ▐▌
█ From this I discovered that syslog-ng had this file listed in its rotation ▐▌
█ script. So I then removed my custom settings (from /etc/logrotate.conf) ▐▌
█ and added them to the syslog-ng rotation settings like this: ▐▌
█ pico /etc/logrotate.d/syslog-ng ▐▌
█ Has this: ▐▌
█ /var/log/auth.log { ▐▌
█ rotate 4 ▐▌
█ missingok ▐▌
█ notifempty ▐▌
█ weekly ▐▌
█ compress ▐▌
█ } ▐▌
█ ▐▌
█ I changed it to: ▐▌
█ /var/log/auth.log { ▐▌
█ rotate 3 ▐▌
█ notifempty ▐▌
█ daily ▐▌
█ delaycompress ▐▌
█ compress ▐▌
█ create 640 root adm ▐▌
█ mailfirst ▐▌
█ mail my_email@gmail.com ▐▌
█ } ▐▌
█ ▐▌
█ Then you'll need to restart syslog-ng: ▐▌
█ /etc/init.d/syslog-ng restart ▐▌
█ ▐▌
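The grep above only looks for auth.log. As an added example (not from this page), the following POSIX shell script generalises that check: it pulls every log path that heads a stanza in the logrotate files you pass it and reports any path that appears in more than one stanza, which is exactly the condition behind the "duplicate log entry" error. It assumes, as the stanzas on this page do, that a header puts its path(s) and the opening brace on one line and that paths contain no spaces.

```shell
#!/bin/sh
# Added example, not from the mewbies page: find log paths that head more than
# one logrotate stanza, the cause of "duplicate log entry for /var/log/auth.log".
# Assumption: a stanza header keeps its path(s) and the opening "{" on one line,
# e.g. "/var/log/auth.log {" or "/var/log/syslog /var/log/cron.log {".

# logrotate_paths FILE...  -> one "PATH FILE" line per path heading a stanza
logrotate_paths() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        # keep only header lines (strip the trailing "{"), drop comment lines,
        # split multi-path headers one per line, keep absolute paths/globs only
        sed -n 's/[[:space:]]*{[[:space:]]*$//p' "$f" \
          | grep -v '^[[:space:]]*#' \
          | tr -s '[:space:]' '\n' \
          | grep '^/' \
          | awk -v f="$f" '{ print $0, f }'
    done
}

# logrotate_duplicates FILE...  -> "PATH: FILE1 FILE2 ..." for each path that
# heads more than one stanza; prints nothing when the configuration is clean
logrotate_duplicates() {
    logrotate_paths "$@" | sort | awk '
        { seen[$1] = seen[$1] " " $2; count[$1]++ }
        END { for (p in count) if (count[p] > 1) print p ":" seen[p] }
    ' | sort
}

# Usage: sh check_logrotate.sh /etc/logrotate.conf /etc/logrotate.d/*
if [ $# -gt 0 ]; then
    logrotate_duplicates "$@"
fi
```

Running it over /etc/logrotate.conf and /etc/logrotate.d/* before the daily cron job fires lets you catch a duplicate before root gets the e-mail.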
█ If you want to test log rotation without actually rotating: ▐▌
█ logrotate --debug --force /etc/logrotate.d/syslog-ng ▐▌
█ You might see an error stating no such file: ▐▌
█ [snip] ▐▌
█ error: failed to open /var/log/auth.log.1.gz for mailing: No such file or ▐▌
█ directory ▐▌
█ [snip] ▐▌
█ ▐▌
█ Then to rotate manually: ▐▌
█ logrotate --force -v /etc/logrotate.d/syslog-ng ▐▌
█ Which might also produce an error IF auth.log has grown larger than your ▐▌
█ e-mail client is set up to send - that is, IF you have it set up to be ▐▌
█ e-mailed out: ▐▌
█ [snip] ▐▌
█ Can't send mail: sendmail process failed with error code 1 ▐▌
█ [snip] ▐▌
█ ▐▌
█ So then I just ran the manual rotation one more time to make sure it all ▐▌
█ worked now that the size was down (the rotation had made a new file): ▐▌
█ logrotate --force -v /etc/logrotate.d/syslog-ng ▐▌
█ I received my e-mail again and noticed that, with the different settings ▐▌
█ it had, it left 2 stragglers from 10 days previous (when the error ▐▌
█ started): ▐▌
█ ls -al /var/log ▐▌
█ 1 root adm 5305 2010-07-28 11:00 auth.log ▐▌
█ 1 root adm 36891 2010-07-18 06:47 auth.log.0 ▐▌
█ 1 root adm 4561 2010-07-28 10:59 auth.log.1 ▐▌
█ 1 root adm 1292972 2010-07-18 06:25 auth.log.2 ▐▌
█ 1 root adm 3775 2010-07-28 10:57 auth.log.2.gz ▐▌
█ 1 root adm 508 2010-07-28 10:24 auth.log.3.gz ▐▌
█ ▐▌
█ Or you might have received the error: ▐▌
█ old log /var/log/auth.log.0.gz does not exist ▐▌
█ So then I did: ▐▌
█ gzip /var/log/auth.log.0 ▐▌
█ gzip /var/log/auth.log.2 ▐▌
█ y ▐▌
█ ▐▌
█ logrotate --force -v /etc/logrotate.d/syslog-ng ▐▌
█ And all is fine now: ▐▌
█ ls -al /var/log/auth.* ▐▌
█ Then download auth.log.2.gz if you need it for your records before it is ▐▌
█ rotated out. ▐▌
█ ▐▌
█ //---------------------------------------------------------------------- ▐▌
█ ▐▌
█ If you find mistakes, have suggestions and/or questions, please post at ▐▌
█ mewbies forum HERE - thank you. ▐▌
█ ▐▌
█ Last update on 06 Aug '10 ▐▌
█ ▐▌
█▌ █▌
█▌ - mewbies.com - █▌
█▌ █▌
██▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄██