
Darryl Gregorash wrote:
On 2007-05-29 14:33, Andreas wrote:
Hi, sorry for not using English in the other post.
I've got an old SuSE 9.3 system that serves as a firewall/router/samba for a small office. I use ssh for maintenance. Recently I learned that on other systems there is a /var/log/auth.log that logs who is coming in. This file doesn't exist on my system and I couldn't find an entry in the 2 files in /etc/syslog-ng. Could someone give me a hint how to set this auth.log up? I have to admit that I'm not really hot with this setup stuff that goes beyond yast.
Those other systems are probably using the syslogd daemon, which is the default. Syslog-ng is significantly better, so I don't know why it isn't the default.
By default, all these log messages are going to /var/log/messages. You need to create a new filter and destination in /etc/syslog-ng.conf.in for messages from facility "authpriv", run (as root) "/sbin/SuSEconfig --module syslog-ng" (this will create the .conf file from your changed .conf.in file -- note that 10.0 and later no longer use the .conf.in file), then "rcsyslog reload" (force syslog-ng to re-read its configuration file).
The following will log everything on facility authpriv to /var/log/auth.log:
    filter f_authpriv { facility(authpriv); };
    destination authpriv { file("/var/log/auth.log"); };
    log { source(src); filter(f_authpriv); destination(authpriv); };
By default, /var/log/auth.log will be created with owner:group as root:root and permissions 0600, so security should not be an issue. If you wish group root to be able to read the file also, then change the "destination" line above to read:
destination authpriv { file("/var/log/auth.log" perm(0660)); };
The messages will still be logged to /var/log/messages. If you don't want them in there, you also need to change this line:
filter f_messages { not facility(news, mail) and not filter(f_iptables); };
to read
filter f_messages { not facility(news, mail) and not filter(f_iptables) and not filter(f_authpriv); };
Hello! Nice tip!
To avoid unreadably long logfiles, edit the logrotate service to rotate your logs in fixed periods, like monthly. To proceed, add these extra lines to /etc/logrotate.conf:
    /var/log/auth.log {
        monthly
        create 0660 root root
        rotate 1
    }
It will create an auth.log.<date> after each logrotate call with the same permissions as above. Logrotate should be done via a crond job, so afaik you do not need to restart the service, as crond calls the script itself.
With best regards
Philippe
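Added example, not part of the thread and not syslog-ng's own parser: a small Python check that reads a syslog-ng configuration and reports which files receive authpriv messages and with what perm() value, so the effect of the f_messages change can be confirmed before reloading. The f_iptables body, the "messages" destination and the function names are assumptions, and only flat statements like those in the thread are handled.

```python
import re

# Constructed sample: the thread's statements plus an assumed f_iptables
# filter and "messages" destination so the fragment is complete.
SAMPLE_CONF = '''
filter f_iptables { facility(kern) and match("IN="); };
filter f_authpriv { facility(authpriv); };
filter f_messages { not facility(news, mail) and not filter(f_iptables); };
destination authpriv { file("/var/log/auth.log" perm(0660)); };
destination messages { file("/var/log/messages"); };
log { source(src); filter(f_authpriv); destination(authpriv); };
log { source(src); filter(f_messages); destination(messages); };
'''

STMT = re.compile(r'\b(filter|destination)\s+(\w+)\s*\{([^{}]*)\}\s*;')
LOG = re.compile(r'\blog\s*\{([^{}]*)\}\s*;')
SAFE = re.compile(r'(?:\s|\(|\)|and|or|not|True|False)*')

def matches(expr, facility, filters):
    """Evaluate and/or/not over facility() and filter() for one facility.
    Other tests (level(), match(), ...) are assumed to be able to pass."""
    def term(m):
        fn, args = m.group(1), m.group(2)
        if fn == "facility":
            return str(facility in [a.strip() for a in args.split(",")])
        if fn == "filter":
            return str(matches(filters[args.strip()], facility, filters))
        return "True"
    py = re.sub(r'(\w+)\(([^()]*)\)', term, expr)
    if not SAFE.fullmatch(py):  # only boolean tokens may reach eval()
        raise ValueError("unsupported filter expression: " + expr)
    return eval(py, {"__builtins__": {}})

def files_receiving(conf, facility="authpriv"):
    """Return {file path: perm() value or None} for every file destination
    that messages of `facility` reach through some log statement."""
    filters, dests = {}, {}
    for kind, name, body in STMT.findall(conf):
        (filters if kind == "filter" else dests)[name] = body.strip().rstrip(";")
    out = {}
    for body in LOG.findall(conf):
        used = re.findall(r'filter\((\w+)\)', body)
        if not all(matches(filters[f], facility, filters) for f in used):
            continue
        for d in re.findall(r'destination\((\w+)\)', body):
            path = re.search(r'file\("([^"]+)"', dests[d])
            perm = re.search(r'perm\((\d+)\)', dests[d])
            if path:
                out[path.group(1)] = perm.group(1) if perm else None
    return out

if __name__ == "__main__":
    print(files_receiving(SAMPLE_CONF))
```

With the sample as written, /var/log/messages still appears in the result; after appending "and not filter(f_authpriv)" to f_messages, only /var/log/auth.log remains.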