
On 2007-05-29 14:33, Andreas wrote:
Hi, sorry for not using English in the other post.
I've got an old SuSE 9.3 system that serves as a firewall/router/samba for a small office. I use ssh for maintenance. Recently I learned that on other systems there is a /var/log/auth.log that logs who is coming in. This file doesn't exist on my system and I couldn't find an entry in the 2 files in /etc/syslog-ng. Could someone give me a hint how to set this auth.log up? I have to admit that I'm not really hot with this setup stuff that goes beyond yast.

Those other systems are probably using the syslogd daemon, which is the default. Syslog-ng is significantly better, so I don't know why it isn't the default.

By default, all these log messages are going to /var/log/messages. You need to create a new filter and destination in /etc/syslog-ng.conf.in for messages from facility "authpriv", run (as root) "/sbin/SuSEconfig --module syslog-ng" (this will create the .conf file from your changed .conf.in file -- note that 10.0 and later no longer use the .conf.in file), then "rcsyslog reload" (force syslog-ng to re-read its configuration file).

The following will log everything on facility authpriv to /var/log/auth.log:

    filter f_authpriv { facility(authpriv); };
    destination authpriv { file("/var/log/auth.log"); };
    log { source(src); filter(f_authpriv); destination(authpriv); };

By default, /var/log/auth.log will be created with owner:group as root:root and permissions 0600, so security should not be an issue. If you wish group root to be able to read the file also, then change the "destination" line above to read:

    destination authpriv { file("/var/log/auth.log" perm(0660)); };

The messages will still be logged to /var/log/messages. If you don't want them in there, you also need to change this line:

    filter f_messages { not facility(news, mail) and not filter(f_iptables); };

to read

    filter f_messages { not facility(news, mail) and not filter(f_iptables) and not filter(f_authpriv); };

--
Hypocrisy is the homage vice pays to virtue. -- François de La Rochefoucauld
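
An offline check of the configuration described in the reply above, as an added example that is not part of the original post: it parses a config fragment and reports which file receives authpriv messages, whether a perm() setting on it grants access to others, and whether f_messages still duplicates those messages into /var/log/messages. The sample config is constructed, and the helper names blocks and audit are assumptions made for this illustration.

```python
import re

# Constructed sample (not from a real host): stock-style f_messages plus the
# authpriv filter, destination and log path described in the post.
SAMPLE_CONF = """
filter f_iptables { facility(kern) and match("IN=") and match("OUT="); };
filter f_messages { not facility(news, mail) and not filter(f_iptables); };
filter f_authpriv { facility(authpriv); };
destination messages { file("/var/log/messages"); };
destination authpriv { file("/var/log/auth.log" perm(0660)); };
log { source(src); filter(f_messages); destination(messages); };
log { source(src); filter(f_authpriv); destination(authpriv); };
"""

def blocks(kind, conf):
    """Return {name: body} for statements shaped like 'kind NAME { body };'."""
    return dict(re.findall(kind + r"\s+(\w+)\s*\{(.*?)\};", conf, re.S))

def audit(conf):
    conf = re.sub(r"#.*", "", conf)  # drop comments (naive: '#' in strings too)
    filters, dests = blocks("filter", conf), blocks("destination", conf)
    # Filters that positively select facility authpriv.
    auth = [n for n, b in filters.items()
            if re.search(r"(?<!not )facility\([^)]*\bauthpriv\b", b)]
    report = {"auth_files": [], "world_accessible": [], "comma_in_log_path": False}
    for body in re.findall(r"\blog\s*\{(.*?)\};", conf, re.S):
        # Log path elements end with ';', a ',' between them is a syntax error.
        if re.search(r"\)\s*,", body):
            report["comma_in_log_path"] = True
        if not set(re.findall(r"filter\((\w+)\)", body)) & set(auth):
            continue
        for d in re.findall(r"destination\((\w+)\)", body):
            m = re.search(r'file\("([^"]+)"(.*)\)', dests.get(d, ""), re.S)
            if m:
                report["auth_files"].append(m.group(1))
                perm = re.search(r"perm\((0[0-7]+)\)", m.group(2))
                # No perm() means the 0600 default the post mentions.
                if perm and int(perm.group(1), 8) & 0o007:
                    report["world_accessible"].append(m.group(1))
    # Are authpriv messages still duplicated into /var/log/messages?
    report["still_in_messages"] = not any(
        re.search(r"not\s+filter\(%s\)" % re.escape(a), filters.get("f_messages", ""))
        for a in auth)
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

To check a real host, pass the text of the generated syslog-ng .conf file to audit() instead of SAMPLE_CONF.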