[opensuse-security] Need help with SuSE 9.3 and /var/log/auth.log

Hi, sorry for not using English in the other post. I've got an old SuSE 9.3 system that serves as a firewall/router/samba for a small office. I use ssh for maintenance. Recently I learned that on other systems there is a /var/log/auth.log that logs who is coming in. This file doesn't exist on my system and I couldn't find an entry in the 2 files in /etc/syslog-ng. Could someone give me a hint how to set this auth.log up? I have to admit that I'm not really hot with this setup stuff that goes beyond yast.

---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security+help@opensuse.org

On Tuesday 29 May 2007 22:33, Andreas wrote:
Could someone give me a hint how to set this auth.log up?
All I have is this line in /etc/syslog.conf:

auth,authpriv.* -/var/log/auth.log

Paul
--
Paul Reeves
http://www.fleetriver.com

I've got an old SuSE 9.3 system that serves as a firewall/router/samba for a small office. I use ssh for maintenance. Recently I learned that on other systems there is a /var/log/auth.log that logs who is coming in.
On SuSE, all messages go to /var/log/messages (except for mail, which goes to /var/log/mail). Of course you can also log auth messages to a separate auth.log: just copy the lines from syslog-ng.conf from another system to your box and restart the syslog daemon (rcsyslog restart). But then they would be duplicated, and I find it more convenient to have everything in one file than to look for messages in the wrong file.

Markus
--
Markus Gaugusch
markus(at)gaugusch.at

Hi, the next lines in syslog-ng.conf will copy all messages into _one_ file. This may help to find out if there is any message. (And like Markus, I love to find everything in one place.) Do not forget to chmod 600 and chown root:root /var/log/allmessages!

#
# enable this, if you want to keep all messages in one file
destination allmessages { file("/var/log/allmessages"); };
log { source(src); destination(allmessages); };

Dirk

Markus Gaugusch wrote:
I've got an old SuSE 9.3 system that serves as a firewall/router/samba for a small office. I use ssh for maintenance. Recently I learned that on other systems there is a /var/log/auth.log that logs who is coming in.
On SuSE, all messages go to /var/log/messages (except for mail, which goes to /var/log/mail). Of course you can also log auth messages to a separate auth.log: just copy the lines from syslog-ng.conf from another system to your box and restart the syslog daemon (rcsyslog restart). But then they would be duplicated, and I find it more convenient to have everything in one file than to look for messages in the wrong file.
Markus
--
TRIA IT-consulting GmbH, Joseph-Wild-Straße 20, 81829 München, Germany
http://www.tria.de

The Wednesday 2007-05-30 at 09:08 +0200, Dirk Schreiner wrote:
Hi, the next lines in syslog-ng.conf will copy all messages into _one_ file. This may help to find out if there is any message. (And like Markus, I love to find everything in one place.) Do not forget to chmod 600 and chown root:root /var/log/allmessages!
Depends... If you have a mail server, the mail messages in the messages file are so many that you can miss important things there. One reason to send auth messages to their own file (and not to the main one) is because they may contain sensitive data (passwords, depending on config). There are cases when it is important to separate some messages into different files for easier inspection. Sometimes it is better to have everything in the same place to find relations between different events.

--
Cheers,
Carlos E. R.

On 2007-05-29 14:33, Andreas wrote:
Hi, sorry for not using English in the other post.
I've got an old SuSE 9.3 system that serves as a firewall/router/samba for a small office. I use ssh for maintenance. Recently I learned that on other systems there is a /var/log/auth.log that logs who is coming in. This file doesn't exist on my system and I couldn't find an entry in the 2 files in /etc/syslog-ng. Could someone give me a hint how to set this auth.log up? I have to admit that I'm not really hot with this setup stuff that goes beyond yast.
Those other systems are probably using the syslogd daemon, which is the default. Syslog-ng is significantly better, so I don't know why it isn't the default.

By default, all these log messages are going to /var/log/messages. You need to create a new filter and destination in /etc/syslog-ng.conf.in for messages from facility "authpriv", run (as root) "/sbin/SuSEconfig --module syslog-ng" (this will create the .conf file from your changed .conf.in file -- note that 10.0 and later no longer use the .conf.in file), then "rcsyslog reload" (force syslog-ng to re-read its configuration file).

The following will log everything on facility authpriv to /var/log/auth.log:

filter f_authpriv { facility(authpriv); };
destination authpriv { file("/var/log/auth.log"); };
log { source(src); filter(f_authpriv); destination(authpriv); };

By default, /var/log/auth.log will be created with owner:group as root:root and permissions 0600, so security should not be an issue. If you wish group root to be able to read the file also, then change the "destination" line above to read:

destination authpriv { file("/var/log/auth.log" perm(0660)); };

The messages will still be logged to /var/log/messages. If you don't want them in there, you also need to change this line:

filter f_messages { not facility(news, mail) and not filter(f_iptables); };

to read

filter f_messages { not facility(news, mail) and not filter(f_iptables) and not filter(f_authpriv); };

--
Hypocrisy is the homage vice pays to virtue. -- François de La Rochefoucauld
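Once authpriv messages land in their own file, the next question is reading them. The following Python script is an added example, not code from this thread or from SuSE; it parses the sshd lines such a /var/log/auth.log carries and answers the original question of who is coming in: accepted logins per user, source and method, failures per source, and sources that cross a failure threshold. The sample log lines, the hostname "gw", the documentation-range addresses and the fail_threshold parameter are constructed for this example.

```python
import re
import sys
from collections import Counter

# Constructed sample in the format sshd logs through syslog; hostname "gw" and the
# documentation-range addresses are made up for this example, not real log data.
SAMPLE_AUTH_LOG = """\
May 30 09:08:12 gw sshd[4321]: Accepted publickey for andreas from 192.0.2.10 port 51234 ssh2
May 30 09:09:01 gw sshd[4330]: Failed password for root from 198.51.100.7 port 40022 ssh2
May 30 09:09:03 gw sshd[4331]: Failed password for invalid user admin from 198.51.100.7 port 40023 ssh2
May 30 09:09:05 gw sshd[4332]: Failed password for invalid user oracle from 198.51.100.7 port 40024 ssh2
May 30 09:10:44 gw sshd[4340]: Accepted password for andreas from 192.0.2.10 port 51240 ssh2
May 30 09:11:00 gw cron[4350]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# One sshd login attempt: timestamp, host, pid, outcome, auth method, user, source.
SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_sshd_events(text):
    """Return one dict per sshd login attempt; lines from other programs are skipped."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": m.group("ts"),
            "host": m.group("host"),
            "accepted": m.group("result") == "Accepted",
            "method": m.group("method"),
            "user": m.group("user"),
            # "invalid user" means the account never existed: whatever the client
            # sent as a name lands in the log verbatim, which is why such files
            # deserve the restrictive permissions discussed in this thread.
            "invalid_user": m.group("invalid") is not None,
            "ip": m.group("ip"),
        })
    return events


def summarize(events, fail_threshold=3):
    """Who got in (user, source, method), failures per source, and noisy sources.

    fail_threshold is an assumed tuning knob for this example, not a setting from the thread.
    """
    accepted = Counter()
    failed_by_ip = Counter()
    for ev in events:
        if ev["accepted"]:
            accepted[(ev["user"], ev["ip"], ev["method"])] += 1
        else:
            failed_by_ip[ev["ip"]] += 1
    noisy = sorted(ip for ip, n in failed_by_ip.items() if n >= fail_threshold)
    return {
        "accepted": dict(accepted),
        "failed_by_ip": dict(failed_by_ip),
        "noisy_sources": noisy,
    }


if __name__ == "__main__":
    # Usage: python3 auth_summary.py [/var/log/auth.log]; without a path the
    # constructed sample is used so the script runs offline.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_AUTH_LOG
    report = summarize(parse_sshd_events(text))
    for (user, ip, method), n in sorted(report["accepted"].items()):
        print(f"accepted  {user:<12} from {ip:<16} via {method} x{n}")
    for ip, n in sorted(report["failed_by_ip"].items()):
        print(f"failed    {n:>4} attempts from {ip}")
    if report["noisy_sources"]:
        print("sources at/above failure threshold:", ", ".join(report["noisy_sources"]))
```

The regex deliberately matches only sshd "Accepted"/"Failed" lines, so cron, su and other PAM chatter that also goes to authpriv is ignored rather than miscounted; extend the pattern if those are of interest.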

Darryl Gregorash wrote:
On 2007-05-29 14:33, Andreas wrote:
Hi, sorry for not using English in the other post.
I've got an old SuSE 9.3 system that serves as a firewall/router/samba for a small office. I use ssh for maintenance. Recently I learned that on other systems there is a /var/log/auth.log that logs who is coming in. This file doesn't exist on my system and I couldn't find an entry in the 2 files in /etc/syslog-ng. Could someone give me a hint how to set this auth.log up? I have to admit that I'm not really hot with this setup stuff that goes beyond yast.
Those other systems are probably using the syslogd daemon, which is the default. Syslog-ng is significantly better, so I don't know why it isn't the default.
By default, all these log messages are going to /var/log/messages. You need to create a new filter and destination in /etc/syslog-ng.conf.in for messages from facility "authpriv", run (as root) "/sbin/SuSEconfig --module syslog-ng" (this will create the .conf file from your changed .conf.in file -- note that 10.0 and later no longer use the .conf.in file), then "rcsyslog reload" (force syslog-ng to re-read its configuration file).
The following will log everything on facility authpriv to /var/log/auth.log:
filter f_authpriv { facility(authpriv); };
destination authpriv { file("/var/log/auth.log"); };
log { source(src); filter(f_authpriv); destination(authpriv); };
By default, /var/log/auth.log will be created with owner:group as root:root and permissions 0600, so security should not be an issue. If you wish group root to be able to read the file also, then change the "destination" line above to read:
destination authpriv { file("/var/log/auth.log" perm(0660)); };
The messages will still be logged to /var/log/messages. If you don't want them in there, you also need to change this line:
filter f_messages { not facility(news, mail) and not filter(f_iptables); };
to read
filter f_messages { not facility(news, mail) and not filter(f_iptables) and not filter(f_authpriv); };
Hello! Nice tip! To avoid unreadably long logfiles, edit the logrotate service to rotate your logs at fixed periods, like monthly. To proceed, add these extra lines to /etc/logrotate.conf:

/var/log/auth.log {
    monthly
    create 0660 root root
    rotate 1
}

It will create an auth.log.<date> after each logrotate call with the same permissions as above. Logrotate should be done via a crond job, so AFAIK you need not restart the service, as crond calls the script itself.

With best regards
Philippe

On 2007-05-31 14:05, Philippe Vogel wrote:
<snip>
Nice tip! To avoid unreadably long logfiles, edit the logrotate service to rotate your logs at fixed periods, like monthly.

Thanks. I hope I got every bracket and brace correct, and everything else as well :-)
You are quite correct about rotating the file so it doesn't become too large, particularly on a very busy system.
To proceed, add these extra lines to /etc/logrotate.conf:

/var/log/auth.log {
    monthly
    create 0660 root root
    rotate 1
}
Two observations: on a busy system it might be necessary to rotate more frequently, e.g. "weekly" instead of "monthly", or even with "size <n>" (see man logrotate for all the syntax). Also, the "rotate 1" command will keep only 1 previous file. Some admins, e.g. at a corporation, might want to keep the files around longer than just 2 months, so they could increase the number, i.e. "rotate 12" would keep the information for the previous year (assuming a monthly rotation). It is also possible to use "maxage <days>" instead. All of that is of course probably OT for this list :-)
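Both the syslog-ng perm() option and logrotate's "create 0660 root root" line decide the mode of each new auth.log, and a rotated copy is only as private as the create line makes it, so the result is worth checking after the first rotation. The script below is an added example, not code from this thread or from SuSE: it audits the log files named in the thread, including any rotated siblings (auth.log.1 and so on), against an expected mode and owner. The EXPECTED table is an assumption for the example (0660 root:root for auth.log as discussed above, 0600 root:root for Dirk's allmessages); adjust it to whatever you configured.

```python
import os
import stat

# Expected ownership and mode per log file. These values are an assumption for this
# example, chosen to match the settings discussed in the thread: perm(0660) /
# "create 0660 root root" for auth.log, chmod 600 + chown root:root for allmessages.
EXPECTED = {
    "/var/log/auth.log": {"mode": 0o660, "uid": 0, "gid": 0},
    "/var/log/allmessages": {"mode": 0o600, "uid": 0, "gid": 0},
}

WORLD_BITS = stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH


def audit_log_file(path, mode, uid=0, gid=0):
    """Return a list of findings for one log file; an empty list means it matches."""
    findings = []
    try:
        st = os.lstat(path)  # lstat: a symlink where a log file should be is itself a finding
    except FileNotFoundError:
        return [f"{path}: missing"]
    if stat.S_ISLNK(st.st_mode):
        findings.append(f"{path}: is a symlink, expected a regular file")
        return findings
    actual = stat.S_IMODE(st.st_mode)
    if actual & WORLD_BITS:
        findings.append(f"{path}: world-accessible mode {actual:04o}")
    if actual != mode:
        findings.append(f"{path}: mode {actual:04o}, expected {mode:04o}")
    if st.st_uid != uid or st.st_gid != gid:
        findings.append(f"{path}: owner {st.st_uid}:{st.st_gid}, expected {uid}:{gid}")
    return findings


def audit_all(expected=EXPECTED):
    """Audit every configured file plus rotated copies beside it (auth.log.1, auth.log.1.gz, ...)."""
    results = {}
    for path, spec in expected.items():
        results[path] = audit_log_file(path, **spec)
        directory, base = os.path.split(path)
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            # logrotate names rotated files base.N or, with dateext, base-YYYYMMDD
            if name != base and (name.startswith(base + ".") or name.startswith(base + "-")):
                rotated = os.path.join(directory, name)
                results[rotated] = audit_log_file(rotated, **spec)
    return results


if __name__ == "__main__":
    # Run as root so every file in /var/log is readable; prints one line per file.
    for path, findings in audit_all().items():
        print(path, "OK" if not findings else "; ".join(findings))
```

Run it from the same cron that calls logrotate, or by hand after the first rotation; any "world-accessible" or "owner" finding means the create line or the syslog-ng perm() option is not doing what was intended.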
participants (7)
-
Andreas
-
Carlos E. R.
-
Darryl Gregorash
-
Dirk Schreiner
-
Markus Gaugusch
-
Paul Reeves
-
Philippe Vogel