On 2007-05-29 19:29, John Andersen wrote:
> I don't think 9.3 uses syslog-ng, just the old syslog.
I am pretty sure the default syslogd configuration logs authpriv to a separate file, therefore the OP is very probably running syslog-ng on that system. For completeness on this list, here is my reply on opensuse-security:
Those other systems are probably using the syslogd daemon, which is the default. Syslog-ng is significantly better, so I don't know why it isn't the default.
By default, all these log messages are going to /var/log/messages. You need to create a new filter and destination in /etc/syslog-ng.conf.in for messages from facility "authpriv", run (as root) "/sbin/SuSEconfig --module syslog-ng" (this will create the .conf file from your changed .conf.in file -- note that 10.0 and later no longer use the .conf.in file), then "rcsyslog reload" (force syslog-ng to re-read its configuration file).
The following will log everything on facility authpriv to /var/log/auth.log:
filter f_authpriv { facility(authpriv); };
destination authpriv { file("/var/log/auth.log"); };
log { source(src); filter(f_authpriv); destination(authpriv); };
By default, /var/log/auth.log will be created with owner:group as root:root and permissions 0600, so security should not be an issue. If you wish group root to be able to read the file also, then change the "destination" line above to read:
destination authpriv { file("/var/log/auth.log" perm(0660)); };
The messages will still be logged to /var/log/messages. If you don't want them in there, you also need to change this line:
filter f_messages { not facility(news, mail) and not filter(f_iptables); };
to read
filter f_messages { not facility(news, mail) and not filter(f_iptables) and not filter(f_authpriv); };
Phillipe Vogel replied to this with a suggestion to use logrotate, so the file doesn't become too large:
To avoid unreadably long logfiles, edit the logrotate configuration to rotate your logs at fixed periods, like monthly.
To proceed, add these extra lines to /etc/logrotate.conf:
/var/log/auth.log {
    monthly
    create 0660 root root
    rotate 1
}
It will create an auth.log.<date> after each logrotate call, with the same permissions as above.
Logrotate is run via a cron job, so AFAIK you need not restart the service, as crond calls the script itself.
I replied with some comments that on a very busy system, a more frequent rotation might be in order, e.g. with "weekly" or "size <bytes>" instead of "monthly". Also, where it is important (e.g. for a corporation), an admin might want more than two months' worth of login data, e.g. "rotate 12" for a whole year, or even "maxage <days>" (the latter being how syslog-ng is configured in SuSE).
--
Hypocrisy is the homage vice pays to virtue. -- François de La Rochefoucauld
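As an added example (not part of the thread above, and not SuSE's own scripts), the following POSIX shell functions put the whole procedure discussed in the thread into a reusable form: one emits the syslog-ng filter/destination/log fragment for a given facility and permission, one appends the matching "and not filter(...)" clause to the f_messages filter so the messages stop being duplicated in /var/log/messages, one emits the logrotate stanza with a configurable period and retention, and one checks that the resulting log file actually has the intended mode. The function and variable names are my own; nothing here runs SuSEconfig or reloads syslog-ng, it only produces the text you would paste into the configuration files named in the thread.

```shell
#!/bin/sh
# Added example: generate the syslog-ng and logrotate fragments from the
# thread for an arbitrary facility, and verify the log file's mode.
# All names (emit_syslogng_fragment, exclude_from_messages, ...) are
# hypothetical helpers written for this example.

# emit_syslogng_fragment FACILITY LOGFILE PERM
# Prints the filter/destination/log block to append to syslog-ng.conf(.in).
emit_syslogng_fragment() {
    facility=$1 logfile=$2 perm=$3
    cat <<EOF
filter f_${facility} { facility(${facility}); };
destination d_${facility} { file("${logfile}" perm(${perm})); };
log { source(src); filter(f_${facility}); destination(d_${facility}); };
EOF
}

# exclude_from_messages CONFIG FILTERNAME
# Appends "and not filter(FILTERNAME)" to the f_messages filter in CONFIG
# so the facility is no longer duplicated in /var/log/messages.
# Idempotent: does nothing if the clause is already present.
exclude_from_messages() {
    conf=$1 flt=$2
    if grep -q "^filter f_messages {.*filter(${flt})" "$conf"; then
        return 0
    fi
    # Rewrite via a temp file rather than "sed -i", which is not POSIX.
    sed "s/^\(filter f_messages {.*\); };\$/\1 and not filter(${flt}); };/" \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# emit_logrotate_stanza LOGFILE PERIOD KEEP PERM
# Prints a logrotate stanza; PERIOD is e.g. monthly, weekly or "size 50M",
# KEEP is the "rotate N" count, PERM the mode for the recreated file.
emit_logrotate_stanza() {
    logfile=$1 period=$2 keep=$3 perm=$4
    cat <<EOF
${logfile} {
    ${period}
    create ${perm} root root
    rotate ${keep}
    missingok
    notifempty
}
EOF
}

# check_perm FILE OCTAL_MODE
# Returns 0 if FILE has exactly the given mode (e.g. 600), 1 otherwise.
# Uses find -perm, which is POSIX, instead of the GNU-only "stat -c %a".
check_perm() {
    [ -n "$(find "$1" -prune -perm "$2" 2>/dev/null)" ]
}

# Typical use (as root, on the system from the thread):
#   emit_syslogng_fragment authpriv /var/log/auth.log 0600 >> /etc/syslog-ng/syslog-ng.conf.in
#   exclude_from_messages /etc/syslog-ng/syslog-ng.conf.in f_authpriv
#   /sbin/SuSEconfig --module syslog-ng && rcsyslog reload
#   emit_logrotate_stanza /var/log/auth.log weekly 12 0600 >> /etc/logrotate.conf
#   check_perm /var/log/auth.log 600 || echo "auth.log is not 0600" >&2
```

The permission check is worth running after the first reload and again after the first rotation: the thread's point is that a log of login attempts should not be world-readable, and a "create" line in logrotate.conf that disagrees with the syslog-ng perm() setting is an easy way to lose that property silently.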