List: toasters
Subject: RE: Toasters - How can one forward auditlog events to syslog
From: "Perry, Jay" <Jay.Perry () netapp ! com>
Date: 2002-03-26 19:29:12
A while back, Alek asked if there was a way to forward
auditlog events to a syslog. Since that time, we
(Alek and I) have come up with a solution that is
available on the NOW website as a Knowledgebase
solution titled "How do I forward audit log messages
to a syslog log host?" (solution ID ntapcs5526).
For those that don't have NOW access, I am posting it
here as well. Alek has had this in production for
a while now (about a month), and as far as I know
it is working out OK (although it required some
new filtering, as the auditlog messages are much
more verbose than the syslog messages - multiple
lines and so forth).
To set this up, you must modify the syslog.conf
file on the loghost and the /etc/syslog.conf file on
the filer or NetCache appliance that is the source
of the messages. (For more information about the
filer's syslog.conf file, see the respective
Data ONTAP man page).
Here are detailed steps:
1) On the log host, modify syslog.conf as follows:
Add a line:
local7.*[one_or_more_tabs][path_to_log_file]
Basically, the auditlog messages will arrive as
facility local7.
2) Make sure that any selectors of the form *.<level>
get changed to *.<level>;local7.none. Otherwise
those selectors will receive all of the audit log
messages as well.
3) After completing your changes to syslog.conf on
the log host, force the syslog daemon to reload
its configuration file (on many systems this will
involve sending a HUP signal to a process called
syslogd). Refer to your log host's OS manuals for
details on how this is done for your particular OS.
4) Modify the filer's /etc/syslog.conf file as follows:
Add a line:
cmdsaudit.auditlog[one_or_more_tabs]@[loghost_ip_or_name]
The filer will automatically detect the change
to syslog.conf and load it. This may take a couple
of minutes though. You will know the change took
place because a syslog message will appear that
looks like:
Wed Feb 20 21:58:52 GMT [syslogd:info]: syslogd: restarted
It is worth noting that audit log messages are much
more verbose than syslog messages. A typical syslog
entry is a single line. A typical audit log entry
looks like:
date [method of access] :START:command incoming hostname
date [method of access] :IN:command "input" command being sent to filer
date [method of access] :OUT: output from command (may be multiple lines)
date [method of access] :END:command
Hope you find this useful, and thanks to Alek for
helping out with this!
Jay Perry
jay.perry@netapp.com
> -----Original Message-----
> From: Alek O. Komarnitsky (N-CSC) [mailto:alek@ast.lmco.com]
> Sent: Wednesday, February 20, 2002 8:08 AM
> To: toasters@mathworks.com
> Subject: Toasters - How can one forward auditlog events to syslog
>
>
> I've searched the archives for the answer to this question
> and searched
> with Google, but have not found it ... yet! ;-)
>
> We use syslog quite a bit to log stuff remotely, but there are
> certain events (such as root rsh activity) that are logged into
> auditlog that do NOT show up in syslog - we are logging *.info.
>
> Is there a way to get those events also sent to syslog
> so that we can use what is defined in /etc/syslog.conf to
> forward those events to our loghosts?
>
> Thanx,
> alek
>
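An added example for the procedure above (steps 1, 2 and 4) and for the multi-line START/IN/OUT/END audit format Jay describes. It is not part of the post or of any NetApp tool; the sample syslog.conf, the audit log lines, the log file path and the loghost name are constructed for illustration, and the handling of untagged output lines as continuations of the current command is an assumption about how multi-line output arrives, not something the post states.

```python
import re

AUDIT_FACILITY = "local7"   # the post says audit messages arrive as facility local7

# Constructed sample: a log host's syslog.conf before the change.
LOGHOST_CONF_BEFORE = (
    "# constructed sample syslog.conf\n"
    "*.info;mail.none\t\t/var/log/messages\n"
    "auth,authpriv.*\t\t\t/var/log/auth.log\n"
    "*.emerg\t\t\t\t*\n"
)


def add_audit_forwarding(conf_text, audit_log_path="/var/log/filer-audit.log"):
    """Apply the post's two log-host edits to syslog.conf text and return it.
    Step 2: every '*.<level>' selector gets ';local7.none' so audit traffic stays
            out of the general logs (skipped when the rule already names local7).
    Step 1: a 'local7.*  <audit_log_path>' rule is appended unless already present.
    Running the function twice yields the same text, so it is safe to re-apply."""
    rule = re.compile(r"^(\S+)(\s+)(\S.*)$")
    out, have_audit_rule = [], False
    for line in conf_text.splitlines():
        m = rule.match(line)
        if line.lstrip().startswith("#") or not m:
            out.append(line)            # comments and blank lines pass through
            continue
        selector, gap, action = m.groups()
        parts = selector.split(";")
        names_local7 = any(p.startswith(AUDIT_FACILITY + ".") for p in parts)
        if parts == [AUDIT_FACILITY + ".*"] and action == audit_log_path:
            have_audit_rule = True
        if any(p.startswith("*.") for p in parts) and not names_local7:
            selector += ";" + AUDIT_FACILITY + ".none"   # step 2 of the post
        out.append(selector + gap + action)
    if not have_audit_rule:
        out.append(AUDIT_FACILITY + ".*\t" + audit_log_path)   # step 1 of the post
    return "\n".join(out) + "\n"


def filer_syslog_line(loghost):
    """Step 4 of the post: the line to add to the filer's /etc/syslog.conf."""
    return "cmdsaudit.auditlog\t@" + loghost


# Constructed sample of audit entries in the START/IN/OUT/END shape the post
# describes (timestamps, bracket contents and commands are made up here).
AUDIT_SAMPLE = """\
Tue Mar 26 10:01:02 GMT [rsh] :START:command incoming adminhost
Tue Mar 26 10:01:02 GMT [rsh] :IN:command "options rsh.enable"
Tue Mar 26 10:01:02 GMT [rsh] :OUT: rsh.enable on
Tue Mar 26 10:01:02 GMT [rsh] :END:command
Tue Mar 26 10:02:40 GMT [console] :START:command incoming
Tue Mar 26 10:02:40 GMT [console] :IN:command "useradmin user list"
Tue Mar 26 10:02:40 GMT [console] :OUT: Name: root
Info: Default system administrator
Name: audit
Tue Mar 26 10:02:40 GMT [console] :END:command
"""

# Searched, not anchored, so a syslog prefix added by the log host does not matter.
ENTRY_TAG = re.compile(r"\[(?P<method>[^\]]+)\] :(?P<tag>START|IN|OUT|END):\s?(?P<rest>.*)$")


def group_audit_entries(text):
    """Fold the multi-line audit log into one dict per command.
    Assumption: a line without a START/IN/OUT/END tag is a continuation of the
    current command's output. Tagged lines with no open entry are dropped."""
    entries, current = [], None
    for line in text.splitlines():
        m = ENTRY_TAG.search(line)
        if not m:
            if current is not None:
                current["output"].append(line)
            continue
        tag, rest = m.group("tag"), m.group("rest")
        if tag == "START":
            current = {"method": m.group("method"), "source": rest,
                       "input": None, "output": []}
        elif current is None:
            continue                    # IN/OUT/END with nothing to attach to
        elif tag == "IN":
            quoted = re.search(r'"(.*)"', rest)
            current["input"] = quoted.group(1) if quoted else rest
        elif tag == "OUT":
            current["output"].append(rest)
        else:                           # END closes the entry
            entries.append(current)
            current = None
    return entries


if __name__ == "__main__":
    print(add_audit_forwarding(LOGHOST_CONF_BEFORE))
    print(filer_syslog_line("loghost.example"))
    for entry in group_audit_entries(AUDIT_SAMPLE):
        print(entry["method"], repr(entry["input"]), entry["output"])
```

One check worth making before reloading syslogd: if the log host already routes local7 somewhere (several Linux distributions send boot messages there), that existing rule will collect the filer's audit messages too, because the post's scheme relies on the local7 facility alone to distinguish them. The grouping function is the kind of filtering Jay mentions Alek needed, since each command produces four or more lines rather than one.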