Isolating sudo messages from syslog

Posted by Steve on Mon 12 Mar 2012 at 09:58

sudo is an essential tool in an environment where there are multiple server and system administrators. By default sudo logs via syslog, and it is very straightforward to isolate that logging into a dedicated local file, which can be useful.

Assuming you're running syslog-ng you can isolate the logging using a filter. There are several filter types supported by syslog-ng, but the simplest is filtering on the program name.

Predictably, sudo sets its program name to "sudo", which means you can append the following to /etc/syslog-ng/syslog-ng.conf to isolate its logging:

# setup destination
destination d_sudo { file("/var/log/sudo.log" ); };

# filter all messages, on the "program" field.
filter f_sudo { program("^sudo$"); };

# if the filter matches write to our new destination.
log { source(s_src); filter(f_sudo); destination(d_sudo); };

Once you've appended this you can both apply and test it by running:

skx@precious:~$ sudo /etc/init.d/syslog-ng restart

The most recent releases of Debian GNU/Linux default to using rsyslog instead of syslog-ng, and this too supports filtering on all fields of incoming messages.

The Debian rsyslog package allows you to drop configuration files into /etc/rsyslog.d/; provided those files end with a .conf suffix they will be read and processed.

sudo filtering may be applied by creating the file /etc/rsyslog.d/sudo.conf with the following contents:

# match if "program name" is equal to "sudo"
:programname, isequal, "sudo" -/var/log/sudo.log

# "&" applies to the message the previous rule just matched, and "~" discards it,
# so a sudo message is not written a second time by the later catch-all rules.
& ~

Again, to make this take effect you must restart the syslog daemon, which you do by running:

root@precious:~# /etc/init.d/rsyslog restart
Stopping enhanced syslogd: rsyslogd.
Starting enhanced syslogd: rsyslogd.
root@precious:~#
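Both snippets above route on the program name of each message, so it is worth seeing exactly what that field is and what the match does. The following Python model is an added illustration and is not code from the article or from rsyslog/syslog-ng: it parses constructed BSD-syslog lines (the same layout a local daemon receives), extracts the program name the way `:programname` / `$PROGRAM` is derived (tag with any `[pid]` and the trailing colon removed), routes lines between /var/log/sudo.log and the catch-all file, and then parses the sudo command records themselves. The sample lines, the host name reuse from the article, and the program name `sudonotify` (made up purely to show why the filter must match the whole name) are all constructed.

```python
"""Added illustration (not from the article): a model of the program-name
routing that the syslog-ng and rsyslog snippets set up, run over constructed
syslog lines so the behaviour can be checked offline."""
import re

# Constructed sample input in the BSD syslog layout a local daemon receives:
# "<timestamp> <host> <tag>[pid]: <message>".  "sudonotify" is a made-up
# program name used only to show why the match must cover the whole name.
SAMPLE_LINES = """\
Mar 12 09:58:01 precious sudo:      skx : TTY=pts/0 ; PWD=/home/skx ; USER=root ; COMMAND=/etc/init.d/syslog-ng restart
Mar 12 09:58:02 precious syslog-ng[1234]: syslog-ng starting up; version='3.1.3'
Mar 12 09:58:05 precious sudonotify[777]: would be caught by an unanchored "sudo" pattern
Mar 12 09:58:07 precious sshd[2345]: Accepted publickey for skx from 10.0.0.5 port 50022 ssh2
Mar 12 09:58:09 precious sudo: pam_unix(sudo:auth): authentication failure; logname=skx uid=1000 euid=0 tty=/dev/pts/0 ruser=skx rhost=  user=skx
Mar 12 09:58:12 precious sudo:      skx : TTY=pts/0 ; PWD=/home/skx ; USER=root ; COMMAND=/usr/bin/tail -1 /etc/sudoers
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "   # "Mar 12 09:58:01"
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:"               # "sudo:" or "sshd[2345]:"
    r"(?P<msg>.*)$"
)

# One sudo command record: "<invoking user> : TTY=... ; PWD=... ; USER=... ; COMMAND=..."
SUDO_MSG_RE = re.compile(r"^(?P<user>\S+) : (?P<fields>.+)$")


def programname(line):
    """The value rsyslog calls :programname and syslog-ng calls $PROGRAM:
    the TAG with any "[pid]" and the trailing colon stripped.
    Returns None for lines that do not parse."""
    m = LINE_RE.match(line)
    return m.group("tag") if m else None


def route(text, program="sudo", discard_matched=True):
    """Split lines between /var/log/sudo.log and the catch-all /var/log/syslog.
    discard_matched=True models rsyslog's '& ~' (or syslog-ng's flags(final)):
    a matched line goes to sudo.log only.  False models a log statement without
    it, where the matched line also reaches every other destination."""
    dests = {"/var/log/sudo.log": [], "/var/log/syslog": []}
    for line in text.splitlines():
        matched = programname(line) == program   # exact match, like isequal / ^sudo$
        if matched:
            dests["/var/log/sudo.log"].append(line)
        if not matched or not discard_matched:
            dests["/var/log/syslog"].append(line)
    return dests


def route_unanchored(text, pattern="sudo"):
    """What a regex filter without ^ and $ anchors would select: a substring
    match on the program name, which also picks up unrelated programs."""
    return [line for line in text.splitlines()
            if re.search(pattern, programname(line) or "")]


def sudo_record(line):
    """Parse one sudo command record into a dict.  Lines that carry the "sudo"
    tag but have another shape (PAM messages emitted during sudo's
    authentication, for instance) return None."""
    m = LINE_RE.match(line)
    if not m or m.group("tag") != "sudo":
        return None
    r = SUDO_MSG_RE.match(m.group("msg").strip())
    if not r:
        return None
    rec = {"user": r.group("user")}
    for field in r.group("fields").split(" ; "):
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def commands_by_user(text):
    """Per invoking user, the commands run through sudo, taken from the
    lines that the filter would have written to sudo.log."""
    summary = {}
    for line in route(text)["/var/log/sudo.log"]:
        rec = sudo_record(line)
        if rec:
            summary.setdefault(rec["user"], []).append(rec["COMMAND"])
    return summary


if __name__ == "__main__":
    for dest, lines in route(SAMPLE_LINES).items():
        print(f"{dest}: {len(lines)} line(s)")
    print("substring match would also take:",
          [programname(l) for l in route_unanchored(SAMPLE_LINES)])
    print(commands_by_user(SAMPLE_LINES))
```

Two points the model makes visible. First, the rsyslog snippet's `& ~` stops a matched message from reaching the later catch-all rules, whereas the syslog-ng snippet as written has no `flags(final)` on its log statement, so sudo messages will additionally land in whichever other destinations are fed from `s_src`; add `flags(final)` to that log statement if you want the two to behave the same way. Second, filtering on the program name alone means anything sudo emits under that tag ends up in sudo.log, including the PAM authentication-failure messages, which are useful to keep beside the command records but are not themselves in the `user : TTY=... ; COMMAND=...` shape, so any parser over the file has to tolerate them.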

Both loggers, rsyslog and syslog-ng, allow other filtering to be applied based on program name, text strings in the message body, and similar. There is a lot of flexibility to be gained if you're willing to take the time to configure them appropriately.

Given the modular configuration layout supplied by default, I slightly prefer rsyslog, but the features are roughly the same in both.

Posted by Anonymous (212.90.xx.xx) on Mon 12 Mar 2012 at 14:16
$ sudo tail -1 /etc/sudoers
Defaults env_reset,logfile=/var/log/sudo.log,!syslog,authenticate,loglinelen=160


Posted by Steve (90.196.xx.xx) on Mon 12 Mar 2012 at 14:20

Upon my hosts I see no such line - but you're correct to point out that syslog logging may be disabled.

"man sudoers" has the details.

Steve


Posted by mcortese (85.158.xx.xx) on Tue 13 Mar 2012 at 10:33
I think the point of the anonymous commenter was to teach another way to achieve the same goal (all messages from sudo in a file, separated from other syslog messages).


Posted by Steve (90.220.xx.xx) on Tue 13 Mar 2012 at 10:35

Took me several attempts to spot that - I focussed on "!syslog".

Does help when people are explicit though, so thanks!

Either way, I hope this post is useful for isolating output from other programs.

Steve


Posted by Anonymous (80.69.xx.xx) on Wed 21 Mar 2012 at 07:13
For me your post is really helpful!

Perhaps you could mention that logrotate should deal with this new logfile.
e.g.:
sed -i "/messages/a\/var\/log\/sudo.log" /etc/logrotate.d/rsyslog


Posted by Anonymous (65.51.xx.xx) on Wed 2 May 2012 at 16:59
I'm using the following directive (in /etc/sudoers) to prevent logging of sudo commands for a specific user:

Defaults:myusername !logfile,!syslog

This will prevent both logfile and syslog logging.


Posted by Anonymous (118.209.xx.xx) on Thu 22 Mar 2012 at 13:13
Another thing to watch is that after sudoing into any shell, or an interpreter like python, syslog is not going to log much of what is going on.


Posted by Steve (90.220.xx.xx) on Tue 26 Jun 2012 at 10:32

For that purpose we use snoopy...

Steve


Posted by Anonymous (145.253.xx.xx) on Tue 26 Jun 2012 at 10:31
Well, I understand that isolating messages from su (or any other program logging to syslog) is possible. But why do you want to isolate it? Why don't you keep it in a single file, which then gives a single logfile for all activities on the system?


Posted by AJxn (2001:0xx:0xx:0xxx:0xxx:0xxx:xx) on Fri 27 Jul 2012 at 03:35

Because it's much easier to filter out all messages that have only to do with the sudo command.
It will also make it possible to stop all the others in the group adm from being able to see the sudo log.

