Use rsyslog to audit Linux Users

Use rsyslog to audit Linux Users

Rsyslog is part of the standard Linux system. It can write logs in real time and selectively Send Logs to remote log servers.

The dependency on. bash_history or script to audit the commands executed by the user is unreliable. Although both of them record user behavior, they may be tampered with by the user. Rsyslog can be used to write logs to remote log servers in real time to prevent user tampering and improve the authenticity of audit materials.

Taking Ubuntu as an example, the following method enables rsyslog to record the commands and timestamps executed by users for auditing.

1. Add logs to rsyslog

Echo "local6. */var/log/commands. log">/etc/rsyslog. d/bash. conf

2. Add in/etc/profile

Function bash2syslog

{

Declare command

Command = $ (fc-ln-0)

Logger-p local6.notice-t bash "$ (who am I)": "$ command"

}

Trap bash2syslog DEBUG

Write local logs here. The logger command can also directly write logs to the remote server. For details, see man logger.

We recommend that you set the umask value of the root user to 027 or 007 to prevent the/var/log/commands. log file from being viewed by common users.

3. Log Rotation

Edit/etc/logrotate. d/rsyslog to add a segment in the middle

/Var/log/commands. log

{

Rotate 30

Weekly

Missingok

Notifempty

Compress

Delaycompress

Sharedscripts

Postrotate

Reload rsyslog>/dev/null 2> & 1 | true

Endscript

}

4. Restart rsyslog and log out again.

Service rsyslog restart

5. rsyslog sends logs to a remote server (optional)

Echo "local6. * @ 192.168.0.2">/etc/rsyslog. conf

6. Use watchdog to monitor rsyslog. if the service is stopped, restart the machine (optional)

Apt-get install watchdog

Update-rc.d watchdog ults

 

Cat>/etc/watchdog. conf <EOF

Watchdog-device =/dev/watchdog

Admin = root

Interval = 1

Logtick = 1

Log-dir =/var/log/watchdog

Pidfile =/var/run/rsyslogd. pid

EOF

RHEL5.4 deployment of central Log server rsyslog + Log Analyzer

Deploy a log server using Rsyslog + LogAnalyzer + MySQL in CentOS 6.3

RHEL5.4 deployment of central log server rsyslog + loganalyzer

Log servers using rsyslog mysql and logAnalyzer

Deploy a log server using Rsyslog + LogAnalyzer + MySQL in CentOS 6.3

Rsyslog details: click here
Rsyslog: click here

This article permanently updates the link address: