Use rsyslog to audit Linux Users
Rsyslog ships with most standard Linux distributions. It writes logs in real time and can selectively forward them to remote log servers.
Relying on .bash_history or script to audit the commands a user executes is unreliable. Both record user behavior, but both can be tampered with by the user. Rsyslog can write logs to a remote log server in real time, which prevents tampering by the user and improves the trustworthiness of the audit material.
Taking Ubuntu as an example, the following method makes rsyslog record the commands executed by users, with timestamps, for auditing.
1. Add logs to rsyslog
echo "local6.* /var/log/commands.log" > /etc/rsyslog.d/bash.conf
2. Add the following to /etc/profile
function bash2syslog
{
    # Fetch the command bash is about to run (last history entry, without its number)
    declare command
    command=$(fc -ln -0)
    # Log it at local6.notice, tagged "bash", with the user, tty and origin from "who am i"
    logger -p local6.notice -t bash "$(who am i)":"$command"
}
# Run the function before every command executed in this shell
trap bash2syslog DEBUG
This writes the log locally. The logger command can also send log entries directly to a remote server; see man logger for details.
We recommend setting the root user's umask to 027 or 007 so that /var/log/commands.log cannot be read by ordinary users. Note that rsyslog creates its log files with its own $FileCreateMode (0644 by default), so set that directive, or $umask, in rsyslog.conf as well if the file must not be world-readable.
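Once the trap is in place, every line in /var/log/commands.log has the same shape: the syslog prefix, the "bash" tag, the "who am i" fields, a colon and the command. The script below is an added example (not part of the original article) that parses constructed sample lines in that shape and summarises them per user and per sudo use, which is the first thing an auditor reviewing the file usually wants. The host name, user names and addresses in the sample are made up.

```shell
#!/bin/sh
# Added example: parse the lines the bash2syslog trap produces and summarise them.
# SAMPLE_LOG is constructed: syslog prefix, "bash" tag, "who am i" fields
# (user, tty, login date/time, origin in parentheses), ":" and the command
# returned by "fc -ln -0". Host, users and addresses are invented.
SAMPLE_LOG='Mar  3 10:15:01 ubuntu bash: alice    pts/0        2014-03-03 10:14 (192.168.0.5):  ls -la /etc
Mar  3 10:15:09 ubuntu bash: alice    pts/0        2014-03-03 10:14 (192.168.0.5):  sudo vi /etc/sudoers
Mar  3 10:16:30 ubuntu bash: bob      pts/1        2014-03-03 10:16 (192.168.0.9):  cat /var/log/commands.log
Mar  3 10:17:02 ubuntu bash: alice    pts/0        2014-03-03 10:14 (192.168.0.5):  exit'

# parse_commands_log: read commands.log on stdin and emit one
# "user|tty|origin|command" record per line. Lines that do not match the
# trap's format (for example unrelated local6 messages) are skipped.
parse_commands_log() {
    sed -n 's/^.* bash: \([^ ][^ ]*\) *\([^ ][^ ]*\) *[0-9-]* [0-9:]* (\([^)]*\)): *\(.*\)$/\1|\2|\3|\4/p'
}

# commands_per_user: "user count" lines, sorted by user name.
commands_per_user() {
    parse_commands_log | awk -F'|' '{ n[$1]++ } END { for (u in n) print u, n[u] }' | sort
}

# privileged_commands: only the commands run through sudo, prefixed with
# "user@origin", since privilege escalation is what an audit reviews first.
privileged_commands() {
    parse_commands_log | awk -F'|' '$4 ~ /^sudo / { print $1 "@" $3 ": " $4 }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | commands_per_user
printf '%s\n' "$SAMPLE_LOG" | privileged_commands
```

Against a real file, pipe it in with `parse_commands_log < /var/log/commands.log`; the origin field is the address recorded at login, so a sudo entry from an unexpected network stands out immediately in the privileged_commands output.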
3. Log Rotation
Edit /etc/logrotate.d/rsyslog and add the following stanza:
/var/log/commands.log
{
    rotate 30
    weekly
    missingok
    notifempty
    compress
    delaycompress
    sharedscripts
    postrotate
        reload rsyslog >/dev/null 2>&1 || true
    endscript
}
4. Restart rsyslog, then log out and log in again so the new profile takes effect.
service rsyslog restart
5. rsyslog sends logs to a remote server (optional)
echo "local6.* @192.168.0.2" >> /etc/rsyslog.conf
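A single @ in that rule forwards over UDP, which is fire-and-forget: entries sent while the collector is down or the network is congested are lost, which is exactly what an audit trail cannot afford. The script below is an added example (not from the original article) that generates a drop-in with TCP forwarding (@@) and a disk-assisted queue instead, after validating the host and port so that a typo cannot silently leave commands unforwarded. It assumes $WorkDirectory is set in the main rsyslog.conf (Ubuntu's default configuration sets it), which the disk queue needs; 192.168.0.2 is the address from the text.

```shell
#!/bin/sh
# Added example: build a forwarding rule for the audited commands (facility
# local6) that survives collector outages. Assumes $WorkDirectory is set in
# the main rsyslog.conf; the target 192.168.0.2 is the example from the text.

# valid_ipv4 ADDR: four dot-separated decimal octets, each 0..255
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= NF; i++)
              if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }'
}

# valid_port PORT: decimal 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# forward_conf HOST [PORT]: print an rsyslog drop-in that forwards local6.*
# over TCP ("@@") with a disk-assisted queue. Entries buffered while the
# collector is unreachable are kept on disk and retried indefinitely rather
# than dropped; the queue directives must precede the action line they apply to.
forward_conf() {
    host=$1
    port=${2:-514}
    valid_ipv4 "$host" || { echo "forward_conf: invalid host '$host'" >&2; return 1; }
    valid_port "$port" || { echo "forward_conf: invalid port '$port'" >&2; return 1; }
    cat <<EOF
# Forward audited shell commands to the central log server
\$ActionQueueType LinkedList
\$ActionQueueFileName fwd_commands
\$ActionQueueMaxDiskSpace 100m
\$ActionQueueSaveOnShutdown on
\$ActionResumeRetryCount -1
local6.* @@$host:$port
EOF
}

# Stand-alone run: print the drop-in for the server used in the text.
forward_conf 192.168.0.2 514
```

Write the output to a file under /etc/rsyslog.d/, run rsyslogd -N1 to check the configuration syntax, then restart rsyslog as in step 4. The collector must accept TCP syslog for this to work (in legacy rsyslog syntax, $ModLoad imtcp followed by $InputTCPServerRun 514 on the server).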
6. Use watchdog to monitor rsyslog; if the service stops, the machine is rebooted (optional)
apt-get install watchdog
update-rc.d watchdog defaults
cat > /etc/watchdog.conf <<EOF
watchdog-device = /dev/watchdog
admin = root
interval = 1
logtick = 1
log-dir = /var/log/watchdog
pidfile = /var/run/rsyslogd.pid
EOF