Use syslog for remote logging in Linux
Managing log files is an important part of network management. Every Linux system has a standard syslog facility, which can log to local files and to remote systems. Remote logging is particularly valuable when you need to review the logs of a compromised machine and are not sure whether the attacker has cleared the log files and destroyed the traces.
Setting up syslog for remote logging is easy. On the system that is to receive the log records, you only need to run syslogd with the -r option so that it accepts remote log records.
For example, on a Mandrake Linux system, edit the /etc/sysconfig/syslog file and change the SYSLOGD_OPTIONS parameter as shown below.
SYSLOGD_OPTIONS="-r -m 0"
Next, restart the syslog service. Also make sure that the firewall on this machine allows access to UDP port 514 from the machines that will send log records.
On the system that is to send log records, edit the /etc/syslog.conf file and add the following line to the end:
*.info @loghost.mydomain.com
This tells syslog to send all *.info log records to the host loghost.mydomain.com. You can change which facilities are logged remotely, but *.info is usually adequate. Restart syslog on this machine as well, and make sure the firewall allows UDP port 514 traffic from the local host to the remote machine.
The log records from this host should now appear on the remote host, and each record includes the name of the host that logged it. For example, your log file might look like this:
Jan 8 13:23:22 loghost fam[3627]: connect: Connection refused
Jan 8 13:23:24 remote.mydomain.com su(pam_unix)[3166]: session closed for user root
As you can see from this /var/log/messages excerpt, syslog is recording messages from both loghost (the local machine) and remote.mydomain.com (the remote host). At this point, install a log monitor on the logging host to alert you to any specific content you want to watch for (such as a failed login).
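A minimal sketch of such a log monitor, added here as an example and not part of the original article: it parses /var/log/messages-style lines on loghost and counts failed logins per sending host. The failure patterns (pam_unix "authentication failure", sshd "Failed password") and every sample line beyond the two shown above are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Classic syslog line as written to /var/log/messages:
#   "Mon DD HH:MM:SS host tag[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)
# Assumed failure markers; extend for the services you actually run.
FAILED_RE = re.compile(r"authentication failure|Failed password", re.I)

# Constructed sample: the article's two lines plus invented failures.
SAMPLE = """\
Jan  8 13:23:22 loghost fam[3627]: connect: Connection refused
Jan  8 13:23:24 remote.mydomain.com su(pam_unix)[3166]: session closed for user root
Jan  8 13:25:01 remote.mydomain.com su(pam_unix)[3190]: authentication failure; logname=alice uid=500 euid=0 tty=pts/1 ruser=alice rhost=  user=root
Jan  8 13:25:09 remote.mydomain.com sshd[3201]: Failed password for root from 192.0.2.10 port 40022 ssh2
Jan  8 13:26:40 loghost sshd[3650]: Failed password for bob from 192.0.2.10 port 40031 ssh2
garbage line without a header
"""

def parse_line(line):
    """Split one syslog line into ts/host/tag/pid/msg, or None if malformed."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def scan(lines):
    """Return (alerts, failures per sending host, count of unparsable lines)."""
    alerts, per_host, unparsed = [], Counter(), 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1  # malformed input is counted, not silently dropped
            continue
        if FAILED_RE.search(rec["msg"]):
            per_host[rec["host"]] += 1
            alerts.append((rec["ts"], rec["host"], rec["tag"], rec["msg"]))
    return alerts, per_host, unparsed

if __name__ == "__main__":
    alerts, per_host, unparsed = scan(SAMPLE.splitlines())
    for ts, host, tag, msg in alerts:
        print(f"ALERT {ts} {host} {tag}: {msg}")
    print(dict(per_host), "unparsed:", unparsed)
```

Records arriving over UDP port 514 carry a hostname that the sender supplies, so treat the per-host counts as a lead for investigation and not as proof of origin.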