Posted by Steve on Mon 12 Mar 2012 at 09:58
sudo is an essential tool in an environment where there are multiple server and system administrators. By default sudo will log to syslog, and it is very straightforward to isolate that logging to a local file, which can be useful.
Assuming you're running syslog-ng you can isolate the logging using a filter. syslog-ng supports several kinds of filter, but the simplest is a filter on the program name.
Predictably sudo will set its name to "sudo" which means you can append the following to /etc/syslog-ng/syslog-ng.conf to isolate the logging:
# setup destination
destination d_sudo { file("/var/log/sudo.log" ); };
# filter all messages, on the "program" field.
filter f_sudo { program("^sudo$"); };
# if the filter matches write to our new destination.
log { source(s_src); filter(f_sudo); destination(d_sudo); };
Once you've appended this you can both apply and test it by running:
skx@precious:~$ sudo /etc/init.d/syslog-ng restart
The most recent releases of Debian GNU/Linux default to using rsyslog instead of syslog-ng, and this too supports filtering upon all fields of incoming messages.
The Debian rsyslog package allows you to drop configuration files into /etc/rsyslog.d/ - providing those files end with a .conf suffix they will be read and processed.
sudo filtering may be applied by creating the file /etc/rsyslog.d/sudo.conf with the following contents:
# match if "program name" is equal to "sudo"
:programname, isequal, "sudo" -/var/log/sudo.log
# if we matched this causes the input to be swallowed, preventing further logging.
& ~
Again, to make this take effect you must restart the syslog daemon; do that by running:
root@precious:~# /etc/init.d/rsyslog restart
Stopping enhanced syslogd: rsyslogd.
Starting enhanced syslogd: rsyslogd.
root@precious:~#
Both loggers, rsyslog and syslog-ng, allow other filtering to be applied based upon program name, text strings in the message, and similar. There is a lot of flexibility to be gained if you're willing to take the time to configure them appropriately.
Given the modular configuration file, as supplied by default, I slightly prefer the use of rsyslog but features are roughly the same in both.
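Whichever daemon you use, the point of a dedicated /var/log/sudo.log is that it can be audited on its own. The following is an added example, not code from the article: it parses the lines sudo writes through syslog (the "user : TTY=... ; PWD=... ; USER=... ; COMMAND=..." format, with any refusal text such as "user NOT in sudoers" placed before the first field) and pulls out the denied attempts. The sample lines are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample lines in the shape sudo emits through syslog (not taken from the article).
SAMPLE_LOG = """\
Mar 12 09:58:01 precious sudo:      skx : TTY=pts/0 ; PWD=/home/skx ; USER=root ; COMMAND=/etc/init.d/syslog-ng restart
Mar 12 10:02:17 precious sudo:    alice : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Mar 12 10:05:44 precious sudo:      bob : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apt-get update
Mar 12 10:06:00 precious sudo:      bob : TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apt-get update
"""

# syslog prefix (timestamp, host, program, optional pid), then sudo's own
# "<user> : [<failure text> ;] KEY=value ; KEY=value ..." body.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo(?:\[\d+\])?:\s+"
    r"(?P<user>\S+) : (?P<body>.*)$"
)

@dataclass
class SudoEvent:
    timestamp: str
    host: str
    user: str
    failure: Optional[str]                       # None when sudo permitted the command
    fields: dict = field(default_factory=dict)   # TTY, PWD, USER, COMMAND

def parse_line(line: str) -> Optional[SudoEvent]:
    """Parse one line of sudo.log; return None for lines sudo did not write."""
    m = LINE_RE.match(line)
    if not m:
        return None
    failure, fields = None, {}
    for part in m.group("body").split(" ; "):
        key, sep, value = part.partition("=")
        if sep:
            fields[key] = value
        else:
            # Free text before the KEY=value pairs marks a refusal or auth failure.
            failure = part.strip()
    return SudoEvent(m.group("ts"), m.group("host"), m.group("user"), failure, fields)

def parse_log(text: str) -> list:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]

def denied_events(events: list) -> list:
    """Events where sudo refused: unknown user, bad password, disallowed command."""
    return [e for e in events if e.failure is not None]
```

Because the rsyslog rule above ends with `& ~`, the matched messages are discarded after being written, so sudo.log is the one place these lines land and the file this parser should read.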
This article can be found online at the Debian Administration website at the following bookmarkable URL (along with associated comments):
This article is copyright 2012 Steve - please ask for permission to republish or translate.