Isolating sudo messages from syslog
Posted by Steve on Mon 12 Mar 2012 at 09:58
sudo is an essential tool in an environment where there are multiple server and system administrators. By default sudo will log to syslog, and it is very straightforward to isolate that logging into a local file, which can be useful.
Assuming you're running syslog-ng you can isolate the logging using a filter. There are several filters supported by syslog-ng, but the simplest is filtering on the program name.
Predictably sudo will set its name to "sudo" which means you can append the following to /etc/syslog-ng/syslog-ng.conf to isolate the logging:
# setup destination
destination d_sudo { file("/var/log/sudo.log"); };
# filter all messages, on the "program" field.
filter f_sudo { program("^sudo$"); };
# if the filter matches write to our new destination.
log { source(s_src); filter(f_sudo); destination(d_sudo); };
Once you've appended this you can both apply and test it by running:
skx@precious:~$ sudo /etc/init.d/syslog-ng restart
The most recent releases of Debian GNU/Linux default to using rsyslog instead of syslog-ng, and this too supports filtering upon all fields of incoming messages.
The Debian rsyslog package allows you to drop configuration files into /etc/rsyslog.d/; providing those files end with a .conf suffix they will be read and processed.
sudo filtering may be applied by creating the file /etc/rsyslog.d/sudo.conf with the following contents:
# match if "program name" is equal to "sudo"
:programname, isequal, "sudo" -/var/log/sudo.log
# if we matched this causes the input to be swallowed, preventing further logging.
& ~
Again, to make this take effect you must restart the syslog daemon; do that by running:
root@precious:~# /etc/init.d/rsyslog restart
Stopping enhanced syslogd: rsyslogd.
Starting enhanced syslogd: rsyslogd.
root@precious:~#
Both loggers, rsyslog and syslog-ng, allow other filtering to be applied based upon program name, text strings in the message, and similar. There is a lot of flexibility to be gained if you're willing to take the time to configure them appropriately.
Given the modular configuration file, as supplied by default, I slightly prefer the use of rsyslog but features are roughly the same in both.
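As an added illustration (not code from the article), the following Python script applies the same rule as the two configurations above, an exact match on the program name, to a few constructed syslog lines, and then splits the isolated sudo records into their fields so a reviewer can spot denied commands. The hostname, users and the "sudo-helper" tag are invented for the example; the record layout "user : [reason ;] TTY=... ; PWD=... ; USER=... ; COMMAND=..." is sudo's usual syslog message.

```python
import re

# Constructed sample syslog lines (BSD style); "sudo-helper" is an invented tag
# included only to show why the match must be exact rather than a substring.
SAMPLE_LOG = """\
Mar 12 09:58:01 precious sudo:     skx : TTY=pts/0 ; PWD=/home/skx ; USER=root ; COMMAND=/etc/init.d/syslog-ng restart
Mar 12 09:58:02 precious sudo[2123]: pam_unix(sudo:session): session opened for user root by skx(uid=0)
Mar 12 09:58:03 precious sudo-helper[77]: not really sudo, must not be captured
Mar 12 09:58:04 precious sshd[1999]: Accepted publickey for skx from 192.0.2.10 port 50022 ssh2
Mar 12 09:58:05 precious sudo:     bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
"""

# "<Mon> <dd> <HH:MM:SS> <host> <tag>[<pid>]: <message>"; the tag (without pid)
# is what rsyslog exposes as programname and syslog-ng as PROGRAM.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)

# sudo's command record; an optional reason such as "command not allowed" precedes TTY=.
SUDO_RE = re.compile(
    r"^\s*(?P<user>\S+) : (?:(?P<reason>[^;]+?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)

def parse_line(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def isolate(log_text, program="sudo"):
    """Equivalent of ':programname, isequal, "sudo"' / program("^sudo$"):
    exact comparison on the tag, so "sudo-helper" is not swept in."""
    return [r for r in map(parse_line, log_text.splitlines()) if r and r["prog"] == program]

def sudo_records(log_text):
    """Split the isolated sudo lines into fields; lines that are not sudo's own
    command record (PAM session noise, for instance) are skipped."""
    out = []
    for r in isolate(log_text):
        m = SUDO_RE.match(r["msg"])
        if m:
            d = m.groupdict()
            d["ok"] = d["reason"] is None  # any reason text means sudo refused the command
            out.append(d)
    return out

if __name__ == "__main__":
    for rec in sudo_records(SAMPLE_LOG):
        print("ALLOWED" if rec["ok"] else "DENIED ", rec["user"], "->", rec["runas"], rec["cmd"])
```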
Upon my hosts I see no such line - but you're correct to point out that syslog logging may be disabled.
"man sudoers" has the details.
Took me several attempts to spot that - I focussed on "!syslog".
Does help when people are explicit though, so thanks!
Either way I hope this post is useful for isolating output from other programs.
Perhaps you could mention that logrotate should deal with this new logfile.
e.g.:
sed -i "/messages/a\/var\/log\/sudo.log" /etc/logrotate.d/rsyslog
Defaults:myusername !logfile,!syslog
This will prevent both logfile and syslog
Because it's much easier to filter out all messages that have only to do with the sudo command.
It will also make it possible to stop all others in the group adm from being able to see the sudo log.
Defaults env_reset,logfile=/var/log/sudo.log,!syslog,authenticate,loglinelen=160