Sunday, July 24, 2011

Syslog and Auditing Utilities

Recently, during an audit, we identified very few system events in the centralised syslog server. Investigating further, we found that the syslog configuration was correct on all 100 servers. But then what was wrong? We were getting only the syslog daemon's own log messages, not the others. We found that the basics were wrong among them: although log forwarding was configured, what should be logged was not defined. Enclosed are the recommended settings to log all the login events, especially for Solaris.
Configure syslog messages by increasing the logging severity level for the login daemon
-          vi the /etc/syslog.conf file and route the auth facility at notice level and above, i.e. add (or uncomment) an auth.notice line whose action is a local file such as /var/log/authlog or the central server as @loghost. A selector such as auth.notice matches that level and every higher one, so crit messages are included. Solaris syslogd requires a TAB, not spaces, between the selector and the action; a line separated only by spaces is silently ignored, which is exactly the symptom of "forwarding configured but nothing arrives".
-          Manually stop & start syslogd so the changes take effect (on Solaris 10 use svcadm refresh system-log instead, since syslogd is managed by SMF):
-          /etc/init.d/syslogd stop
-          /etc/init.d/syslogd start
-     Also, ensure the /etc/default/login file has the entry SYSLOG=YES, so that all root logins and repeated failed login attempts are logged to the auth facility. The threshold for failed attempts is SYSLOG_FAILED_LOGINS in the same file (default 5); set it to 0 to log every failed attempt.

Configure syslog messages by increasing the logging severity level for the telnet (inetd) services
-          vi the /etc/syslog.conf file and route the daemon facility at notice level and above, i.e. a daemon.notice line whose action is /var/adm/messages or @loghost, so each inetd-managed system service (ftp, telnet, etc.) is logged. The same TAB rule as above applies.
-          vi the file /etc/init.d/inetsvc to add trace mode (-t) for inetd. With -t, inetd logs the client IP address, client TCP port and service name of every incoming TCP connection through syslog at the daemon facility (it records the connection, not the user name; the login itself is logged by the auth facility above). The line should read:
-          /usr/sbin/inetd -s -t &
-          Manually stop & start syslogd to pick up the changes:
-          /etc/init.d/syslogd stop
-          /etc/init.d/syslogd start
-          inetsvc must also be manually stopped & started for the new inetd flag to take effect; note that this briefly interrupts all inetd-managed services:
-          /etc/init.d/inetsvc stop
-          /etc/init.d/inetsvc start
-          On Solaris 10, inetd is managed by SMF instead of /etc/init.d/inetsvc: enable tracing for all services with inetadm -M tcp_trace=TRUE and restart it with svcadm restart network/inetd.
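The following script is an added example, not part of the original post: it applies and verifies the settings from both procedures above (the auth.notice and daemon.notice rules in syslog.conf, SYSLOG=YES in /etc/default/login, and -t on the inetd line in /etc/init.d/inetsvc) on copies of the files, so the result can be checked before the live /etc files are touched. It also catches the TAB-versus-spaces mistake in syslog.conf. The sample file contents at the bottom are constructed to resemble the stock Solaris files; @loghost is assumed to be the central server's alias, and the plain "selector<TAB>@loghost" form is used rather than the m4 ifdef(`LOGHOST', ...) form found in the shipped file.

```shell
#!/bin/sh
# Added example (not the original post's code): audit and fix Solaris login
# logging settings on copies of the files. Every function takes a file path,
# so it can be dry-run on a copy and only then pointed at /etc.

# 1. Solaris syslogd needs a TAB between selector and action; a line separated
#    only by spaces is silently dropped. Succeeds only if every active line
#    (not a comment, not blank) contains a tab.
syslog_conf_tabs_ok() {
    awk 'BEGIN { bad = 0 }
         /^[ \t]*#/ || /^[ \t]*$/ { next }     # skip comments and blank lines
         !/\t/ { bad = 1 }
         END { exit bad }' "$1"
}

# 2. Is facility.level already routed to the given action, on a line syslogd
#    would actually parse? Fields are split on tabs, so a space-separated rule
#    does not count; selectors may be ';'-joined ("*.err;auth.notice"), so each
#    token is compared; commented-out rules ("#auth.notice<TAB>@loghost") are ignored.
syslog_rule_present() {
    awk -v sel="$2" -v act="$3" '
        BEGIN { FS = "\t+"; found = 0 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { sub(/[ \t]+$/, "")                  # drop trailing whitespace, re-split
          n = split($1, t, ";")
          for (i = 1; i <= n; i++) if (t[i] == sel && $2 == act) found = 1 }
        END { exit !found }' "$1"
}

# Append a TAB-separated rule unless it is already active (idempotent).
syslog_ensure_rule() {
    syslog_rule_present "$1" "$2" "$3" || printf '%s\t%s\n' "$2" "$3" >> "$1"
}

# 3. /etc/default/login: force SYSLOG=YES whether the key is absent, commented
#    out, or set to NO. SYSLOG_FAILED_LOGINS is left as it is.
login_set_syslog() {
    if grep -q '^[# ]*SYSLOG=' "$1"; then
        sed 's/^[# ]*SYSLOG=.*/SYSLOG=YES/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    else
        echo 'SYSLOG=YES' >> "$1"
    fi
}
login_syslog_enabled() { grep -q '^SYSLOG=YES$' "$1"; }

# 4. /etc/init.d/inetsvc (Solaris 8/9): add -t to the inetd start line so every
#    inetd-managed TCP connection is traced to syslog's daemon facility.
inetsvc_trace_enabled() { grep -q '^/usr/sbin/inetd -s -t *&' "$1"; }
inetsvc_enable_trace() {
    inetsvc_trace_enabled "$1" && return 0
    sed 's|^/usr/sbin/inetd -s *&|/usr/sbin/inetd -s -t \&|' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# ---- demo on constructed samples in a temp dir, never on the live files ----
work=$(mktemp -d)
# Constructed syslog.conf: auth forwarding only present as a comment, plus one
# space-separated rule (the classic mistake) that syslogd would ignore.
printf '*.err;kern.notice;auth.notice\t/dev/sysmsg\n'                  >  "$work/syslog.conf"
printf '*.err;kern.debug;daemon.notice;mail.crit\t/var/adm/messages\n' >> "$work/syslog.conf"
printf '#auth.notice\t@loghost\n'                                      >> "$work/syslog.conf"
printf 'auth.info    @loghost\n'                                       >> "$work/syslog.conf"
printf '#SYSLOG=YES\nSYSLOG_FAILED_LOGINS=5\n'                         >  "$work/login"
printf '/usr/sbin/inetd -s &\n'                                        >  "$work/inetsvc"

syslog_conf_tabs_ok "$work/syslog.conf" \
    || echo "WARNING: syslog.conf has a space-separated rule; replace the spaces with a TAB"
syslog_ensure_rule "$work/syslog.conf" auth.notice   @loghost
syslog_ensure_rule "$work/syslog.conf" daemon.notice @loghost
login_set_syslog     "$work/login"
inetsvc_enable_trace "$work/inetsvc"
cat "$work/syslog.conf" "$work/login" "$work/inetsvc"
rm -rf "$work"
```

To use it on a host, copy /etc/syslog.conf, /etc/default/login and /etc/init.d/inetsvc somewhere writable, run the functions against the copies, diff them against the originals, and only then install them and restart syslogd and inetsvc as described above.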