On 2007-05-29 19:29, John Andersen wrote:
>
> I don't think 9.3 uses syslog-ng just the old syslog.
>

I am pretty sure the default syslogd configuration logs authpriv to a separate file, therefore the OP is very probably running syslog-ng on that system.

For completion on this list, here is my reply on opensuse-security:

> Those other systems are probably using the syslogd daemon, which is the
> default. Syslog-ng is significantly better, so I don't know why it isn't
> the default.
>
> By default, all these log messages are going to /var/log/messages. You
> need to create a new filter and destination in /etc/syslog-ng.conf.in
> for messages from facility "authpriv", run (as root) "/sbin/SuSEconfig
> --module syslog-ng" (this will create the .conf file from your changed
> .conf.in file -- note that 10.0 and later no longer use the .conf.in
> file), then "rcsyslog reload" (force syslog-ng to re-read its
> configuration file).
>
> The following will log everything on facility authpriv to /var/log/auth.log:
>
>     filter f_authpriv { facility(authpriv); };
>     destination authpriv { file("/var/log/auth.log"); };
>     log { source(src); filter(f_authpriv); destination(authpriv); };
>
> By default, /var/log/auth.log will be created with owner:group as
> root:root and permissions 0600, so security should not be an issue. If
> you wish group root to be able to read the file also, then change the
> "destination" line above to read:
>
>     destination authpriv { file("/var/log/auth.log" perm(0660)); };
>
> The messages will still be logged to /var/log/messages. If you don't
> want them in there, you also need to change this line:
>
>     filter f_messages { not facility(news, mail) and not
>                         filter(f_iptables); };
>
> to read
>
>     filter f_messages { not facility(news, mail) and not
>                         filter(f_iptables) and not filter(f_authpriv); };

Phillipe Vogel replied to this with a suggestion to logrotate, so the file doesn't become too large:

> To avoid unreadably long logfiles, edit the logrotate service
> to rotate your logs at fixed periods, like monthly.
>
> To proceed, add these extra lines to /etc/logrotate.conf:
>
>     /var/log/auth.log {
>         monthly
>         create 0660 root root
>         rotate 1
>     }
>
> It will create an auth.log.<date> after each logrotate call with the
> same permissions as above.
>
> Logrotate should be done via a crond job, so afaik you need not
> restart the service, as crond calls the script itself.

I replied with some comments that on a very busy system, a more frequent rotation might be in order, eg. with "weekly" or "size <bytes>" instead of "monthly". Also, where it is important (eg. for a corporation), an admin might want more than two months' worth of login data, eg. "rotate 12" for a whole year, or even "maxage <days>" (the latter being how syslog-ng is configured in SuSE).

-- 
Hypocrisy is the homage vice pays to virtue. -- François de La Rochefoucauld
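As an added worked example, not part of the thread and not SuSE's own syslog-ng.conf: the Python below models what the syslog-ng fragments above do, so you can see which lines end up in /var/log/auth.log, /var/log/messages and the firewall log before touching a live daemon. It decodes the syslog <PRI> prefix (PRI = facility * 8 + severity, per RFC 3164; authpriv is facility 10), applies f_authpriv, f_iptables and the corrected f_messages as predicates, and emulates the file() destination's perm() option by creating the file with the requested mode and reporting the resulting bits. The f_iptables definition (kernel messages carrying IN= and OUT= fields, as SuSEfirewall2 emits) is an assumption standing in for the SuSE default, and the sample log lines are constructed, not captured.

```python
"""Model of the syslog-ng routing discussed in the thread, run over constructed
syslog lines.  Facility numbers follow the syslog PRI encoding (RFC 3164):
PRI = facility * 8 + severity, so authpriv.info is <86>.
"""
import os
import stat
import tempfile

FACILITY_NAMES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}


def parse_pri(line):
    """Split a '<PRI>rest' syslog line into (facility_name, severity, rest)."""
    if not line.startswith("<"):
        raise ValueError("missing <PRI> prefix: %r" % line)
    close = line.index(">")
    pri = int(line[1:close])
    return FACILITY_NAMES.get(pri >> 3, "unknown"), pri & 7, line[close + 1:]


# The thread's filters as predicates over (facility, severity, message).
def f_authpriv(facility, severity, msg):
    return facility == "authpriv"


def f_iptables(facility, severity, msg):
    # Assumption: SuSEfirewall2 logs via the kernel facility with IN=/OUT= fields.
    return facility == "kern" and "IN=" in msg and "OUT=" in msg


def f_messages(facility, severity, msg):
    # The corrected f_messages: authpriv is excluded, so auth lines leave messages.
    return (facility not in ("news", "mail")
            and not f_iptables(facility, severity, msg)
            and not f_authpriv(facility, severity, msg))


# One entry per log {} statement: filter -> destination file name.
LOG_PATHS = [
    (f_authpriv, "auth.log"),
    (f_iptables, "firewall"),
    (f_messages, "messages"),
]


def route(lines):
    """Return {destination: [message, ...]}; a line can hit several destinations."""
    out = {dest: [] for _, dest in LOG_PATHS}
    for line in lines:
        facility, severity, msg = parse_pri(line)
        for flt, dest in LOG_PATHS:
            if flt(facility, severity, msg):
                out[dest].append(msg)
    return out


def write_destination(directory, name, messages, perm=0o600):
    """Emulate file(... perm(N)): create the file with exactly mode N (umask
    does not apply, like syslog-ng's perm()) and return its permission bits."""
    path = os.path.join(directory, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, perm)
    with os.fdopen(fd, "w") as fh:
        for m in messages:
            fh.write(m + "\n")
    os.chmod(path, perm)  # os.open's mode argument is masked by umask; force it
    return stat.S_IMODE(os.stat(path).st_mode)


def demo_modes():
    """Modes of an auth.log created with perm(0660) and a default (0600) file."""
    with tempfile.TemporaryDirectory() as d:
        return (write_destination(d, "auth.log", ["x"], 0o660),
                write_destination(d, "messages", ["y"]))


# Constructed sample lines (not real logs): PRI 86 = authpriv.info, 14 = user.info,
# 22 = mail.info, 4 = kern.warning, 63 = news.debug.
SAMPLE_LINES = [
    "<86>May 29 19:29:01 box sshd[1234]: Accepted publickey for alice from 192.0.2.7 port 50122 ssh2",
    "<86>May 29 19:29:05 box su: (to root) alice on /dev/pts/0",
    "<14>May 29 19:29:10 box cron[777]: (root) CMD (run-parts /etc/cron.hourly)",
    "<22>May 29 19:29:12 box postfix/smtpd[900]: connect from localhost[127.0.0.1]",
    "<4>May 29 19:29:15 box kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=198.51.100.9",
    "<63>May 29 19:29:20 box innd: expire done",
]


if __name__ == "__main__":
    for dest, msgs in route(SAMPLE_LINES).items():
        print("%-9s %d line(s)" % (dest, len(msgs)))
    print("modes (auth.log with perm(0660), default): %o %o" % demo_modes())
```

Running it shows the two authpriv lines landing only in auth.log once the corrected f_messages is in place, the firewall line going only to the firewall destination, and only the user-facility cron line reaching messages; the mode check is the same thing "ls -l /var/log/auth.log" would confirm on the real box.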