On 2007-05-29 19:29, John Andersen wrote:
>
>
> I don't think 9.3 uses syslog-ng just the old syslog.
>   
I am pretty sure the default syslogd configuration logs authpriv to a separate 
file, therefore the OP is very probably running syslog-ng on that system.

For completeness on this list, here is my reply on opensuse-security:

> Those other systems are probably using the syslogd daemon, which is the
> default. Syslog-ng is significantly better, so I don't know why it isn't
> the default.
>
> By default, all these log messages are going to /var/log/messages. You
> need to create a new filter and destination in /etc/syslog-ng.conf.in
> for messages from facility "authpriv", run (as root) "/sbin/SuSEconfig
> --module syslog-ng" (this will create the .conf file from your changed
> .conf.in file -- note that 10.0 and later no longer use the .conf.in
> file), then "rcsyslog reload" (force syslog-ng to re-read its
> configuration file).
>
> The following will log everything on facility authpriv to /var/log/auth.log:
>
>     filter f_authpriv { facility(authpriv); };
>     destination authpriv { file("/var/log/auth.log"); };
>     log { source(src); filter(f_authpriv); destination(authpriv); };
>
> By default, /var/log/auth.log will be created with owner:group as
> root:root and permissions 0600, so security should not be an issue. If
> you wish group root to be able to read the file also, then change the
> "destination" line above to read:
>
>     destination authpriv { file("/var/log/auth.log" perm(0660)); };
>
>
> The messages will still be logged to /var/log/messages. If you don't
> want them in there, you also need to change this line:
>
>     filter f_messages   { not facility(news, mail) and not filter(f_iptables); };
>
> to read
>
>     filter f_messages   { not facility(news, mail) and not filter(f_iptables) and not filter(f_authpriv); };

Phillipe Vogel replied to this with a suggestion to logrotate, so the
file doesn't become too large:

> To avoid unreadably long logfiles, edit the logrotate service
> to rotate your logs at fixed periods, like monthly.
>
> To proceed, add these extra lines to /etc/logrotate.conf:
>
> /var/log/auth.log {
>     monthly
>     create 0660 root root
>     rotate 1
> }
>
> It will create an auth.log.<date> after each logrotate call with the
> same permissions as above.
>
> Logrotate should be done via a crond job, so afaik you do not need to
> restart the service, as crond calls the script itself.

I replied with some comments that on a very busy system, a more frequent
rotation might be in order, e.g. with "weekly" or "size <bytes>" instead
of "monthly". Also, where it is important (e.g. for a corporation), an
admin might want more than 2 months' worth of login data, e.g. "rotate 12"
for a whole year, or even "maxage <days>" (the latter being how
syslog-ng is configured in SuSE).


-- 
Hypocrisy is the homage vice pays to virtue. -- François de La Rochefoucauld
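
An added example, not part of the original thread: syslog-ng's `perm()` and logrotate's `create` mode are set in separate files, so this shell check confirms that auth.log and its rotated copies keep the owner and permissions discussed above. It assumes GNU `stat`; the function names `excess_bits` and `audit_auth_logs` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original thread): audit auth.log and its rotated
# copies against the owner and permissions discussed above.
# Assumptions: GNU stat ("stat -c"); rotated files are named <log>.<suffix>;
# the function names excess_bits and audit_auth_logs are hypothetical.

# excess_bits MODE ALLOWED
# Print (in octal) the permission bits set in MODE that ALLOWED does not grant.
excess_bits() {
    printf '%o\n' $(( 0$1 & ~0$2 & 07777 ))
}

# audit_auth_logs LOG [ALLOWED_MODE] [UID:GID]
# Report every file that is too permissive or has the wrong owner.
# Returns 0 when all files are acceptable, 1 otherwise.
audit_auth_logs() {
    log=$1
    allowed=${2:-0600}   # syslog-ng default per the thread; 0660 with perm(0660)
    owner=${3:-0:0}      # root:root as numeric uid:gid
    bad=0
    for f in "$log" "$log".*; do
        [ -f "$f" ] || continue      # also skips an unmatched glob
        mode=$(stat -c '%a' "$f")
        own=$(stat -c '%u:%g' "$f")
        extra=$(excess_bits "$mode" "$allowed")
        if [ "$extra" != 0 ]; then
            echo "TOO-OPEN    $f mode=$mode extra-bits=$extra"
            bad=1
        fi
        if [ "$own" != "$owner" ]; then
            echo "WRONG-OWNER $f owner=$own expected=$owner"
            bad=1
        fi
    done
    return "$bad"
}

# Run against a real log when a path is given, e.g.:
#   sh audit.sh /var/log/auth.log 0660
if [ "$#" -gt 0 ]; then
    audit_auth_logs "$@"
fi
```
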
