[ossec-list] Best way to alert all sudo su

2011-10-25 Thread Kat
Simple(?) question...

Looking for the best way to log all sudo su - someuser.
Obviously, it already flags sudo root, but I am looking to track all
the users who are authorized to sudo to other accounts and when they
do it. I could modify the syslog_rules - which worked, but since that
is a bad thing to do, I was wondering if someone has the best
local_rule format to do this without making changes to syslog_rules.

thanks
~K


Re: [ossec-list] Best way to alert all sudo su

2011-10-25 Thread Jeremy Lee
Maybe copy the rule you modified to local_rules and use overwrite=yes so
you're not actually modifying the syslog_rules file? But remember to keep
the match for root user in there and just extend the list to whatever
user(s) you want.

I'm not sure what changes you made to get it to work, but possibly something
along the lines of this(?):

  <!-- Goes in local_rules.xml; overwrite="yes" on the same id 5402 replaces
       the stock rule so syslog_rules.xml itself is left untouched -->
  <group name="syslog,sudo,">
    <rule id="5402" level="3" overwrite="yes">
      <if_sid>5400</if_sid>
      <match> ; USER=root ; COMMAND=| ; USER=wheel ; COMMAND=</match>
      <description>Successful sudo to other user executed</description>
    </rule>
  </group>


On Tue, Oct 25, 2011 at 8:08 AM, Kat uncommon...@gmail.com wrote:

 Simple(?) question...

 Looking for the best way to log all sudo su - someuser.
 Obviously, it already flags sudo root, but I am looking to track all
 the users who are authorized to sudo to other accounts and when they
 do it. I could modify the syslog_rules - which worked, but since that
 is a bad thing to do, I was wondering if someone has the best
 local_rule format to do this without making changes to syslog_rules.

 thanks
 ~K
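An added example, not part of the thread or of OSSEC itself: the script below applies the `<match>` string from the overwritten rule 5402 to a handful of constructed sudo syslog lines (sample data, not real logs), using OSSEC's `<match>` semantics (plain substring test, `|` separating alternatives). It then shows the generalization the original poster is after: instead of enumerating target users in the match string, parse the `USER=` field of every successful sudo line and report who became whom. Two caveats the enumerated substring does not handle are built in: sudo failure lines ("user NOT in sudoers", "N incorrect password attempts") also contain ` ; USER=root ; COMMAND=`, so the parser anchors on the success format where `TTY=` follows the invoking user directly, and newer sudo builds may insert a `TSID=` field before `COMMAND=`, which the pattern tolerates. The `sudo:` line layout assumed here is sudo's standard syslog format.

```python
import re
from typing import Optional

# Constructed sample lines in sudo's syslog format; not taken from any real system.
SAMPLE_LOGS = [
    "Oct 25 08:08:01 host sudo:      kat : TTY=pts/0 ; PWD=/home/kat ; USER=root ; COMMAND=/bin/su -",
    "Oct 25 08:09:12 host sudo:      kat : TTY=pts/0 ; PWD=/home/kat ; USER=oracle ; COMMAND=/bin/su - oracle",
    "Oct 25 08:10:45 host sudo:   jeremy : TTY=pts/1 ; PWD=/home/jeremy ; USER=postgres ; COMMAND=/bin/bash",
    "Oct 25 08:11:00 host sudo:      kat : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/kat ; USER=root ; COMMAND=/bin/su -",
    "Oct 25 08:12:30 host sshd[1234]: Accepted publickey for kat from 10.0.0.5 port 2222 ssh2",
]

# The <match> string from the thread's overwritten rule 5402.
THREAD_MATCH = " ; USER=root ; COMMAND=| ; USER=wheel ; COMMAND="


def ossec_match(pattern: str, line: str) -> bool:
    """OSSEC <match> semantics: substring test, with '|' separating alternatives."""
    return any(alt in line for alt in pattern.split("|"))


# Successful sudo lines look like:
#   "<invoker> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>"
# Failure lines put a reason between the invoker and "TTY=", so requiring
# ": TTY=" right after the invoker excludes them even though they also
# carry " ; USER=... ; COMMAND=".  "TSID=..." (sudo I/O logging) is optional.
SUDO_SUCCESS = re.compile(
    r"sudo:\s+(?P<invoker>\S+) : TTY=\S+ ; PWD=.*? ; USER=(?P<target>\S+) ; "
    r"(?:TSID=\S+ ; )?COMMAND=(?P<command>.*)$"
)


def parse_sudo_success(line: str) -> Optional[dict]:
    """Return invoker/target/command for a successful sudo line, else None."""
    m = SUDO_SUCCESS.search(line)
    return m.groupdict() if m else None


def sudo_to_other_users(lines, targets=None):
    """Report successful sudo events.  targets=None reports every target user,
    which is what the thread asks for; pass a set to restrict to specific accounts."""
    events = []
    for line in lines:
        ev = parse_sudo_success(line)
        if ev and (targets is None or ev["target"] in targets):
            events.append(ev)
    return events


if __name__ == "__main__":
    hits = [i for i, line in enumerate(SAMPLE_LOGS) if ossec_match(THREAD_MATCH, line)]
    print("lines hit by the thread's <match>:", hits)  # root lines only, incl. the failure
    for ev in sudo_to_other_users(SAMPLE_LOGS):
        print(f"{ev['invoker']} -> {ev['target']}: {ev['command']}")
```

Run against the sample lines, the enumerated `<match>` fires only on the two `USER=root` lines (one of which is a denied attempt), while the parser reports kat becoming root and oracle and jeremy becoming postgres. The OSSEC equivalent of the parser's target capture is a `<regex>` of ` ; USER=\S+ ; COMMAND=` under `<if_sid>5400</if_sid>` in a new rule with a local id (the 100000 range is reserved for user rules), which alerts on every successful sudo to any account without touching rule 5402; that rule is a suggestion of this note, not something the thread proposes.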