
Re: central logging



On Sat, May 22, 2010 at 01:47:20PM +0200, Martin Schulte wrote:
On 09.04.2010 10:24, Martin Schulte wrote:
Is there a way to find out which person logged in on which machine? I'm using Linux and Windows as clients. Can the clients' (auth) log files be stored on tjener? The auth.log on tjener doesn't store information about the IP address or the hostname, only something like this
----
Apr 9 09:32:33 tjener smbd[4932]: pam_unix(samba:session): session opened for user ...
----

Regards, Martin

Now I found a way to store information about log-ins on tjener. I'm using syslog-ng. I wrote a little Howto in the wiki; you can find it here:

english: http://wiki.debian.org/DebianEdu/HowTo/syslog-ng
german: http://wiki.skolelinux.de/syslog-ng

As Petter says, rsyslog is the new default in Debian. Before rsyslogd emerged I would have favored syslog-ng too, but no longer. It supports filters too: http://www.rsyslog.com/doc-rsyslog_conf_filter.html

A more flexible approach (also with more levels of security, making it more complex to set up) is to use Prelude. The log analyzer part (prelude-lml) by default tracks "remote logins", which may or may not catch the logins of Skolelinux users. But it can be tweaked very heavily, and extended to also centrally collect and analyze e.g. kernel warnings (audispd-plugins), filesystem integrity (samhain), firewall activities (nuauth) and network anomalies (snort, suricata), and present the result in a web interface (prewikka) or report through mail, SMS or in the X11 desktop status area of admin accounts (prelude-notify).


 - Jonas

--
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
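Added example (not from this thread, the wiki Howto, rsyslog or Debian Edu): once the clients forward their auth facility to tjener and the receiver keeps the originating hostname in the syslog header (both rsyslog and syslog-ng do this by default), the "which person logged in on which machine" question Martin asked can be answered directly from the collected lines. The script below parses the pam_unix session messages that sshd, samba, gdm and login emit, and builds a user-to-host map; it accepts both the old message form ("for user alice by (uid=0)") and the newer one with a uid after the user name. Host names, users and log lines are constructed for the example.

```python
"""Correlate pam_unix session events from centrally collected syslog lines.

Added example, not code from the thread, the wiki Howto or Debian Edu. It
assumes the clients forward auth/authpriv to tjener and that the central
receiver writes the client's hostname into the syslog header (rsyslog and
syslog-ng both do with their default templates). The sample lines below
are constructed for this example.
"""
import re
from collections import defaultdict

# Syslog line as written by a central receiver: timestamp, originating host,
# program[pid]: message. BSD/RFC 3164 layout, so "Apr  9" has a padded day.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# pam_unix session message. Both the old form
#   "session opened for user alice by (uid=0)"
# and the newer form with a uid appended to the user name
#   "session opened for user alice(uid=1000) by (uid=0)"
# are accepted. The PAM service name (sshd, samba, gdm, login, ...) sits in
# the parentheses after "pam_unix".
PAM_RE = re.compile(
    r"^pam_unix\((?P<service>[^:]+):session\): "
    r"session (?P<action>opened|closed) for user (?P<user>[^\s(]+)"
)


def parse_line(line):
    """Return a dict for one pam_unix session event, or None for any other line."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    p = PAM_RE.match(m.group("msg"))
    if not p:
        return None
    return {
        "ts": m.group("ts"),
        "host": m.group("host"),
        "service": p.group("service"),
        "action": p.group("action"),
        "user": p.group("user"),
    }


def logins_by_user(lines):
    """Map user -> sorted list of (host, service) pairs the user opened a session on."""
    seen = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["action"] == "opened":
            seen[ev["user"]].add((ev["host"], ev["service"]))
    return {user: sorted(pairs) for user, pairs in seen.items()}


# Constructed sample: three hypothetical clients (ws01..ws03) forwarding to
# tjener, tjener's own samba line in the shape quoted in the thread, and one
# unrelated cron line that must be ignored.
SAMPLE = """\
Apr  9 09:32:33 tjener smbd[4932]: pam_unix(samba:session): session opened for user alice by (uid=0)
Apr  9 09:33:10 ws01 sshd[1201]: pam_unix(sshd:session): session opened for user bob by (uid=0)
Apr  9 09:35:02 ws02 gdm[877]: pam_unix(gdm:session): session opened for user alice(uid=1001) by (uid=0)
Apr  9 09:36:44 ws01 sshd[1201]: pam_unix(sshd:session): session closed for user bob
Apr  9 09:37:01 ws03 cron[455]: (root) CMD (run-parts /etc/cron.hourly)
Apr  9 09:40:12 ws03 login[512]: pam_unix(login:session): session opened for user carol by LOGIN(uid=0)
"""

if __name__ == "__main__":
    for user, where in sorted(logins_by_user(SAMPLE.splitlines()).items()):
        print(user, ", ".join(f"{h} ({s})" for h, s in where))
```

The receiving side is outside the block. With rsyslog on tjener, loading imudp and `$UDPServerRun 514` accepts what the clients send with `auth,authpriv.* @tjener`, and a property-based filter from the page linked above, for example `:msg, contains, "pam_unix" /var/log/remote-auth.log`, keeps only the lines this script reads. Two caveats for accountability: plain UDP syslog is lossy and unauthenticated, so a client can forge the hostname field; rsyslog's imtcp with its TLS driver, or syslog-ng over TLS, gives both reliable delivery and a verified sender. And the script only attributes sessions, not network addresses, so pair it with DHCP or DNS records if you need the IP rather than the hostname.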
