LINUX-19 SYSTEM LOGGING (RHEL-7) (PART-2)
RHEL7 SYSTEM LOGGING-P1
RHEL7 SYSTEM LOGGING-P2
RHEL7 SYSTEM LOGGING-P3
RHEL7 SYSTEM LOGGING-P4
RHEL7 SYSTEM LOGGING-P5
RHEL7 SYSTEM LOGGING-P6
Enable/Create custom log
**log all Bash commands by all users on a server**
[root@rhel7-server ~]# cp /etc/bashrc /etc/bashrc.org
[root@rhel7-server ~]# vim /etc/bashrc
Add the following line at the end:
export PROMPT_COMMAND='RETRN_VAL=$?;logger -p local6.debug "$(whoami) [$$]: $(history 1 | sed "s/^[ ]*[0-9]\+[ ]*//" ) [$RETRN_VAL]"'
[root@rhel7-server ~]# . /etc/bashrc
Create a file for command logging, using facility “local6”:
[root@rhel7-server ~]# vim /etc/rsyslog.d/bash.conf
Add the following line:
local6.* /var/log/commands.log
[root@rhel7-server ~]# systemctl restart rsyslog
[root@rhel7-server ~]# su - raman
Last login: Sun Jan 15 10:23:19 IST 2017 from 192.168.234.1 on pts/1
[raman@rhel7-server ~]$ ls -ltr
total 16
-rw-------. 1 raman raman 0 Jan 2 11:28 testfile1
drwx------. 2 raman raman 6 Jan 2 11:28 testdir1
-rw-rw-r--. 1 raman raman 0 Jan 2 11:34 testfile2
-rw-rw-r--. 1 raman raman 0 Jan 2 11:50 test1
-rw-------. 1 raman raman 0 Jan 2 11:50 test2
[raman@rhel7-server ~]$ hostname
rhel7-server
[raman@rhel7-server ~]$ fdisk
[raman@rhel7-server ~]$ exit
Check whether the logging is working:
[root@rhel7-server ~]# cat /var/log/commands.log
Jan 15 10:35:05 rhel7-server root: root [14283]: systemctl restart rsyslog [0]
Jan 15 10:35:22 rhel7-server root: raman [17079]: exit [0]
Jan 15 10:35:25 rhel7-server root: raman [17079]: ls -ltr [0]
Jan 15 10:35:29 rhel7-server root: raman [17079]: hostname [0]
Jan 15 10:35:32 rhel7-server root: raman [17079]: fdisk [1]
Jan 15 10:35:34 rhel7-server root: root [14283]: su - raman [1]
Jan 15 10:36:09 rhel7-server root: root [14283]: su - raman [1]
Jan 15 10:36:09 rhel7-server root: root [14283]: su - raman [1]
Courtesy:
http://askubuntu.com/questions/93566/how-to-log-all-bash-commands-by-all-users-on-a-server
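As an added example (not part of the original post), the script below reads lines in the commands.log format shown above and flags, per user, every command that exited non-zero or whose first word is on an assumed watch-list; the sample lines are constructed from the post's output.

```shell
#!/bin/sh
# Added example, not from the original post: parse the commands.log format
# written by the PROMPT_COMMAND/logger setup and report suspicious entries.
# The sample lines below are constructed to match the post's output format.
SAMPLE_LOG=$(cat <<'EOF'
Jan 15 10:35:05 rhel7-server root: root [14283]: systemctl restart rsyslog [0]
Jan 15 10:35:22 rhel7-server root: raman [17079]: exit [0]
Jan 15 10:35:25 rhel7-server root: raman [17079]: ls -ltr [0]
Jan 15 10:35:29 rhel7-server root: raman [17079]: hostname [0]
Jan 15 10:35:32 rhel7-server root: raman [17079]: fdisk [1]
Jan 15 10:35:34 rhel7-server root: root [14283]: su - raman [1]
EOF
)

# Assumed watch-list: commands whose use is worth a closer look (ERE, whole word).
WATCH_RE='^(fdisk|su|useradd|visudo)$'

# Print "user pid command [rc=N]" for lines where rc != 0 or the command's
# first word matches the watch-list. Field layout of each log line:
#   $1-$3 timestamp, $4 host, $5 syslog tag, $6 user, $7 [pid]:, $8..$(NF-1) command, $NF [rc]
report_commands() {
    awk -v watch="$WATCH_RE" '
    {
        user = $6
        pid  = $7;  gsub(/[^0-9]/, "", pid)
        rc   = $NF; gsub(/[^0-9]/, "", rc)
        cmd  = ""
        for (i = 8; i < NF; i++) cmd = cmd (i > 8 ? " " : "") $i
        split(cmd, w, " ")
        if (rc != "0" || w[1] ~ watch)
            printf "%s %s %s [rc=%s]\n", user, pid, cmd, rc
    }'
}

# Number of flagged lines in the constructed sample (used for checking).
count_flagged() {
    printf '%s\n' "$SAMPLE_LOG" | report_commands | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LOG" | report_commands
```

Note that each entry is written when the next prompt is drawn, which is why a new shell's first entry above is the last command from the saved history (`exit`); treat this log as an audit convenience that depends on the user's shell sourcing /etc/bashrc, not as a tamper-proof record.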
**log SFTP activity by all users on a server**
Create a file for sftp logging, using Facility “local3”
[root@rhel7-server ~]# vim /etc/rsyslog.d/sftp.conf
Add the following line:
local3.* /var/log/sftp.log
The “sftp” subsystem directive is set in the “sshd_config” file:
[root@rhel7-server ~]# vi /etc/ssh/sshd_config
# override default of no subsystems
Add the following line:
Subsystem sftp /usr/libexec/openssh/sftp-server -l debug -f LOCAL3
Here I set the “priority” to the “debug” level and redirected the output to a file.
[root@rhel7-server ~]# systemctl restart sshd
[root@rhel7-server ~]# systemctl restart rsyslog
[root@rhel7-server ~]# sftp 0
root@0's password:
Connected to 0.
sftp> ls
initial-setup-ks.cfg
sde.diskfile
sftp> bye
[root@rhel7-server ~]# su - user6
Last login: Sat Jan 14 11:14:32 IST 2017 from 192.168.234.1 on pts/3
[user6@rhel7-server ~]$ /usr/bin/sftp 0
The authenticity of host '0 (0.0.0.0)' can't be established.
ECDSA key fingerprint is 49:7c:3f:18:c4:17:84:43:60:53:e2:92:61:82:7f:92.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '0,0.0.0.0' (ECDSA) to the list of known hosts.
user6@0's password:
Connected to 0.
sftp> ls
sftp> bye
[user6@rhel7-server ~]$ exit
[root@rhel7-server ~]# cat /var/log/sftp.log
Jan 15 10:56:29 rhel7-server sftp-server[18135]: session opened for local user root from [127.0.0.1]
Jan 15 10:56:29 rhel7-server sftp-server[18135]: received client version 3
Jan 15 10:56:29 rhel7-server sftp-server[18135]: realpath "."
Jan 15 10:56:29 rhel7-server sftp-server[18135]: debug1: request 32637: sent names count 1
Jan 15 10:56:31 rhel7-server sftp-server[18135]: opendir "/root"
Jan 15 10:56:31 rhel7-server sftp-server[18135]: debug1: request 32638: sent handle handle 0
Jan 15 10:56:31 rhel7-server sftp-server[18135]: debug1: request 32639: readdir "/root" (handle 0)
Jan 15 10:56:31 rhel7-server sftp-server[18135]: debug1: request 32639: sent names count 29
Jan 15 10:56:31 rhel7-server sftp-server[18135]: debug1: request 32640: readdir "/root" (handle 0)
Jan 15 10:56:31 rhel7-server sftp-server[18135]: sent status End of file
Jan 15 10:56:31 rhel7-server sftp-server[18135]: closedir "/root"
Jan 15 10:56:31 rhel7-server sftp-server[18135]: sent status Success
Jan 15 10:56:34 rhel7-server sftp-server[18135]: debug1: read eof
Jan 15 10:56:34 rhel7-server sftp-server[18135]: session closed for local user root from [127.0.0.1]
Jan 15 10:57:43 rhel7-server sftp-server[18267]: session opened for local user user6 from [127.0.0.1]
Jan 15 10:57:43 rhel7-server sftp-server[18267]: received client version 3
Jan 15 10:57:43 rhel7-server sftp-server[18267]: realpath "."
Jan 15 10:57:43 rhel7-server sftp-server[18267]: debug1: request 32757: sent names count 1
Jan 15 10:57:48 rhel7-server sftp-server[18267]: opendir "/home/user6"
Jan 15 10:57:48 rhel7-server sftp-server[18267]: debug1: request 32758: sent handle handle 0
Jan 15 10:57:48 rhel7-server sftp-server[18267]: debug1: request 32759: readdir "/home/user6" (handle 0)
Jan 15 10:57:48 rhel7-server sftp-server[18267]: debug1: request 32759: sent names count 10
Jan 15 10:57:48 rhel7-server sftp-server[18267]: debug1: request 32760: readdir "/home/user6" (handle 0)
Jan 15 10:57:48 rhel7-server sftp-server[18267]: sent status End of file
Jan 15 10:57:48 rhel7-server sftp-server[18267]: closedir "/home/user6"
Jan 15 10:57:48 rhel7-server sftp-server[18267]: sent status Success
Jan 15 10:57:52 rhel7-server sftp-server[18267]: debug1: read eof
Jan 15 10:57:52 rhel7-server sftp-server[18267]: session closed for local user user6 from [127.0.0.1]
Note the level of the messages.
Let’s change the severity and see the difference.
[root@rhel7-server ~]# vi /etc/ssh/sshd_config
# override default of no subsystems
Replace the earlier Subsystem line with:
Subsystem sftp /usr/libexec/openssh/sftp-server -l info -f LOCAL3
[root@rhel7-server ~]# systemctl restart sshd
[root@rhel7-server ~]# systemctl restart rsyslog
[root@rhel7-server ~]# sftp 0
root@0's password:
Connected to 0.
sftp> bye
[root@rhel7-server ~]# cat /var/log/sftp.log
Jan 15 11:01:24 rhel7-server sftp-server[18581]: session opened for local user root from [127.0.0.1]
Jan 15 11:01:27 rhel7-server sftp-server[18581]: session closed for local user root from [127.0.0.1]
I did nothing during the sftp session, just logged in and logged out.
[root@rhel7-server ~]# sftp 0
root@0's password:
Connected to 0.
sftp> ls
sftp> q
Invalid command.
sftp> help
Display this help text
sftp> put
You must specify at least one path after a put command.
sftp> bye
[root@rhel7-server ~]# cat /var/log/sftp.log
Jan 15 11:01:53 rhel7-server sftp-server[18642]: session opened for local user root from [127.0.0.1]
Jan 15 11:01:55 rhel7-server sftp-server[18642]: opendir "/root"
Jan 15 11:01:55 rhel7-server sftp-server[18642]: closedir "/root"
Jan 15 11:02:09 rhel7-server sftp-server[18642]: session closed for local user root from [127.0.0.1]
Here I did some activity, which is also recorded.
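As an added example (not part of the original post), the script below groups sftp-server lines in the info-level format shown above by session PID and prints one line per session with the user, source address and the directory/file operations performed; the sample lines are constructed from the post's output, and the handling of "open"/"close" lines assumes they use the same verb-then-path layout.

```shell
#!/bin/sh
# Added example, not from the original post: correlate sftp-server log lines
# by PID so each session's operations can be reviewed as a unit.
# Sample lines constructed from the post's /var/log/sftp.log output.
SAMPLE_SFTP_LOG=$(cat <<'EOF'
Jan 15 11:01:53 rhel7-server sftp-server[18642]: session opened for local user root from [127.0.0.1]
Jan 15 11:01:55 rhel7-server sftp-server[18642]: opendir "/root"
Jan 15 11:01:55 rhel7-server sftp-server[18642]: closedir "/root"
Jan 15 11:02:09 rhel7-server sftp-server[18642]: session closed for local user root from [127.0.0.1]
Jan 15 10:57:43 rhel7-server sftp-server[18267]: session opened for local user user6 from [127.0.0.1]
Jan 15 10:57:48 rhel7-server sftp-server[18267]: opendir "/home/user6"
Jan 15 10:57:48 rhel7-server sftp-server[18267]: closedir "/home/user6"
Jan 15 10:57:52 rhel7-server sftp-server[18267]: session closed for local user user6 from [127.0.0.1]
EOF
)

# Emit "pid user source op=path ..." once per session, keyed on sftp-server[PID].
# Field layout: $5 is "sftp-server[PID]:", $6 the verb, $7 the quoted path for
# opendir/closedir (open/close assumed to follow the same layout, not shown in the post).
sftp_sessions() {
    awk '
    {
        pid = $5; sub(/^sftp-server\[/, "", pid); sub(/\]:$/, "", pid)
        if ($6 == "session" && $7 == "opened") { user[pid] = $11; src[pid] = $13 }
        else if ($6 == "session" && $7 == "closed") {
            printf "%s %s %s%s\n", pid, user[pid], src[pid], ops[pid]
            delete ops[pid]
        }
        else if ($6 == "opendir" || $6 == "closedir" || $6 == "open" || $6 == "close")
            ops[pid] = ops[pid] " " $6 "=" $7
    }'
}

# Number of completed sessions in the constructed sample (used for checking).
session_count() {
    printf '%s\n' "$SAMPLE_SFTP_LOG" | sftp_sessions | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_SFTP_LOG" | sftp_sessions
```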
**log all ssh logins by all users on a server**
Create a file for ssh logging, using Facility “local2”
[root@rhel7-server ~]# vim /etc/rsyslog.d/sshd.conf
Add the following line:
local2.* /var/log/ssh.log
[root@rhel7-server ~]# vim /etc/ssh/sshd_config
Change the following entry:
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
to:
# obsoletes QuietMode and FascistLogging
SyslogFacility LOCAL2
[root@rhel7-server ~]# systemctl restart sshd;systemctl restart rsyslog
[root@rhel7-server ~]# cat /var/log/ssh.log
Jan 15 11:19:36 rhel7-server sshd[19498]: Server listening on 0.0.0.0 port 22.
Jan 15 11:19:36 rhel7-server sshd[19498]: Server listening on :: port 22.
Jan 15 11:20:22 rhel7-server sshd[19579]: Accepted password for root from 127.0.0.1 port 39228 ssh2
Jan 15 11:20:27 rhel7-server sshd[19579]: Received disconnect from 127.0.0.1: 11: disconnected by user
Jan 15 11:20:40 rhel7-server sshd[19646]: Accepted password for raman from 192.168.234.1 port 4434 ssh2
Jan 15 11:20:50 rhel7-server sshd[19703]: Accepted password for raman from 127.0.0.1 port 39229 ssh2
Jan 15 11:20:56 rhel7-server sshd[19712]: Received disconnect from 127.0.0.1: 11: disconnected by user