
Syslog not sending Logon Alerts

Hello,

I am required for compliance to track all user account activity. Therefore I need to track logon/logoff and login failures.

I have syslog configured on my filer but it only sends login failure messages out through syslog. Here is my syslog config.

Any help would be appreciated.

Thanks,

# $Id: //depot/prod/DOT/R8.0.3x/ontap/files/syslog.conf.sample#1 $

# Copyright (c) 1994-1996 Network Appliance.

# All rights reserved.

# Sample syslog.conf file.  Copy to /etc/syslog.conf to use.

# You must use TABS for separators between fields.

# Log messages of priority info or higher to the console and to /etc/messages

*.info                                  /dev/console

*.info                                  /etc/messages

# Edit and uncomment following line to log all messages of priority

# err or higher and all kernel messages to a remote host, e.g. adminhost

# *.err;kern.*                          @adminhost

# Edit and uncomment following line to log all messages of priority

# err or higher and all kernel messages to the local7 facility of the

# syslogd on a remote host, e.g. adminhost.

# *.err;kern.*                          local7.*@adminhost

# Edit and uncomment following line to log all messages of priority

# err or higher and all kernel messages to a remote host, e.g. adminhost,

# at priority debug.

# *.err;kern.*                          *.debug@adminhost

# Edit and uncomment following line to log all messages of priority

# err or higher and all kernel messages to the local5 facility of the

# syslogd on a remote host, e.g. adminhost, at priority info.

# *.err;kern.*                          local5.info@adminhost

#Remote logging to LEM

#*.info local7.*@XXX.XXX.XXX.XXX

#AUTH

#*.* @XXX.XXX.XX.XX

#authpriv.* local7.*@XXX.XXX.XX.XX

#kern.info local7.*@XXX.XXX.XX.XX

*.info @XXX.XXX.XX.XX

auth.debug @XXX.XXX.XX.XX

authpriv.debug @XXX.XXX.XX.XX

kern.info @XXX.XXX.XX.XX

Re: Syslog not sending Logon Alerts

I believe you need to have options auditlog.enable on

This will log all login attempts/commands/failures in /etc/log/auditlog.

Then I believe adding local7.* @1.2.3.4 in your syslog config will get it logging to your aggregator.

Syslog not sending Logon Alerts

That logs it into the auditlog but it does not send it out through syslog.

Re: Syslog not sending Logon Alerts

Adding the local7 option in your syslog.conf SHOULD forward the auditlog to the syslog server.

Re: Syslog not sending Logon Alerts

This is the current configuration... and it is not sending...

*.info  local7.*@XXX.XXX.XX.XX

auth.debug local7.*@XXX.XXX.XX.XX

authpriv.debug local7.*@XXX.XXX.XX.XX

kern.info local7.*@XXX.XXX.XX.XX

Re: Syslog not sending Logon Alerts

Try, on the filer:

local7.debug @w.x.y.z

Then you should see it at the remote syslog server.

Re: Syslog not sending Logon Alerts

Thank you, that worked.
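Added example, not part of the original thread or NetApp's code: a small selector matcher showing why the first configuration forwarded nothing for the audit log while `local7.debug` does. It assumes audit log entries are emitted on facility local7 at priority debug (consistent with the accepted answer, not stated in the thread), uses the placeholder collector address 192.0.2.10, and implements only the basic `facility.level` selector syntax.

```python
import re

# Standard syslog severities; a lower number is more severe.
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}

def parse_rules(conf_text):
    """Return (selector, action) pairs from uncommented syslog.conf lines."""
    rules = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        if len(parts) == 2:
            rules.append((parts[0], parts[1]))
    return rules

def selector_matches(selector, facility, level):
    """A facility.level selector takes that level and anything more severe."""
    for item in selector.split(";"):
        facs, _, lvl = item.partition(".")
        if facs != "*" and facility not in facs.split(","):
            continue
        if lvl == "*" or (lvl in SEVERITY and SEVERITY[level] <= SEVERITY[lvl]):
            return True
    return False

def destinations(conf_text, facility, level):
    """Actions that would receive a message logged as facility.level."""
    return [action for sel, action in parse_rules(conf_text)
            if selector_matches(sel, facility, level)]

# Constructed configs mirroring the thread; the address is a placeholder.
ORIGINAL = """\
*.info\t@192.0.2.10
auth.debug\t@192.0.2.10
authpriv.debug\t@192.0.2.10
kern.info\t@192.0.2.10
"""
FIXED = ORIGINAL + "local7.debug\t@192.0.2.10\n"

if __name__ == "__main__":
    # Assumption: audit log entries arrive as local7.debug.
    for name, conf in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, destinations(conf, "local7", "debug"))
```

Under that assumption, `*.info` never selects the audit entries because debug is below info, and the `auth`/`authpriv` lines name the wrong facility.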