ONTAP Discussions

Syslog not sending Logon Alerts

PKROETSCH

Hello,

I am required for compliance to track all user account activity. Therefore I need to track logon/logoff and login failures.

I have syslog configured on my filer but it only sends login failure messages out through syslog. Here is my syslog config.

Any help would be appreciated.

Thanks,

# $Id: //depot/prod/DOT/R8.0.3x/ontap/files/syslog.conf.sample#1 $
# Copyright (c) 1994-1996 Network Appliance.
# All rights reserved.
# Sample syslog.conf file.  Copy to /etc/syslog.conf to use.
# You must use TABS for separators between fields.

# Log messages of priority info or higher to the console and to /etc/messages
*.info                                  /dev/console
*.info                                  /etc/messages

# Edit and uncomment following line to log all messages of priority
# err or higher and all kernel messages to a remote host, e.g. adminhost
# *.err;kern.*                          @adminhost

# Edit and uncomment following line to log all messages of priority
# err or higher and all kernel messages to the local7 facility of the
# syslogd on a remote host, e.g. adminhost.
# *.err;kern.*                          local7.*@adminhost

# Edit and uncomment following line to log all messages of priority
# err or higher and all kernel messages to a remote host, e.g. adminhost,
# at priority debug.
# *.err;kern.*                          *.debug@adminhost

# Edit and uncomment following line to log all messages of priority
# err or higher and all kernel messages to the local5 facility of the
# syslogd on a remote host, e.g. adminhost, at priority info.
# *.err;kern.*                          local5.info@adminhost

#Remote logging to LEM
#*.info local7.*@XXX.XXX.XXX.XXX

#AUTH
#*.* @XXX.XXX.XX.XX
#authpriv.* local7.*@XXX.XXX.XX.XX
#kern.info local7.*@XXX.XXX.XX.XX

*.info @XXX.XXX.XX.XX
auth.debug @XXX.XXX.XX.XX
authpriv.debug @XXX.XXX.XX.XX
kern.info @XXX.XXX.XX.XX


DAVE_WITHERS

I believe you need to have options auditlog.enable on

This will log all login attempts/commands/failures in /etc/log/auditlog.

Then I believe adding local7.* @1.2.3.4 in your syslog config will get it logging to your aggregator.

PKROETSCH

That logs it into the auditlog but it does not send it out through syslog.

DAVE_WITHERS

Adding the local7 option in your syslog.conf SHOULD forward the auditlog to the syslog server.

PKROETSCH

This is the current configuration... and it is not sending...

*.info  local7.*@XXX.XXX.XX.XX

auth.debug local7.*@XXX.XXX.XX.XX

authpriv.debug local7.*@XXX.XXX.XX.XX

kern.info local7.*@XXX.XXX.XX.XX

JIM_SURLOW

Try, on the filer:

local7.debug @w.x.y.z

Then you should see it at the remote syslog server.

PKROETSCH

Thank you, that worked.
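
Why the `local7.debug` line from JIM_SURLOW's reply makes the difference, as an added example that is not part of the thread and not NetApp code: a small matcher for standard BSD-style syslog.conf selectors, run against the forwarding lines from the original post. It assumes the filer follows standard selector semantics and that audit records are emitted as `local7.debug`, which the fix implies but the thread does not state; the `auth.notice` message is a constructed sample.

```python
# Added example: standard BSD syslog.conf selector matching (simplified: no "none", "=", "!").
FACILITY_CODES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
                  "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10,
                  **{f"local{n}": 16 + n for n in range(8)}}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def decode_pri(pri):
    """Split a syslog PRI value (the <NNN> prefix on the wire) into names."""
    by_code = {code: name for name, code in FACILITY_CODES.items()}
    return by_code[pri // 8], SEVERITIES[pri % 8]

def selector_matches(selector, facility, severity):
    """'fac.level' matches that facility at 'level' or more severe; '*' is a wildcard."""
    for part in selector.split(";"):
        fac, _, level = part.partition(".")
        if fac not in ("*", facility):
            continue
        if level == "*" or SEVERITIES.index(severity) <= SEVERITIES.index(level):
            return True
    return False

def forwarding_selectors(config_text, facility, severity):
    """Selectors on uncommented lines with a remote (@host) action that match the message."""
    hits = []
    for line in config_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        if "@" in fields[1] and selector_matches(fields[0], facility, severity):
            hits.append(fields[0])
    return hits

# Active forwarding lines from the original post (host masked as on the page).
ORIGINAL = """\
*.info\t@XXX.XXX.XX.XX
auth.debug\t@XXX.XXX.XX.XX
authpriv.debug\t@XXX.XXX.XX.XX
kern.info\t@XXX.XXX.XX.XX
"""
FIXED = ORIGINAL + "local7.debug\t@XXX.XXX.XX.XX\n"  # selector from JIM_SURLOW's reply

if __name__ == "__main__":
    # Assumption: audit records arrive as local7.debug; auth.notice is a constructed sample.
    for fac, sev in [("local7", "debug"), ("auth", "notice")]:
        print(fac, sev, forwarding_selectors(ORIGINAL, fac, sev),
              forwarding_selectors(FIXED, fac, sev))
```

On the receiving syslog server, a forwarded `local7.debug` message carries PRI 191 (23 × 8 + 7), which `decode_pri` can confirm from a captured packet.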
