
Linux Syslog example?

December 06, 2006, 03:55:04 am #0
bryan523

Linux Syslog example?

Hi all,

I am trying to understand all the logs on a Linux machine, but unfortunately there is no Linux log reference that I can find on the internet. Actually I need to monitor user log-in and log-out logs, but the logs I get from the Linux machine don't seem detailed enough for analysis; maybe I don't understand the format well. Below are the Linux logs I get from my Linux machine:

<38>gdm(pam_unix)[2919]: session opened for user root by root(uid=0)

<37>sshd(pam_unix)[3375]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.111  user=root

<86>sshd[3375]: Failed password for root from ::ffff:192.168.2.111 port 1770 ssh2

<86>sshd[3375]: Accepted password for root from ::ffff:192.168.2.111 port 1770 ssh2


Question:
1) The first log is what I get when I start this machine with user=root. This log is too simple to monitor. Is it possible to configure the login config so that the log comes out as "Login(rootname) success" when I log in to the Linux machine itself?

2) The other logs are what I get when I use SSH to log in to this Linux machine. Is it possible to make the log come out with the hostname and the password? Example: <86>sshd[3375]: Login(Guestname) Failed password=xxxx for root from ::ffff:192.168.2.111 port 1770 ssh2

3) Any link or document related to the Linux standard log format, with examples of logs?

regards,
Bryan
December 07, 2006, 09:59:37 am #1
mutex

Re: Linux Syslog example?

Unfortunately, there isn't a comprehensive repository of log data.  Each OS seems to implement the formatting slightly differently.  I don't think you're getting the messages that you want, though, as the default configuration won't send those details to syslog.  You'll want to edit /etc/pam.d to add "debug" without quotes after the pam_unix.so lines.  Take a look at this page: http://snow.nl/dist/htmlc/ch10s04.html

Actually, I did find a repository of logs.  Take a look at this: http://www.splunk.com/base/eventtype:SP-CAAAC38
December 10, 2006, 10:48:16 pm #2
bryan523

Re: Linux Syslog example?

Hi,

After going through the article, I still have no idea how to do it.

Every time I log in to the Linux machine, I receive this log:
<38>gdm(pam_unix)[2919]: session opened for user root by root(uid=0)

but I want the log to show the word 'login', as in the example below:
<38>gdm(pam_unix)[2919]: Login(guest) successfully session opened for user guest by (uid=0)

I am a newbie on Linux, so please help me with this. Where and how do I configure it?

Thanks.

regards,
Bryan
December 11, 2006, 08:26:23 am #3
mutex

Re: Linux Syslog example?

Ah, I think I understand.  Have you gotten or seen logs that come through the way you want them, or are you just wanting to change the format of what you are currently getting?  If you want to change the format of what you're getting, that's not an easy thing to do.  You will likely need to modify the pam_unix.so source code and recompile.  It's not an incredibly difficult change to make, but if you're not comfortable with C and compiling, it could be difficult.

Alternatively, if you replace syslogd on your linux hosts with syslog_ng or rsyslog, I believe you can restructure the records with some rules in the config files for those tools.
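An added example, not from the thread or from either poster: a small Python normaliser that takes the four records quoted in the first post, splits them into PRI, program, pid and message, decodes facility and severity from the PRI value, and renders the "Login(user) success/failed" form Bryan asked for, without touching pam_unix or replacing the syslog daemon as the last reply suggests. The regular expressions and the event field names are my own assumptions about these message formats.

```python
import re
from typing import Optional
# RFC 3164: PRI = facility * 8 + severity; these tables are indexed by those codes.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp", "cron",
              "authpriv", "ftp", "ntp", "audit", "alert", "clock", "local0", "local1", "local2",
              "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed copies of the four records quoted in the first post (no timestamp or hostname).
SAMPLE_LOGS = """\
<38>gdm(pam_unix)[2919]: session opened for user root by root(uid=0)
<37>sshd(pam_unix)[3375]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.2.111  user=root
<86>sshd[3375]: Failed password for root from ::ffff:192.168.2.111 port 1770 ssh2
<86>sshd[3375]: Accepted password for root from ::ffff:192.168.2.111 port 1770 ssh2
"""

# <PRI>program[pid]: message   (the program field may look like "gdm(pam_unix)")
LINE_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?:\s*(?P<msg>.*)$")
# Message patterns that mark a login event, paired with its outcome. None of these records
# carries the password that was tried: PAM and sshd never write it to syslog.
PATTERNS = [
    (re.compile(r"session opened for user (?P<user>\S+) by"), "success"),
    (re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<rhost>\S+)"), "success"),
    (re.compile(r"Failed \w+ for (?:invalid user )?(?P<user>\S+) from (?P<rhost>\S+)"), "failed"),
    (re.compile(r"authentication failure;.*rhost=(?P<rhost>\S*).*user=(?P<user>\S+)"), "failed"),
]

def parse_line(line: str) -> Optional[dict]:
    m = LINE_RE.match(line.strip())
    if not m or int(m["pri"]) > 191:        # not a syslog record, or facility out of range
        return None
    pri = int(m["pri"])
    for pat, outcome in PATTERNS:
        mm = pat.search(m["msg"])
        if mm:
            # sshd reports IPv4 peers in IPv4-mapped IPv6 form (::ffff:a.b.c.d); keep plain IPv4
            rhost = (mm.groupdict().get("rhost") or "").removeprefix("::ffff:") or None
            return {"facility": FACILITIES[pri // 8], "severity": SEVERITIES[pri % 8],
                    "program": m["prog"], "pid": int(m["pid"]) if m["pid"] else None,
                    "outcome": outcome, "user": mm["user"], "rhost": rhost}
    return None                             # parsed fine, but not a login-related record

def render(ev: dict) -> str:
    # The "Login(user) success/failed" form asked for in the thread, built from the parsed fields.
    where = f" from {ev['rhost']}" if ev["rhost"] else ""
    return f"{ev['facility']}.{ev['severity']} Login({ev['user']}) {ev['outcome']} via {ev['program']}{where}"

def normalise(text: str) -> list:
    return [ev for ev in map(parse_line, text.splitlines()) if ev]
```

Run `normalise(SAMPLE_LOGS)` and pass each event to `render()`; the same functions work on a live feed from a remote syslog listener, since the records arrive in exactly this `<PRI>` form.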