A while back, Alek asked if there was a way to forward auditlog events to a syslog. Since that time, we (Alek and I) have come up with a solution that is available on the NOW website as a Knowledgebase solution titled "How do I forward audit log messages to a syslog log host?" (solution ID ntapcs5526).
For those that don't have NOW access, I am posting it here as well. Alek has had this in production for a while now (about a month), and as far as I know it is working out OK (although it required some new filtering, as the auditlog messages are much more verbose than the syslog messages - multiple lines and so forth).
To set this up, you must modify the syslog.conf file on the loghost and the /etc/syslog.conf file on the filer or NetCache appliance that is the source of the messages. (For more information about the filer's syslog.conf file, see the respective Data ONTAP man page).
Here are detailed steps:
1) On the log host, modify syslog.conf as follows:
Add a line: local7.*[one_or_more_tabs][path_to_log_file]
Basically, the auditlog messages will arrive as facility local7.
2) Make sure that any selectors of the form *.<level> get changed to *.<level>;local7.none. Otherwise those selectors will receive all of the audit log messages as well.
3) After completing your changes to syslog.conf on the log host, force the syslog daemon to reload its configuration file (on many systems this will involve sending a HUP signal to a process called syslogd). Refer to your log host's OS manuals for details on how this is done for your particular OS.
4) Modify the filer's /etc/syslog.conf file as follows:
Add a line: cmdsaudit.auditlog[one_or_more_tabs]@[loghost_ip_or_name]
The filer will automatically detect the change to syslog.conf and load it. This may take a couple of minutes though. You will know the change took place because a syslog message will appear that looks like:
Wed Feb 20 21:58:52 GMT [syslogd:info]: syslogd: restarted
It is worth noting that audit log messages are much more verbose than syslog messages. A typical syslog entry is a single line. A typical audit log entry looks like:
date [method of access] :START:command incoming hostname
date [method of access] :IN:command "input" command being sent to filer
date [method of access] :OUT: output from command (may be multiple lines)
date [method of access] :END:command
Hope you find this useful, and thanks to Alek for helping out with this!
Jay Perry
jay.perry@netapp.com
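An added example, not part of Jay's post or of the NOW knowledgebase solution, covering the two places where the procedure above tends to go wrong on the log host side: step 2 (every *.<level> selector needs ;local7.none appended, or that file also collects every audit message) and the multi-line audit record layout shown above, which needs to be reassembled into one record per command before any filtering is useful. The syslog.conf sample, the audit lines and the exact shape of the date and [method of access] fields are constructed for this example from the template in the post; a real filer's lines may differ in detail, so the regular expression is the part to adjust.

```python
import re

# Constructed sample of a loghost syslog.conf before step 2 has been applied.
# Only the first line is at risk: *.info would also receive every local7 message.
SAMPLE_LOGHOST_CONF = """\
*.info\t\t/var/log/messages
auth.*\t\t/var/log/auth.log
local7.*\t\t/var/log/filer-audit.log
"""

# selector<whitespace>action; comments and blank lines are skipped.
SELECTOR_RE = re.compile(r"^(?P<sel>[^\s#][^\s]*)\s+(?P<action>\S.*)$")


def fix_loghost_selectors(conf_text):
    """Return (fixed_text, changed_selectors) for a loghost syslog.conf.

    Implements step 2: any selector containing a *.<level> term gets
    ';local7.none' appended unless it already carries it, so audit-log
    messages only land where local7.* is explicitly routed.
    """
    fixed, changed = [], []
    for line in conf_text.splitlines():
        m = SELECTOR_RE.match(line)
        if not m:
            fixed.append(line)
            continue
        sel = m.group("sel")
        terms = sel.split(";")
        if any(t.startswith("*.") for t in terms) and "local7.none" not in terms:
            new_sel = sel + ";local7.none"
            changed.append(new_sel)
            line = line.replace(sel, new_sel, 1)
        fixed.append(line)
    return "\n".join(fixed) + "\n", changed


# Assumed line shape, built from the post's template:
#   <date> [<method of access>] :<START|IN|OUT|END>:<rest>
AUDIT_RE = re.compile(
    r"^(?P<date>\w{3} \w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d \w+) "
    r"\[(?P<method>[^\]]+)\] :(?P<phase>START|IN|OUT|END):(?P<rest>.*)$"
)

# Constructed audit lines: one complete command, one whose :END: has not arrived.
SAMPLE_AUDIT_LINES = [
    "Wed Feb 20 21:58:52 GMT [rsh] :START:vol status admin-host",
    'Wed Feb 20 21:58:52 GMT [rsh] :IN:vol status "vol status"',
    "Wed Feb 20 21:58:52 GMT [rsh] :OUT: Volume State Status Options",
    "                                vol0 online raid4 root",
    "Wed Feb 20 21:58:52 GMT [rsh] :END:vol status",
    "Wed Feb 20 21:59:10 GMT [rsh] :START:version admin-host",
]


def parse_audit_records(lines):
    """Reassemble audit-log lines into one record per command.

    A record runs from :START: to :END:. :IN: carries the command as the
    filer received it; :OUT: carries the output, whose continuation lines
    carry no marker and are appended to the open record. A record with no
    :END: (truncated, or still in progress) is returned with complete=False.
    """
    records, current = [], None
    for line in lines:
        m = AUDIT_RE.match(line)
        if not m:
            if current is not None:
                current["output"].append(line)  # continuation of multi-line output
            continue
        phase, rest = m.group("phase"), m.group("rest").strip()
        if phase == "START":
            if current is not None:
                records.append(current)  # START before END: flush as incomplete
            # The template puts the incoming hostname after the command; kept verbatim.
            current = {"date": m.group("date"), "method": m.group("method"),
                       "command": rest, "input": None, "output": [], "complete": False}
        elif current is None:
            continue  # marker with no open record, e.g. a stray END after a restart
        elif phase == "IN":
            current["input"] = rest
        elif phase == "OUT":
            if rest:
                current["output"].append(rest)
        elif phase == "END":
            current["complete"] = True
            records.append(current)
            current = None
    if current is not None:
        records.append(current)
    return records


if __name__ == "__main__":
    fixed, changed = fix_loghost_selectors(SAMPLE_LOGHOST_CONF)
    print("selectors amended:", changed)
    for rec in parse_audit_records(SAMPLE_AUDIT_LINES):
        print(rec["date"], rec["method"], rec["command"],
              "complete" if rec["complete"] else "INCOMPLETE", len(rec["output"]), "output lines")
```

The selector fix is idempotent, so it can be run again after a later edit of syslog.conf without doubling up ;local7.none. The record parser deliberately keeps incomplete records rather than dropping them: a :START: with no :END: is exactly the case (a session cut off, or a filer restart mid-command) that a filter built on single lines would silently lose.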
-----Original Message-----
From: Alek O. Komarnitsky (N-CSC) [mailto:alek@ast.lmco.com]
Sent: Wednesday, February 20, 2002 8:08 AM
To: toasters@mathworks.com
Subject: Toasters - How can one forward auditlog events to syslog
I've searched the archives for the answer to this question and searched with Google, but have not found it ... yet! ;-)
We use syslog quite a bit to log stuff remotely, but there are certain events (such as root rsh activity) that are logged into auditlog that do NOT show up in syslog - we are logging *.info.
Is there a way to get those events also sent to syslog so that we can use what is defined in /etc/syslog.conf to forward those events to our loghosts?
Thanx, alek