A SYSCALL happens whenever a user executes a command that requests that the Linux kernel provide a service. There are several SYSCALL like mount, umount, kill, open etc. These SYSCALLs can be monitored with the auditd system. Let’s take “kill” SYSCALL as an example. The user wants to capture who has killed a certain process […]
Archives for June 2018
Slow SSH login due to unreachable rsyslog server
The problem We faced this weired issue last week, where the SSH to the servers was too slow. SSH to the Linux servers was taking long time around 30 seconds to 1 minute. SSH got stuck at the below prompt and no option to enter password for 30 seconds and password prompt was displayed but […]
/etc/rsyslog.conf – Setup a Filter to Discard or Redirect Messages
The post outlines steps to create a Property-Based Filter to Discard( suppress ) a particular message or redirect program messages to a particular log file. The syntax The systax to write a Property-Based Filter is as shown below: :[Available Properties], [compare-operations], [customized expression] [path/log file] From the man page of rsyslog.conf The Discard Action (~) […]
How to monitor the Mounting/Umounting of Mount Points Using Auditd on CentOS/RHEL 6,7
So the ask here is that how do we determine which user or system process is umounting or mounting a particular mount point. The mounting and umounting of a mount point can be monitored with the help of auditd. auditd is a userspace component to the Linux auditing system. This means that system users will […]
How to enable SFTP Logging without chroot in CentOS/RHEL
Secure File Transfer Protocol (SFTP) is a great tool for performing secure file transfers. This is a short note to explain how to enable sftp logging without chroot. 1. To enable logging of sftp-server in /var/log/messages, add command-line arguments to the Subsystem sftp line in /etc/ssh/sshd_config # vi /etc/ssh/sshd_config Subsystem sftp /usr/libexec/openssh/sftp-server -l VERBOSE Restart […]
How to Change Default Permission of /var/log/messages in CentOS/RHEL
By default, /var/log/messages* are created with read-write permissions for ‘root’ user only. There might be a requirement to make the log files world readable for eg to allow an application to read and process the data in it. Changing the permissions on such files using ‘chmod’ might be a temporary solution as they will be […]
Rsyslog : How to Send log files to remote server in CentOS/RHEL 6,7
Need of a Centralized Rsyslog Server Every *NIX system has some sort of logging facility that will produce text logs that can be written into an arbitrary location on a storage device (normally, defaulting to a local disk partition). Now, this is essential but can also produce issues like: You need to have adequate storage […]
How to send Audit Logs to Remote Rsyslog Server in CentOS/RHEL 6,7
This short note explains steps to direct audit logs to remote rsyslog server on a CentOS/RHEL 6,7 Server. Server Side Configuration Perform these steps to set up the syslog server: 1. Uncomment the following lines in the ‘MODULES‘ section of /etc/rsyslog.conf: # vi /etc/rsyslog.conf $ModLoad imtcp $InputTCPServerRun 514 If you are using UDP then uncomment […]
How to monitor /etc/shadow and /etc/passwd file for changes with Auditd?
System auditing is a very important task that should be a part of every server. It allows us to audit minute details related to what exactly is happening within the system. Most system administrators might be aware of basic auditing functionalities such as looking into /var/log/secure file for login attempts, but when it comes to […]
How to Configure rsyslog to Filter/discard Specific IP Address in CentOS/RHEL 6,7
The post explains how to configure rsyslog to filter messages with a specific IP address and drop those messages. By default, syslog doesn’t consist of any advance filtering like rsyslog. Follow below steps to configure rsyslog to filter messages with specific IP address. 1. Install rsyslog if it is not already present on the system. […]