security log linux

  • fabiomc
    Member
    • Nov 2009
    • 53

    #1

    security log linux

    hi

    i have zabbix 1.8.3
    i want to monitor the security log for ubuntu server

    how can i do it? is it possible?

    i have done it for all windows servers with security log items.

    thanks
    Fabio
  • James Wells
    Senior Member
    • Jun 2005
    • 664

    #2
    Greetings,
    Originally posted by fabiomc
    i want to monitor the security log for ubuntu server
    Not sure what security log you are referring to. By default, Ubuntu does not use a security log. There is an auth.log, syslog, messages, boot.log, user.log, etc...

    Once you figure out what logfile you want to monitor, you would use the log or, preferably, the logrt items to parse the log file. Going that route gives you the ability to monitor the entire file or specific event types within the log.
    Unofficial Zabbix Developer


    • fabiomc
      Member
      • Nov 2009
      • 53

      #3
      sorry but where can i find the template for linux that can monitor AUTH.log

      i would like to monitor auth.log

      thanks
      Fabio


      • James Wells
        Senior Member
        • Jun 2005
        • 664

        #4
        Originally posted by fabiomc
        i would like to monitor auth.log
        I haven't seen a template for that, but I would suspect that you really aren't looking for one. Instead what you need is to define what you are trying to monitor from the auth.log. Just grabbing the log data is trivial by using;
        Code:
        logrt["/var/log/auth.log"]
        I would actually recommend reading through chapter 10 of the online manual to get a feel for what logfile monitoring entails.
        Unofficial Zabbix Developer


        • fabiomc
          Member
          • Nov 2009
          • 53

          #5
          i have created this item:
          log[/var/log/auth.log]
          because i want to collect all data from auth.log from 2 linux servers

          but the zabbix server (it's 1 linux server) doesn't collect any data

          so i have checked the zabbix-agent.log of the 2 linux servers and i have seen these error messages:

          cannot open [/var/log/auth.log] [permission denied]
          active check [log[/var/log/auth.log]] is not supported.disabled

          what can i do ? thanks
          Last edited by fabiomc; 30-09-2010, 09:26.


          • Pierreb
            Junior Member
            • Nov 2009
            • 9

            #6
            It is probably root that is the owner of the auth.log.
            So you have to make it so zabbix user can read the log.


            • fabiomc
              Member
              • Nov 2009
              • 53

              #7
              these are the permissions on auth.log

              -rwx --x ---1 root adm


              sorry but on this server there is no user "zabbix", it's a squid linux server

              how can i give the permission to user "zabbix"?


              • fabiomc
                Member
                • Nov 2009
                • 53

                #8
                can somebody help me please?


                • DSon
                  Member
                  • Sep 2009
                  • 44

                  #9
                  One way to fix it...

                  Fabio,

                  I think that Zabbix won't run under the root account, so you need to give whatever the account Zabbix_Server is running as the correct permissions.

                  For example, to give a user called "fabiomc" permissions to read system level logfiles (such as the one you want to monitor), you can add that user to the "adm" group. To do this, type:

                  sudo adduser fabiomc adm

                  NOTE: by doing the above, you are giving the "fabiomc" user virtually the same access permissions as the root user! Having said that, unless you are prepared to create new user groups and change access permissions on files/folders, this is probably the only way you can monitor system log files.

                  Hope this helps,
                  Danny.


                  • fabiomc
                    Member
                    • Nov 2009
                    • 53

                    #10
                    sorry,

                    i will do it from zabbix server (sudo adduser zabbix adm)

                    then, in your opinion, can the zabbix server read auth.log from another linux server that doesn't have user "zabbix"?

                    thanks


                    • DSon
                      Member
                      • Sep 2009
                      • 44

                      #11
                      Cross server authentication

                      Fabio,

                      Good question!

                      I've never tried accessing a log file on a different Linux server to the one running Zabbix, however if it's the same as Windows authentication it will require a second "zabbix" user creating. If you "adduser zabbix" on the 2nd Linux server, and then use the command in my previous message to add the new user to the "adm" group, it may work.

                      Let me know how you get on.
                      Danny.


                      • fabiomc
                        Member
                        • Nov 2009
                        • 53

                        #12
                        the user zabbix is not in ACTIVE DIRECTORY but is a local user of the zabbix server

                        sorry, this is first issue problem about read log from second linux server?

                        the second server has the zabbix agent and in its log there is this error message:
                        "cannot open [/var/log/auth.log] [permission denied]
                        active check [log[/var/log/auth.log]] is not supported.disabled "


                        • DSon
                          Member
                          • Sep 2009
                          • 44

                          #13
                          Fabio,

                          No problem, the 2nd linux server (containing the auth.log file) needs to have:

                          a) a user called "zabbix" (or whatever the zabbix user is called that runs the zabbix_server process on the 1st linux server)
                          b) zabbix user in group "adm"

                          This will (hopefully) allow the Zabbix Server on the 1st linux server to read the contents of the auth.log file on the 2nd linux server.

                          Hope this helps,
                          Danny.


                          • richlv
                            Senior Member
                            Zabbix Certified Trainer
                            Zabbix Certified Specialist
                            Zabbix Certified Professional
                            • Oct 2005
                            • 3112

                            #14
                            hmm... i have a suspicious feeling that i've seen this question recently

                            but the question is way too non-specific. what's "security log" ? if you define that just to mark a checkbox somewhere of a completed objective, it's quite useless. instead, you should be asking "what do i want to monitor ?"

                            so, on linux... first come various logfiles that could contain security related information. depending on your logging configuration, that might be already mentioned auth, syslog, messages files - but it could also be more, including maillog, apache log and who knows what other services you are running.

                            next could be various integrity checks - has /etc/passwd, shadow or some other file changed ?

                            and the last one that i can think of right now is audit daemon, which would hook into 2.6 kernel and log whatever you have instructed for it to.

                            so in summary, don't try to monitor "security log", because that would only be for posterity purposes. figure out what exactly you want to monitor, then choose the best approach (logfiles, audit daemon etc) for that.
                            Zabbix 3.0 Network Monitoring book


                            • fabiomc
                              Member
                              • Nov 2009
                              • 53

                              #15
                              Originally posted by richlv
                              hmm... i have a suspicious feeling that i've seen this question recently

                              but the question is way too non-specific. what's "security log" ? if you define that just to mark a checkbox somewhere of a completed objective, it's quite useless. instead, you should be asking "what do i want to monitor ?"

                              so, on linux... first come various logfiles that could contain security related information. depending on your logging configuration, that might be already mentioned auth, syslog, messages files - but it could also be more, including maillog, apache log and who knows what other services you are running.

                              next could be various integrity checks - has /etc/passwd, shadow or some other file changed ?

                              and the last one that i can think of right now is audit daemon, which would hook into 2.6 kernel and log whatever you have instructed for it to.

                              so in summary, don't try to monitor "security log", because that would only be for posterity purposes. figure out what exactly you want to monitor, then choose the best approach (logfiles, audit daemon etc) for that.
                              hi

                              i want to monitor auth.log of all linux servers

                              is it possible?

                              i have tried to put the zabbix agent on all linux servers, then i put user "zabbix" in group "adm" but i always get this error in zabbix-agent history "cannot open [/var/log/auth.log] [permission denied]
                              active check [log[/var/log/auth.log]] is not supported.disabled
                              "

                              what can i do?

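The "permission denied" error in posts #5 to #15 comes down to the standard owner/group/other read check. The shell helper below is an added example, not part of any post in the thread. It applies that check to a mode string such as the one posted in #7 and tests whether a process's group list contains a given group ID. The function names, the account name `zabbix` and the sample group lists are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): explain why an account can or cannot
# read a log file, using the same inputs `ls -l` and `id` would show.

# read_verdict MODE OWNER GROUP USER "USER'S GROUPS"
# Prints allowed:<class> or denied:<class>; exit status 0 means readable.
# Only one class applies: owner first, then group, then other.
read_verdict() {
    _mode=$(printf '%s' "$1" | tr -d ' ')      # tolerate "-rwx --x ---"
    _owner=$2; _group=$3; _user=$4; _groups=" $5 "
    if [ "$_user" = root ]; then echo "allowed:root"; return 0; fi
    if [ "$_user" = "$_owner" ]; then
        _class=owner; _pos=2
    else
        case $_groups in
            *" $_group "*) _class=group; _pos=5 ;;
            *)             _class=other; _pos=8 ;;
        esac
    fi
    _bit=$(printf '%s' "$_mode" | cut -c"$_pos")
    if [ "$_bit" = r ]; then echo "allowed:$_class"; return 0; fi
    echo "denied:$_class"; return 1
}

# gid_in_status GID "STATUS TEXT": is GID on the Groups: line of
# /proc/<pid>/status? A process started before `adduser zabbix adm`
# keeps its old group list until it is restarted.
gid_in_status() {
    printf '%s\n' "$2" | awk -v g="$1" \
        '/^Groups:/ { for (i = 2; i <= NF; i++) if ($i == g) ok = 1 }
         END { exit ok ? 0 : 1 }'
}

# check_live FILE USER: the same verdict for a real file and account.
# Assumes GNU stat; ignores ACLs and directory permissions on the path.
check_live() {
    _st=$(stat -c '%A %U %G' "$1") || return 2
    _gr=$(id -nG "$2") || return 2
    # shellcheck disable=SC2086  # split "mode owner group" into three words
    read_verdict $_st "$2" "$_gr"
}

# Constructed cases. The first mode is the one posted in #7: the group
# class has execute but no read bit, so adm membership does not help.
read_verdict "-rwx --x ---" root adm zabbix "zabbix adm" || true
read_verdict "-rw-r-----"   root adm zabbix "zabbix adm" || true
read_verdict "-rw-r-----"   root adm zabbix "zabbix"     || true
```

On the monitored host, `check_live /var/log/auth.log zabbix` gives the verdict for the real file, and `gid_in_status` can be fed the contents of the agent's `/proc/<pid>/status` to see whether the running process has picked up a new group.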