sudo command logging (rsyslog)
1. Check that the packages are installed
rpm -qa|egrep "sudo|rsyslog"
2. Edit sudoers
echo "Defaults logfile=/var/log/sudo.log">>/etc/sudoers
tail -1 /etc/sudoers
visudo -c
3. Edit rsyslog and restart the service
[root@lnmp ~]# tail -1 /etc/rsyslog.conf
local2.debug /var/log/sudo.log
/etc/init.d/rsyslog restart
4. Verify
[root@lnmp ~]# tail -f /var/log/sudo.log
Jul 24 01:08:50 : lanny : TTY=pts/1 ; PWD=/home/lanny ; USER=root ;
COMMAND=/bin/su -
[lanny@lnmp ~]$ sudo echo "kaifa01 ALL=(ALL) NOPASSWD:ALL">>/etc/sudoers
-bash: /etc/sudoers: Permission denied
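The record shown in step 4 is the format sudo writes itself once "Defaults logfile=" is set. The shell snippet below is an added example, not part of the original notes: it re-joins records that sudo wrapped onto a second line, splits each record into invoking user, target user and command, and counts how many records opened a root shell via su, which is the event the notes captured and the one most worth alerting on. The sample records (only the first mirrors the one above) and the assumption that a continuation line begins with whitespace are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original notes: parse the records that sudo
# writes when "Defaults logfile=/var/log/sudo.log" is set and report which
# user ran which command as which target user. The sample below is
# constructed; only the first record mirrors the one shown in the notes.
# Assumption: continuation lines of a wrapped record start with whitespace
# (sudo wraps long logfile lines and indents the continuation).

SAMPLE_SUDO_LOG='Jul 24 01:08:50 : lanny : TTY=pts/1 ; PWD=/home/lanny ; USER=root ;
    COMMAND=/bin/su -
Jul 24 01:09:12 : lanny : TTY=pts/1 ; PWD=/home/lanny ; USER=root ; COMMAND=/bin/cat /etc/shadow
Jul 24 01:10:03 : kaifa01 : TTY=pts/2 ; PWD=/home/kaifa01 ; USER=root ; COMMAND=/sbin/service nginx restart'

# Re-join wrapped records: a line that starts with whitespace belongs to the
# record on the line before it.
unwrap_sudo_log() {
    printf '%s\n' "$1" | awk '
        /^[ \t]/ { sub(/^[ \t]+/, ""); rec = rec " " $0; next }
        { if (rec != "") print rec; rec = $0 }
        END { if (rec != "") print rec }'
}

# Emit one "invoking_user target_user command" line per record.
# Fields are separated by " ; "; the first field carries the timestamp and
# the invoking user, separated by " : ".
parse_sudo_log() {
    unwrap_sudo_log "$1" | awk -F' ; ' '
    {
        split($1, head, " : ")
        user = head[2]; target = ""; cmd = ""
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^USER=/)    target = substr($i, 6)
            if ($i ~ /^COMMAND=/) cmd = substr($i, 9)
        }
        printf "%s %s %s\n", user, target, cmd
    }'
}

# Count records where sudo was used to start a root shell via su (any path
# ending in /su), the pattern captured in the notes above.
count_root_su() {
    parse_sudo_log "$1" | awk '$2 == "root" && $3 ~ /(^|\/)su$/ { n++ } END { print n + 0 }'
}

parse_sudo_log "$SAMPLE_SUDO_LOG"
echo "root shells via su: $(count_root_su "$SAMPLE_SUDO_LOG")"
```

Run it against the real file with parse_sudo_log "$(cat /var/log/sudo.log)"; the same functions work on the rsyslog-written copy because the record body is identical, only the syslog header in front of it differs.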
5. How it works
sudoers ------> local2.debug (syslog facility) ------> rsyslog writes to the file
6. Options for centralized log collection
6.1 inotify + rsync
6.2 rsyslog built-in (remote forwarding)