/var/log/messages ANALYSIS

[eferre]

---

Ok, I found the solution, my error was exactly in the definition of category, the following /etc/named.conf allow me to log my queries in the terminal, in the /var/log/named.log and /var/log/messages (through rsyslogd) at the same time.

Code:

logging {
        channel default_syslog {
	    syslog daemon;                     
	    severity info;
	};

	channel bindlog {
		file "/var/log/named.log" versions 3 size 20m;
		print-time yes;
		print-category yes;
		print-severity yes;
	};

	channel debug {
		stderr;
		print-time yes;
		print-category yes;
		print-severity yes;
	};
	category queries { debug; bindlog; default_syslog;};
};

Thank you Irithori! I was lost without your help!

[Irithori]

Glad you figured it out.
I was a bit busy myself, so I couldnt post.

have fun

[eferre]

I'd like to know if there is a way to log the calling of a command/application through rsyslogd (therefore within 'messages'), as we did before with DNS queries with bind.

For example if I write in the shell:

$ ping 192.168.100.198

or

$ ls -l

I'd like to see in messages a log as
"user eferre: calling ping 192.168.100.198"
or something similar....

For my goals it's the same if this log can be generated by rsyslogd directly or by another application, passing the log to rsyslogd (like bind)

[Irithori]

There is the history command.

And I think I saw a "logging shell" on freshmeat once.
Will search as time allows.
Question here would be: what would stop the user to change to another, non logging shell

[eferre]

I'd like to be dependent on the shell the least possible. It means that it's better if I succeed in logging the process creation and not the calling. In other words I'd like to know which user starts a given process.

If I insert
ping 192.168.100.198
in a bash script, I would like to see that ping was called anyway...

[eferre]

I found out some useful informations:

psacct can do what I was looking for, through command
$ lastcomm
I can monitor each process starting related to the user/group which performed the action.

Now the problem is: I'd like that as soon as a new process starts, a log is directly sent to /var/log/messages... maybe I can do that with a script, using "logger" in it... I'll check it out... meanwhile simpler solutions are well accepted!

Thank you!

[eferre]

Ok, this is my script and it works fine (monitoring nslookup processes only)

Code:

#! /bin/bash

if [ ! -e ./lastcomm_old.txt ]; then
	touch ./lastcomm_old.txt
fi

while true; do
	lastcomm nslookup > ./lastcomm_new.txt
	old=$( wc -l ./lastcomm_old.txt )
	new=$( wc -l ./lastcomm_new.txt )
	n_old=${old%% *}
	n_new=${new%% *}
	let dif=n_new-n_old
	if [ $dif -gt 0 ]; then
		while [ ! $dif -eq 0 ]; do
			command=$( grep -n nslookup lastcomm_new.txt | grep -E ^$dif)
			temp=${command#*:nslookup }
			temp=$( echo $temp )
			user=${temp%%[s,?]*}
			user=$( echo $user )
			logger "nslookup command executed by $user"
			let dif=dif-1			
		done
	fi
	mv -f ./lastcomm_new.txt ./lastcomm_old.txt
	sleep 2s	
done

As you can see it is active because I need to run "lastcomm nslookup" periodically to verify the presence of new nslookups... This is a little raw, but I think I don't have the knowledge to do better...