  1. #21
     Just Joined! | Join Date: Apr 2011 | Posts: 38

    Ok, I found the solution, my error was exactly in the definition of the category. The following /etc/named.conf allows me to log my queries in the terminal, in /var/log/named.log and in /var/log/messages (through rsyslogd) at the same time.

    Code:
    logging {
        // syslog, facility "daemon", info and above (reaches /var/log/messages via rsyslogd)
        channel default_syslog {
            syslog daemon;
            severity info;
        };

        // dedicated log file, rotated: three generations of 20 MB
        channel bindlog {
            file "/var/log/named.log" versions 3 size 20m;
            print-time yes;
            print-category yes;
            print-severity yes;
        };

        // terminal output while named runs in the foreground
        channel debug {
            stderr;
            print-time yes;
            print-category yes;
            print-severity yes;
        };

        // send the query log to all three channels at once
        category queries { debug; bindlog; default_syslog; };
    };
    Thank you Irithori! I was lost without your help!
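As an added example (not part of the thread, and not BIND's own tooling), here is a small shell helper for reading what the "bindlog" channel above writes. With print-time, print-category and print-severity all set to "yes", BIND 9 query records have the layout used in the constructed sample lines below; the addresses, names and timestamps are placeholders, and a non-query record is included to show that it is skipped.

```shell
# Added example, not from the thread: constructed sample of /var/log/named.log
# as written by the "bindlog" channel (print-time, print-category, print-severity).
# Addresses, names and timestamps are placeholders.
SAMPLE_NAMED_LOG='11-Apr-2011 15:23:01.123 queries: info: client 192.168.100.198#53721: query: www.example.com IN A + (192.168.100.10)
11-Apr-2011 15:23:02.456 queries: info: client 192.168.100.198#53722: query: mail.example.com IN MX + (192.168.100.10)
11-Apr-2011 15:23:03.789 queries: info: client 192.168.100.201#40001: query: example.org IN AAAA + (192.168.100.10)
11-Apr-2011 15:23:04.000 general: error: some unrelated message'

# Read log lines on stdin; print "client qname qtype" for every query record,
# skipping records of other categories.
summarize_queries() {
    awk '$3 == "queries:" && $7 == "query:" {
        client = $6
        sub(/#.*/, "", client)      # drop the source port and trailing colon
        print client, $8, $10
    }'
}

# Read log lines on stdin; print "count client" for each client, busiest first.
queries_per_client() {
    summarize_queries | awk '{ n[$1]++ } END { for (c in n) print n[c], c }' | sort -rn
}

# On the real file: summarize_queries < /var/log/named.log
printf '%s\n' "$SAMPLE_NAMED_LOG" | queries_per_client
```

Because the client address is recorded per query, this per-client count is the first thing to look at when the query volume in named.log or /var/log/messages jumps unexpectedly.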

  2. #22
     Irithori (Trusted Penguin) | Join Date: May 2009 | Location: Munich | Posts: 3,221
    Glad you figured it out.
    I was a bit busy myself, so I couldn't post.

    have fun
    You must always face the curtain with a bow.

  3. #23
     Just Joined! | Join Date: Apr 2011 | Posts: 38
    I'd like to know if there is a way to log the calling of a command/application through rsyslogd (therefore within 'messages'), as we did before with DNS queries with bind.

    For example if I write in the shell:

    $ ping 192.168.100.198

    or

    $ ls -l

    I'd like to see in messages a log as
    "user eferre: calling ping 192.168.100.198"
    or something similar....

    For my goals it's the same if this log can be generated by rsyslogd directly or by another application, passing the log to rsyslogd (like bind)

  4. #24
     Irithori (Trusted Penguin) | Join Date: May 2009 | Location: Munich | Posts: 3,221
    There is the history command.

    And I think I saw a "logging shell" on freshmeat once.
    Will search as time allows.
    The question here would be: what would stop the user from changing to another, non-logging shell?
    You must always face the curtain with a bow.

  5. #25
     Just Joined! | Join Date: Apr 2011 | Posts: 38
    I'd like to depend on the shell as little as possible. That means it's better if I manage to log the process creation rather than the invocation. In other words, I'd like to know which user starts a given process.

    If I insert
    ping 192.168.100.198
    in a bash script, I would like to see that ping was called anyway...

  6. #26
     Just Joined! | Join Date: Apr 2011 | Posts: 38
    I found out some useful information:

    psacct can do what I was looking for: through the command
    $ lastcomm
    I can monitor each process start, together with the user/group that performed the action.

    Now the problem is: I'd like a log line to be sent directly to /var/log/messages as soon as a new process starts... maybe I can do that with a script, using "logger" in it... I'll check it out... meanwhile, simpler solutions are welcome!

    Thank you!

  7. #27
     Just Joined! | Join Date: Apr 2011 | Posts: 38
    Ok, this is my script and it works fine (monitoring nslookup processes only)

    Code:
    #!/bin/bash
    # Poll the process-accounting records (psacct) every 2 s and send one
    # syslog message per new nslookup execution via logger.

    old=./lastcomm_old.txt
    new=./lastcomm_new.txt

    [ -e "$old" ] || touch "$old"

    while true; do
        lastcomm nslookup > "$new"
        n_old=$(wc -l < "$old")
        n_new=$(wc -l < "$new")
        dif=$(( n_new - n_old ))
        # lastcomm prints the newest records first, so the first $dif lines
        # are the new ones; tac reverses them so they are logged in order
        if [ "$dif" -gt 0 ]; then
            head -n "$dif" "$new" | tac | awk '$1 == "nslookup" {
                # an optional flags column (S, F, C, D, X) precedes the user name
                user = ($2 ~ /^[SFCDX]+$/) ? $3 : $2
                print user
            }' | while read -r user; do
                logger "nslookup command executed by $user"
            done
        fi
        mv -f "$new" "$old"
        sleep 2
    done
    As you can see it is active because I need to run "lastcomm nslookup" periodically to verify the presence of new nslookups... This is a little raw, but I think I don't have the knowledge to do better...
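As an added example (not part of the thread), the delta-and-parse step of the polling approach from posts #25 to #27 is written below as shell functions that can be exercised without psacct installed, and generalised to every command lastcomm reports rather than nslookup only. The two snapshots are constructed in the GNU acct lastcomm layout (newest record first; an optional flags column, for instance S for "run by the superuser", sits between the command and the user name); user names and timestamps are placeholders.

```shell
# Added example, not from the thread: two constructed lastcomm snapshots in the
# GNU acct layout (newest first, optional flags column before the user name).
OLD_SNAPSHOT='nslookup               eferre   pts/0      0.00 secs Mon Apr 11 10:00
ping            S      root     pts/1      0.00 secs Mon Apr 11 09:58'

NEW_SNAPSHOT='ls                     eferre   pts/0      0.00 secs Mon Apr 11 10:03
nslookup        S      root     pts/1      0.00 secs Mon Apr 11 10:02
nslookup               eferre   pts/0      0.00 secs Mon Apr 11 10:00
ping            S      root     pts/1      0.00 secs Mon Apr 11 09:58'

# Read lastcomm lines on stdin; print "user command", skipping the flags
# column (any combination of S, F, C, D, X) when it is present.
parse_records() {
    awk 'NF >= 2 {
        user = ($2 ~ /^[SFCDX]+$/) ? $3 : $2
        print user, $1
    }'
}

# new_records OLD NEW: print the records NEW has in addition to OLD, oldest
# first, as "user command" lines. Prints nothing when nothing new appeared or
# when the accounting file shrank (e.g. after rotation).
new_records() {
    old_n=$(printf '%s\n' "$1" | wc -l | tr -d ' ')
    new_n=$(printf '%s\n' "$2" | wc -l | tr -d ' ')
    dif=$(( new_n - old_n ))
    [ "$dif" -gt 0 ] || return 0
    # the first $dif lines are the new ones; the sed expression is a portable "tac"
    printf '%s\n' "$2" | head -n "$dif" | parse_records | sed '1!G;h;$!d'
}

# format_messages OLD NEW: one syslog-ready line per new record, in the same
# wording the script above hands to logger (printed here instead of logged).
format_messages() {
    new_records "$1" "$2" | while read -r user cmd; do
        printf '%s command executed by %s\n' "$cmd" "$user"
    done
}

format_messages "$OLD_SNAPSHOT" "$NEW_SNAPSHOT"
```

In a real loop the two strings would come from successive `lastcomm` runs and the formatted lines would go to `logger`; the line-count delta is the same weak point as in the script above, since a rotated or truncated accounting file makes the new snapshot shorter and the records run in the meantime are never reported.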
