Pacific Simplicity - remote logging
http://www.pacificsimplicity.ca/category/blog-tags/remote-logging
Remote Logging Using Syslog And Logging Shell Commands Remotely
http://www.pacificsimplicity.ca/blog/remote-logging-using-syslog-and-logging-shell-commands-remotely
<div class="field field-name-body field-type-text-with-summary field-label-hidden view-mode-rss view-mode-rss"><div class="field-items"><div class="field-item even" property="content:encoded"><p>While looking for a simple way to record what users type in a shell and ship it off the box, I came across a pretty good combination: the audit package (audispd and its plugins, plus psacct for process accounting) and a rebuilt bash that writes its command history to syslog, with rsyslog forwarding everything to a remote host.</p>
<p>One of the problems I ran into was that many keyloggers cannot capture commands typed over an SSH session, because there is no local keyboard to hook. This approach logs at the shell and at the audit layer instead, so SSH sessions are covered too (on Fedora at least, which is where it was tested). Because the records leave the machine as they are generated, someone who gets root later cannot simply delete them the way they could with a local ~/.bash_history.</p>
<p>Edit /etc/rsyslog.conf and uncomment (or add) the forwarding line, pointing it at the remote log server:</p>
<p><span class="geshifilter"><code class="cpp geshifilter-cpp">vi /etc/rsyslog.conf</code></span></p>
<div class="geshifilter">
<div class="geshifilter-cpp" style="font-family: monospace;">*.* @192.168.18.1:514</div>
</div>
<p><b>Note: 192.168.18.1 is the remote server.</b> A single <code>@</code> forwards over UDP, which is unauthenticated, unencrypted and silently drops messages under load; <code>@@</code> forwards over TCP. Whichever you pick, the collector has to be listening on that port (for rsyslog, the imudp or imtcp module) and the firewall between the two hosts has to allow it, otherwise every message is lost with no error on the sending side.</p>
<p>Install the audispd plugins and process accounting, enable both services at boot and start them. Make sure auditd itself is running as well (<code>service auditd status</code>), since audispd and its plugins are started by it:</p>
<div class="geshifilter">
<div class="geshifilter-cpp" style="font-family: monospace;">yum install -y audispd-plugins psacct<br />
chkconfig psacct on<br />
chkconfig rsyslog on<br />
service rsyslog start<br />
service psacct start</div>
</div>
<p>Edit the audisp-remote configuration so it points at the same server:</p>
<div class="geshifilter">
<div class="geshifilter-cpp" style="font-family: monospace;">vi /etc/audisp/audisp-remote.conf
<p>remote_server = 192.168.18.1<br />
port = 514<br />
##local_port =<br />
transport = udp</p></div>
</div>
<p>Bear in mind that the audisp-remote plugin speaks the audit protocol to a remote auditd, not to a syslog collector, and it only does anything if its plugin file (/etc/audisp/plugins.d/au-remote.conf) is set to <code>active = yes</code>, which it is not by default. What actually carries the audit events to the log server in this setup is the next step, the builtin syslog plugin: it hands each audit record to the local syslog daemon, and the rsyslog forwarding rule above ships it along with everything else.</p>
<p>Save the file and edit the syslog plugin configuration so that audit events are handed to the local syslog daemon:</p>
<div class="geshifilter">
<div class="geshifilter-cpp" style="font-family: monospace;">vi /etc/audisp/plugins.d/syslog.conf
<p># This file controls the configuration of the<br />
# syslog plugin. It simply takes events and writes<br />
# them to syslog.</p>
<p>active = yes<br />
direction = out<br />
path = builtin_syslog<br />
type = builtin<br />
args = LOG_INFO<br />
format = string</p></div>
</div>
<p>Save the file. Plugin changes are only picked up when audispd restarts, which happens when auditd is restarted (<code>service auditd restart</code>); then restart rsyslog:</p>
<p><span class="geshifilter"><code class="cpp geshifilter-cpp">service rsyslog restart</code></span></p>
<p>On to altering the bash shell, but first determine which version the system is already using:</p>
<div class="geshifilter">
<div class="geshifilter-cpp" style="font-family: monospace;"># bash --version<br />
GNU bash, version 4.1.2(1)-release (i386-redhat-linux-gnu)<br />
Copyright (C) 2009 Free Software Foundation, Inc.<br />
License GPLv3+: GNU GPL version 3 or later &lt;<a href="http://gnu.org/licenses/gpl.html">http://gnu.org/licenses/gpl.html</a>&gt;<br />
This is free software; you are free to change and redistribute it.<br />
There is NO WARRANTY, to the extent permitted by law.</div>
</div>
<p>The system has 4.1.2, but the GNU project's current release is 4.2, so I am going to build that instead. Since the result is going to replace the system shell, verify the tarball's detached signature (the .sig file next to it on ftp.gnu.org) against the GNU keyring before building it:</p>
<div class="geshifilter">
<div class="geshifilter-cpp" style="font-family: monospace;">wget <a href="http://ftp.gnu.org/gnu/bash/bash-4.2.tar.gz">http://ftp.gnu.org/gnu/bash/bash-4.2.tar.gz</a><br />
tar -xzvf bash-4.2.tar.gz<br />
cd bash-4.2</div>
</div>
<p>Edit config-top.h and enable syslog history by uncommenting the SYSLOG_HISTORY define, so the block reads:</p>
<div class="geshifilter">
<div class="geshifilter-cpp" style="font-family: monospace;">vi config-top.h
<p>#define SYSLOG_HISTORY<br />
#if defined (SYSLOG_HISTORY)<br />
# define SYSLOG_FACILITY LOG_USER<br />
# define SYSLOG_LEVEL LOG_INFO<br />
#endif</p></div>
</div>
<p>With this defined, bash calls syslog(3) for every line it adds to the history list, at facility user and level info, as <code>HISTORY: PID=&lt;pid&gt; UID=&lt;uid&gt; &lt;command line&gt;</code>. Only lines that enter the interactive history are logged: scripts, <code>bash -c</code>, <code>ssh host command</code> and any other shell (sh, zsh, python and so on) never touch it, and a user can turn it off in their own session with <code>set +o history</code>. That is the reason for pairing it with psacct and the audit subsystem, which record process execution regardless of which program started it.</p>
<p>On to the build. By default <code>make install</code> puts the new binary in /usr/local/bin; the system shell at /bin/bash is swapped by hand in the next step:</p>
<div class="geshifilter">
<div class="geshifilter-cpp" style="font-family: monospace;">./configure<br />
make<br />
make install</div>
</div>
<p>Replace the system bash with the new build, keeping the original around until you have checked the new shell starts and logs:</p>
<div class="geshifilter">
<div class="geshifilter-cpp" style="font-family: monospace;">mv bash bash2<br />
mv bash2 /bin<br />
cd /bin<br />
mv bash bashorig<br />
mv bash2 bash<br />
bash</div>
</div>
<p>Optional, once you are happy with the new shell: <code>rm -f /bin/bashorig</code>. Leaving the original binary in /bin hands anyone a trivial way to get an unlogged shell by running <code>bashorig</code> instead, so either delete it or keep the backup somewhere it cannot be executed. Be aware that <code>rpm -V bash</code> will now report /bin/bash as modified, and the next <code>yum update</code> that touches the bash package will overwrite it with an unpatched binary and silently stop the logging; exclude bash from updates or rebuild the distribution's own bash package with the same config-top.h change.</p>
<p><span class="geshifilter"><code class="cpp geshifilter-cpp">service rsyslog restart</code></span></p>
<p>Now open a new SSH session and run a few commands; on the remote server syslog should show a <code>HISTORY: PID=... UID=...</code> line for each one, with the audit records (USER_LOGIN, SYSCALL and the rest, tagged audispd) arriving alongside. Note that psacct keeps its accounting file locally in /var/account (read it with <code>lastcomm</code>) and is not forwarded by this setup; it is a local record of every process executed, whichever shell or program started it.</p>
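<p>The records the collector ends up with come from two sources: the <code>HISTORY: PID=&lt;pid&gt; UID=&lt;uid&gt; &lt;command&gt;</code> lines from the rebuilt bash and the <code>audispd: ... type=... msg=audit(...)</code> records from the audit syslog plugin configured above. The following Python script is an added example (not code from the original post) that parses both kinds of line out of a forwarded syslog file and flags commands that try to switch the history logging off, which is the obvious move for anyone who knows the logging exists. The sample log is constructed: the host name, user, addresses, PIDs and the exact field layout of the audit record are assumptions, and the evasion patterns are a starting list, not a complete one.</p>

```python
"""Parse syslog lines forwarded from a SYSLOG_HISTORY bash and from the
audispd syslog plugin, and flag commands that try to defeat the logging.

Added example, not part of the original post. The sample log below is
constructed: host, user, addresses, PIDs and field layout are assumed.
"""
import re
from dataclasses import dataclass

# Constructed sample of what the collector receives with rsyslog's default
# RFC 3164 template. Lines 1-4 come from the rebuilt bash, line 5 from the
# audit syslog plugin, line 6 is ordinary sshd noise that must be ignored.
SAMPLE_LOG = """\
Oct 31 03:35:46 web01 bash: HISTORY: PID=2831 UID=500 ls -la /etc
Oct 31 03:35:52 web01 bash: HISTORY: PID=2831 UID=500 sudo -i
Oct 31 03:35:58 web01 bash: HISTORY: PID=2902 UID=0 unset HISTFILE
Oct 31 03:36:03 web01 bash: HISTORY: PID=2902 UID=0 set +o history
Oct 31 03:36:10 web01 audispd: node=web01 type=USER_LOGIN msg=audit(1320032170.123:456): pid=2810 uid=0 auid=500 ses=3 msg='op=login id=500 exe="/usr/sbin/sshd" hostname=192.168.18.50 addr=192.168.18.50 terminal=/dev/pts/1 res=success'
Oct 31 03:36:15 web01 sshd[2810]: Accepted publickey for bob from 192.168.18.50 port 51022 ssh2
"""

SYSLOG_PREFIX = r'^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '

# bashhist.c logs each history line via syslog(3) as "HISTORY: PID=%d UID=%d %s";
# the syslog tag is argv[0], so "bash", or "-bash" for a login shell.
HISTORY_RE = re.compile(SYSLOG_PREFIX +
                        r'-?bash(?:\[\d+\])?: HISTORY: PID=(?P<pid>\d+) UID=(?P<uid>\d+) (?P<cmd>.*)$')

# audispd's builtin syslog plugin passes the raw audit record through (layout assumed).
AUDIT_RE = re.compile(SYSLOG_PREFIX +
                      r'audispd: (?:node=(?P<node>\S+) )?type=(?P<kind>\w+) '
                      r'msg=audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$')

# key=value pairs; values may be single- or double-quoted and contain spaces.
KV_RE = re.compile(r"""(\w+)=('[^']*'|"[^"]*"|\S+)""")


@dataclass
class HistoryEvent:
    ts: str
    host: str
    pid: int
    uid: int
    cmd: str


@dataclass
class AuditEvent:
    ts: str
    host: str
    kind: str
    serial: int
    fields: dict


def _parse_kv(body):
    """Turn an audit key=value body into a dict, flattening the nested msg='...' list."""
    out = {}
    for key, raw in KV_RE.findall(body):
        val = raw[1:-1] if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "'\"" else raw
        if key == 'msg' and '=' in val:
            out.update(_parse_kv(val))
        else:
            out[key] = val
    return out


def parse_log(text):
    """Return HistoryEvent/AuditEvent objects for the lines we understand; skip the rest."""
    events = []
    for line in text.splitlines():
        m = HISTORY_RE.match(line)
        if m:
            events.append(HistoryEvent(m['ts'], m['host'], int(m['pid']), int(m['uid']), m['cmd']))
            continue
        m = AUDIT_RE.match(line)
        if m:
            fields = _parse_kv(m['body'])
            if m['node']:
                fields['node'] = m['node']
            events.append(AuditEvent(m['ts'], m['host'], m['kind'], int(m['serial']), fields))
    return events


# Commands that disable or bypass SYSLOG_HISTORY. Starting list, not exhaustive.
EVASION = [
    (re.compile(r'\bset \+o history\b'), 'history recording disabled'),
    (re.compile(r'\b(?:unset|export)\s+HIST(?:FILE|SIZE|FILESIZE)\b|\bHISTFILE=|\bHISTSIZE=0'),
     'history variables tampered'),
    (re.compile(r'\bhistory\s+-c\b'), 'history cleared'),
    (re.compile(r'(?:^|[;&|]\s*)(?:exec\s+)?(?:sh|dash|zsh|ksh|csh|tcsh|busybox)\b'),
     'switch to an unpatched shell'),
]


def find_evasion(events):
    """Return (event, reason) for each bash command matching an evasion pattern."""
    hits = []
    for ev in events:
        if isinstance(ev, HistoryEvent):
            for pat, why in EVASION:
                if pat.search(ev.cmd):
                    hits.append((ev, why))
                    break
    return hits


if __name__ == '__main__':
    for ev, why in find_evasion(parse_log(SAMPLE_LOG)):
        print(f"{ev.ts} {ev.host} uid={ev.uid} pid={ev.pid}: {why}: {ev.cmd}")
```

<p>bash records the UID of the shell that ran the command, so after <code>sudo -i</code> everything shows up as UID=0; the audit USER_LOGIN record's auid and session id are what tie those root commands back to the account that actually logged in, which is why the audit plugin is worth keeping alongside the bash patch rather than relying on the HISTORY lines alone.</p>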
</div></div></div><section class="field field-name-taxonomy-vocabulary-2 field-type-taxonomy-term-reference field-label-above view-mode-rss view-mode-rss"><h2 class="field-label">Blog tags: </h2><ul class="field-items"><li class="field-item even"><a href="/category/blog-tags/bash" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">Bash</a></li><li class="field-item odd"><a href="/category/blog-tags/rsyslog" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">rsyslog</a></li><li class="field-item even"><a href="/category/blog-tags/syslog" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">syslog</a></li><li class="field-item odd"><a href="/category/blog-tags/remote-logging" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">remote logging</a></li><li class="field-item even"><a href="/category/blog-tags/ssh" typeof="skos:Concept" property="rdfs:label skos:prefLabel" datatype="">ssh</a></li></ul></section>
<p>Posted Mon, 31 Oct 2011 03:35:46 +0000 by admin, http://www.pacificsimplicity.ca/blog/remote-logging-using-syslog-and-logging-shell-commands-remotely</p>