-
Title
How to add the originating hostname to the syslog messages generated by sudo on the Safeguard for Sudo policy server. -
Description
Not applicable -
Cause
Regular /var/log/messages will not log the hostname where the sudo command has been executed. Sample log provided below
Mar 23 17:23:51 <SUDO MASTER HOSTNAME> sudo[4171]: <USERNAME> : TTY=pts/0 ; PWD=/home/<USERNAME> ; USER=root ; TSID=<USERNAME>/root/vastool_20230323_1723_XXXXXX ; COMMAND=/opt/quest/bin/vastool status
-
Resolution
1. Please add the following line in SUDOER file in one of the Safeguard for Sudo server after checking out.
Defaults log_host
2. Now commit the change and sync the policy on the client.
3. Execute a sudo command in the client machine and you will see the machine from where you executed has started appearing in the SUDO master server's message logs (/var/log/messages) as per below:Mar 23 17:26:25 <SUDO MASTER HOSTNAME> sudo[4435]: <USERNAME> : HOST=< EXECUTING HOSTNAME> ; TTY=pts/0 ; PWD=/home/<USERNAME> ; USER=root ; TSID=<USERNAME>/root/vastool_20230323_1726_XXXXXX ; COMMAND=/opt/quest/bin/vastool status
-
Additional Information
You can get the same information from the audit/iolog file located at /var/opt/quest/qpm4u/iolog (example: vastool_20230316_2016_3Psv9B). Open the file or run pmreplay against it all the information may be required should be located there: Log File : vastool_20230316_2016_3Psv9B Date : 2023/03/16 Time : 20:16:03 Client :@ Agent : root@ Command : /opt/quest/bin/vastool status