Auditing (Message Logging)
The Reflection for Secure IT server provides the following auditing services, which are always enabled.
- Login history
- Currently logged in users
- Failed logins
Output locations are platform-dependent. For details refer to the following table.
Platform             | Login history                        | Current login  | Failed login
---------------------|--------------------------------------|----------------|--------------------------------------------------
HP-UX (11.11)        | /var/adm/wtmp                        | /etc/utmp      | /var/adm/btmp
HP-UX (11.23, 11.31) | /var/adm/wtmps                       | /etc/utmpx     | /var/adm/btmps
AIX                  | /var/adm/wtmp, /etc/security/lastlog | /etc/utmp      | /etc/security/failedlogin, /etc/security/lastlog
Solaris              | /var/adm/wtmpx                       | /var/adm/utmpx | /var/adm/loginlog
RHEL                 | /var/log/lastlog, /var/log/wtmp      | /var/run/utmp  | /var/log/btmp
SLES                 | /var/log/wtmp                        | /var/run/utmp  | /var/log/btmp
Notes:
- Some platforms write to more than one file.
- On some Linux systems, /var/log/btmp does not exist. The server records failed logins in this database only when the file is present, so create it (with restrictive permissions) if you want failed-login auditing on such a system.
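The files in the table are binary databases rather than text logs, so checking them from a script means decoding fixed-width records. The following added example (not part of the Reflection for Secure IT documentation or product) parses records in the glibc x86_64 utmp layout used by /var/run/utmp, /var/log/wtmp and /var/log/btmp on RHEL and SLES, lists the users with a live session, and flags source hosts with a burst of failed logins in btmp. The record layout, the window and threshold values, and the sample records (built inline, not captured from a real host) are all assumptions of the example; the HP-UX, AIX and Solaris files in the table use different record layouts and are not handled.

```python
import struct

# Layout of glibc's 'struct utmp' on x86_64 (384 bytes), the record format of
# /var/run/utmp, /var/log/wtmp and /var/log/btmp on RHEL and SLES.
# Assumption: glibc x86_64 with 32-bit ut_tv fields; HP-UX, AIX and Solaris
# utmpx records use different layouts and are not parsed here.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)   # 384

USER_PROCESS = 7   # ut_type of a live login session
DEAD_PROCESS = 8   # ut_type written when the session ends


def _cstr(raw):
    """Decode a NUL-padded fixed-width C string field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_utmp(data):
    """Yield one dict per 384-byte record; a trailing partial record is ignored."""
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        yield {"type": f[0], "pid": f[1], "line": _cstr(f[2]),
               "user": _cstr(f[4]), "host": _cstr(f[5]), "time": f[9]}


def make_record(ut_type, pid, line, user, host, ts):
    """Pack a record in the same layout; used below only to construct sample data."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0, b"")


def logged_in_users(utmp):
    """Users with a live session (the 'currently logged in users' service): only
    USER_PROCESS records count; DEAD_PROCESS records are closed sessions."""
    return {r["user"] for r in parse_utmp(utmp) if r["type"] == USER_PROCESS}


def failed_logins_by_host(btmp, window=300, threshold=5):
    """Every btmp record is a failed login. Return {host: n} for hosts with at
    least `threshold` failures inside any `window`-second span (a crude
    password-guessing indicator built on the 'failed logins' service)."""
    times = {}
    for r in parse_utmp(btmp):
        times.setdefault(r["host"], []).append(r["time"])
    flagged = {}
    for host, ts in times.items():
        ts.sort()
        j, best = 0, 0
        for i, t in enumerate(ts):          # sliding window over sorted timestamps
            while t - ts[j] > window:
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            flagged[host] = best
    return flagged


# Constructed sample records (not captured from a real host); addresses are
# taken from the RFC 5737 documentation ranges.
T0 = 1_700_000_000
SAMPLE_BTMP = b"".join(
    [make_record(USER_PROCESS, 4100 + i, "ssh:notty", "root", "203.0.113.5", T0 + 7 * i)
     for i in range(6)]
    + [make_record(USER_PROCESS, 4200, "ssh:notty", "bob", "198.51.100.7", T0 + 3600)]
)
SAMPLE_UTMP = (
    make_record(USER_PROCESS, 5001, "pts/0", "alice", "192.0.2.10", T0)
    + make_record(DEAD_PROCESS, 5002, "pts/1", "", "", T0 + 10)
)

if __name__ == "__main__":
    print("logged in:", sorted(logged_in_users(SAMPLE_UTMP)))
    print("flagged hosts:", failed_logins_by_host(SAMPLE_BTMP))
    # On a live RHEL/SLES host (needs read access to the file):
    # failed_logins_by_host(open("/var/log/btmp", "rb").read())
```

On a real host the same functions can be pointed at the files from the table; reading btmp normally requires root, and wtmp rotates, so a detector that runs periodically should remember the last offset it processed rather than rescanning from the start.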
Keywords for Configuring Auditing
Where sshd and sftp-server messages end up depends on both the Reflection for Secure IT configuration and the syslogd configuration. For example, the following entry in /etc/syslog.conf sends messages from the local6 facility at priority info and above to /var/adm/rsit_log.
local6.info	/var/adm/rsit_log
Note: The syntax shown above requires a tab (not spaces) between the selector and the destination.
To configure Reflection for Secure IT to send sshd messages to the local6 facility, include the following line in the server configuration file (/etc/ssh2/sshd2_config).
SyslogFacility local6
The table below summarizes keywords used for configuring auditing.
To                                                                  | Use                | Notes
--------------------------------------------------------------------|--------------------|-------
Specify a facility code for sshd messages                           | SyslogFacility     | The default is 'AUTH'. The value of SyslogFacility must correspond to a facility that has a selector in syslog.conf.
Specify a facility code for sftp-server messages                    | SftpSysLogFacility | When no value is configured (the default), sftp-server uses the facility configured for sshd. Use SftpSysLogFacility to send sftp-server messages to a separate facility; this is often useful for auditing because sftp file activity can then be routed to its own log. The value of SftpSysLogFacility must correspond to a facility that has a selector in syslog.conf.
Specify which categories of sftp-server messages are sent to the facility specified by SftpSysLogFacility | SftpLogCategory | The default is 'loginlogout,directorylistings,downloads,modifications,uploads', which logs all categories. You can specify any subset of those options, or 'all' or 'none'.
Specify the level of logging to SyslogFacility and SftpSysLogFacility | LogLevel         | This level applies to both sshd and sftp-server logging. After the configuration file is read, messages are processed according to the rules defined in syslog.conf, so a message is only written if the facility and priority also match a selector there.
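The two "must correspond to a facility specified in syslog.conf" notes above are the usual way this auditing silently fails: sshd is pointed at a facility that syslogd routes nowhere, and no log is ever written. The following added example (not code from the Reflection for Secure IT documentation or product) reads an sshd2_config excerpt and a syslog.conf excerpt, resolves the defaults described in the table (SyslogFacility defaults to AUTH, SftpSysLogFacility to the sshd facility), and reports any facility that has no selector delivering messages at priority info, plus any SftpLogCategory value outside the documented set. The sample file contents are constructed for the example, the parser assumes classic BSD syslog.conf selector syntax, and it is an assumption of the example that messages produced under LogLevel INFO arrive at syslog priority info.

```python
import re

# Constructed sample excerpts of the two files involved (not from a real host).
# Keywords are written as in the table above and matched case-insensitively.
SSHD2_CONFIG = """\
# /etc/ssh2/sshd2_config (excerpt)
SyslogFacility local6
SftpSysLogFacility local7
SftpLogCategory loginlogout,uploads,downloads,deletes
LogLevel INFO
"""

SYSLOG_CONF = """\
# /etc/syslog.conf (excerpt); selector and action are tab-separated
local6.info\t/var/adm/rsit_log
*.emerg\t*
"""

SFTP_CATEGORIES = {"loginlogout", "directorylistings", "downloads",
                   "modifications", "uploads", "all", "none"}
PRIORITIES = {"debug": 0, "info": 1, "notice": 2, "warning": 3, "warn": 3,
              "err": 4, "error": 4, "crit": 5, "alert": 6, "emerg": 7, "panic": 7}


def parse_sshd2_config(text):
    """Return {keyword_lowercased: value}; a later occurrence overrides an earlier one."""
    conf = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].strip().split(None, 1)
        if len(parts) == 2:
            conf[parts[0].lower()] = parts[1].strip()
    return conf


def syslog_selectors(text):
    """Yield (facility, priority) pairs from every selector in a syslog.conf.
    Handles 'fac1,fac2.pri;fac3.pri<whitespace>action'. Assumption: classic BSD
    syslog.conf syntax; rsyslog/syslog-ng extensions are not parsed."""
    for line in text.splitlines():
        fields = re.split(r"\s+", line.split("#", 1)[0].strip(), maxsplit=1)
        if len(fields) != 2:
            continue                      # no action: the selector routes nothing
        for sel in fields[0].split(";"):
            fac_list, dot, pri = sel.rpartition(".")
            if not dot:
                continue
            for fac in fac_list.split(","):
                yield fac.strip().lower(), pri.strip().lower()


def routed(selectors, facility, level="info"):
    """True if some selector delivers `facility` messages of priority `level`.
    'fac.pri' matches pri and above, '=pri' exactly pri, '!pri' and 'none' exclude."""
    want = PRIORITIES[level]
    for fac, pri in selectors:
        if fac not in (facility, "*") or pri == "none" or pri.startswith("!"):
            continue
        exact = pri.startswith("=")
        pri = pri.lstrip("=")
        if pri == "*":
            return True
        if pri in PRIORITIES and (PRIORITIES[pri] == want if exact else PRIORITIES[pri] <= want):
            return True
    return False


def audit_logging_config(sshd_text, syslog_text):
    """Cross-check the keywords from the table against syslog.conf. Returns a list
    of findings; an empty list means every facility in use is routed at info and
    every SftpLogCategory value is one the server documents."""
    conf = parse_sshd2_config(sshd_text)
    sels = list(syslog_selectors(syslog_text))
    sshd_fac = conf.get("syslogfacility", "auth").lower()          # default AUTH
    sftp_fac = conf.get("sftpsyslogfacility", sshd_fac).lower()    # default: same as sshd
    checks = [("SyslogFacility", sshd_fac)]
    if sftp_fac != sshd_fac:
        checks.append(("SftpSysLogFacility", sftp_fac))
    findings = [f"{kw} {fac}: no selector in syslog.conf routes this facility at info"
                for kw, fac in checks if not routed(sels, fac)]
    cats = {c.strip().lower() for c in conf.get("sftplogcategory", "").split(",") if c.strip()}
    unknown = cats - SFTP_CATEGORIES
    if unknown:
        findings.append("SftpLogCategory: unknown categories " + ", ".join(sorted(unknown)))
    return findings


if __name__ == "__main__":
    for finding in audit_logging_config(SSHD2_CONFIG, SYSLOG_CONF):
        print("FINDING:", finding)
```

With the sample input the check reports that local7 is unrouted (the `*.emerg` line matches every facility but only at emerg, so it does not count) and that `deletes` is not a documented category; adding a `local7.info` line to syslog.conf and dropping the bad category clears both findings.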