Perform these steps to set up the syslog server:
1. Uncomment the following lines in the ‘MODULES‘ section of /etc/rsyslog.conf:
# vi /etc/rsyslog.conf $ModLoad imtcp $InputTCPServerRun 514
If you are using UDP then uncomment following lines:
# vi /etc/rsyslog.conf $ModLoad imudp $UDPServerRun 514
2. Configure the rsyslog server to recieve rsyslog events from client. To receive audit logs from client servers, add below lines in the /etc/rsyslog.conf file:
# vi /etc/rsyslog.conf $template HostAudit, "/var/log/rsyslog/%HOSTNAME%/audit_log" local6.* ?HostAudit
3. Restart the rsyslog service.
# service rsyslog restart ### CentOS/RHEL 6 # systemctl restart rsyslog ### CentOS/RHEL 7
Client Side configuration
1. Take the backup of the existing /etc/rsyslog.conf.
# cp /etc/rsyslog.conf /etc/rsyslog.conf.bkp
2. Append the following rules to the /etc/rsyslog.conf file for directing the logs to central rsyslog server. “imfile” module has to be loaded on the rsyslogd, otherwise the configuration for directing the auditd log won’t work.
# vi /etc/rsyslog.conf #audit log $ModLoad imfile $InputFileName /var/log/audit/audit.log $InputFileTag tag_audit_log: $InputFileStateFile audit_log $InputFileSeverity info $InputFileFacility local6 $InputRunFileMonitor *.* @[serverip] ### Add rsyslog server IP here
Make sure you replace @[serverip] with your rsyslog server IP address.
3. Restart the rsyslog service for the changes to take effect.
# service rsyslog restart ### CentOS/RHEL 6 # systemctl restart rsyslog ### CentOS/RHEL 7 -----------------------------------------------
Understanding /etc/group file
/etc/group Defines the default system group entries for system groups that support some system-wide tasks, such as printing, network administration, or electronic mail. Many of these groups have corresponding entries in the /etc/passwd file. Because most of the linux systems use a UPG scheme, a new entry is automatically created in /etc/group when a new user is added. The group name is the same as the username.
Interpreting an /etc/group File Entry
This picture below provides an example of a default /etc/group file entry. Each entry in the /etc/group file contains four fields. A colon separates each field. The following is the format for an entry:
Each entry in the /etc/group file contains four fields: The description and requirement for each field are as follows:
|groupname||Contains the name assigned to the group.|
|group-password (x)||x in this field indicates that shadow passwords are used.|
|GID||Contains the group’s GID number.|
|username-list||List of users that are members of the group|
Each group can have multiple users. Users can also belong to more than one group. The GID stored in the user’s entry in /etc/passwd is the user’s primary group.
Group Account Administration
1. Use the groupadd command to add a group account:
# groupadd [options] group_name
Example: To add a user (tom) to a group (students):
# gpasswd –a tom students
2. Use the groupmod command to modify a group account:
# groupmod [options] group_name
3. Use the gpasswd command to administer group accounts:
# gpasswd [options] group_name
4. Use the groupdel command to delete a group account. The syntax is:
# groupdel group_name
You can remove groups even if there are members in the group. You cannot remove the primary group of any existing user. You must remove the user before removing the group.
5. Use the gpasswd command to administer /etc/group and /etc/gshadow. Every group can have administrators, members, and a password. The syntax is:
# gpasswd [options] group_name
The groups command
The groups command displays the groups that a user belongs to. The following example illustrates that user oracle belongs to two groups, oracle (primary group) and students (secondary group):
# grep oracle /etc/passwd oracle:x:1000:1000:Oracle DBA:/home/oracle/bin/bash
# grep oracle /etc/group oracle:x:1000: students:x:1056:student1,student2,oracle
The groups command (logged on as oracle) verifies these group memberships.
$ whoami oracle $ groups oracle students
The newgrp command
The newgrp command executes a new shell and changes a user’s real group identification. The following example illustrates the group ID before and after running the command. It also illustrates that a new shell is executed.
$ id uid=1000(oracle) gid=1000(oracle) groups=1000(oracle),1066(students)...
Note that the gid equals 1000(oracle).
$ ps PID TTY TIME CMD 20279 pts/0 00:00:00 bash 20411 pts/0 00:00:00 ps
$ newgrp students
$ id uid=1000(oracle) gid=1066(students) groups=1000(oracle),1066(students)...
Note that the gid now equals 1066(students). Also note that a new shell was executed:
$ ps PID TTY TIME CMD 20279 pts/0 00:00:00 bash 20464 pts/0 00:00:00 bash 20486 pts/0 00:00:00 ps