Install sudo and rsyslog
[root@localhost ~]# rpm -qa|egrep "sudo|rsyslog"
sudo-1.8.6p7-16.el7.x86_64
rsyslog-7.4.7-12.el7.x86_64
rsyslog-mmjsonparse-7.4.7-12.el7.x86_64
Configure /etc/sudoers
[root@localhost ~]# echo "Defaults logfile=/var/log/sudo.log">> /etc/sudoers
[root@localhost ~]# tail -1 /etc/sudoers
Defaults logfile=/var/log/sudo.log
Check the syntax:
[root@localhost ~]# visudo -c
/etc/sudoers:
Configure the system log in /etc/rsyslog.conf
[root@localhost ~]# echo "local2.debug /var/log/sudo.log">> /etc/rsyslog.conf
Restart rsyslog
systemctl restart rsyslog.service
Test:
[root@localhost ~]# su - user1
Last login: Thu Mar 30 16:11:46 CST 2017 on pts/0
[user1@localhost ~]$ sudo useradd aa
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for user1:
user1 is not in the sudoers file. This incident will be reported.
[user1@localhost ~]$ logout
You have new mail in /var/spool/mail/root
[root@localhost ~]# ll /var/log/sudo.log
-rw-------. 1 root user1 119 Mar 31 13:44 /var/log/sudo.log
[root@localhost ~]# cat /var/log/sudo.log
Mar 31 13:44:42 : user1 : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/user1 ;
USER=root ; COMMAND=/sbin/useradd aa
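The entry above spans two lines because sudo wraps logfile lines at 80 columns by default, so a line-by-line grep for "NOT in sudoers" misses the COMMAND field. The following shell function is an added example, not part of the original post: it joins wrapped entries and lists each denial. The function name and the second sample entry are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): list denied sudo attempts
# recorded in the file set by "Defaults logfile=...".

# sudo_denied: read sudo logfile text on stdin and print one tab-separated
# line per "user NOT in sudoers" entry:
#   timestamp, invoking user, TTY, target user, command
sudo_denied() {
    awk '
    # Parse the buffered entry and print it if it is a denial.
    function emit(    i, n, f, p, c, ts, rest, user, detail, tty, target) {
        if (entry ~ / : user NOT in sudoers ; / && index(entry, "COMMAND=")) {
            p = index(entry, " : ")
            ts = substr(entry, 1, p - 1)
            rest = substr(entry, p + 3)
            p = index(rest, " : ")
            user = substr(rest, 1, p - 1)
            detail = substr(rest, p + 3)
            # COMMAND= is the last field and may itself contain " ; ".
            c = index(detail, "COMMAND=")
            n = split(substr(detail, 1, c - 1), f, " ; ")
            for (i = 1; i <= n; i++) {
                if (f[i] ~ /^TTY=/)  tty = substr(f[i], 5)
                if (f[i] ~ /^USER=/) target = substr(f[i], 6)
            }
            printf "%s\t%s\t%s\t%s\t%s\n", ts, user, tty, target, substr(detail, c + 8)
        }
        entry = ""
    }
    # A new entry starts with a timestamp (a year follows if log_year is set).
    /^[A-Z][a-z][a-z] [ 0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9]( [0-9][0-9][0-9][0-9])? : / {
        emit(); entry = $0; next
    }
    # Anything else continues the previous entry (a wrapped line).
    entry != "" { sub(/^[ \t]+/, ""); entry = entry " " $0 }
    END { emit() }
    '
}

# Constructed sample: the denied entry from the post plus a made-up allowed one.
SAMPLE='Mar 31 13:44:42 : user1 : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/user1 ;
    USER=root ; COMMAND=/sbin/useradd aa
Mar 31 13:50:01 : admin1 : TTY=pts/1 ; PWD=/root ; USER=root ;
    COMMAND=/bin/ls /var/log'

printf '%s\n' "$SAMPLE" | sudo_denied
# On the host itself: sudo_denied < /var/log/sudo.log
```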
This post is based on the 老男孩 videos.