需要在 Solaris 中配置审计日志,但我遇到了一个问题。有两台 SunOS 服务器之前已配置。当我开始分析日志时,我发现在 Solaris 10 中我可以看到登录/注销的用户的名称,但在 Solaris 11 中看不到。Solaris 10 审计事件示例:
May 13 10:58:46 server audit: [ID 702911 audit.notice] login - ssh ok session 1722469439 by username as username:group from pc1.my.domain
May 13 10:59:10 server audit: [ID 702911 audit.notice] logout ok session 1722469439 by username as username:group from pc1.my.domain
针对同一用户的 Solaris 11 示例:
May 13 10:59:53 server audit: [ID 702911 audit.notice] login - ssh ok in global
May 13 11:00:13 server audit: [ID 702911 audit.notice] logout ok in global
阅读 Solaris 11 审计概念页面并没有给我答案。在两种情况下/etc/security/audit_event文件看起来一样。我只检查出它们包含:
6152:AUE_login:login - local:lo
6153:AUE_logout:logout:lo
有人能给我建议一下还需要检查什么吗?