Tuesday, July 20, 2010

syslog: Logging su Attempts & Failed Logins

From a security perspective, when configuring system logging I like to configure the syslogd daemon to monitor the following.

I like to log each time a user logs into my systems, as well as all attempts to su to another user. To log all su attempts, the file /var/adm/sulog can be created (in recent releases of Solaris, this file is created by default):

 # touch /var/adm/sulog

To log all successful and unsuccessful logins, you will first need to set the variable SYSLOG_FAILED_LOGINS in /etc/default/login to the value 0:

 SYSLOG_FAILED_LOGINS=0

Once the variable is adjusted, you will need to create a log file to store the login attempts:

 # touch /var/adm/loginlog

After the log file is created, the auth priority needs to be added to /etc/syslog.conf:

 auth.debug /var/adm/loginlog

With the loginlog and sulog files in place, it is relatively easy to see who accessed a given system at time X, and who tried to become the super user.
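As an added example (not part of the original post), here is a small POSIX shell script that turns the sulog file into the answer to the second question: who tried to become the super user and how often. It assumes the Solaris sulog record format "SU MM/DD HH:MM +|- tty from-to", where "+" is a successful su and "-" a failed one; the sample records are constructed for the stand-alone run.

```shell
#!/bin/sh
# Added example: summarise failed su attempts from a Solaris-style
# /var/adm/sulog. Assumed record format (one per line):
#   SU MM/DD HH:MM <+|-> <tty> <from-user>-<to-user>
# where "+" marks a successful su and "-" a failed one.

# Constructed sample records for a stand-alone run (not real data).
SAMPLE_SULOG='SU 07/20 08:01 + pts/1 alice-root
SU 07/20 08:15 - pts/2 bob-root
SU 07/20 08:16 - pts/2 bob-root
SU 07/20 08:17 - pts/2 bob-root
SU 07/20 09:30 + console root-nobody
SU 07/20 10:02 - pts/4 carol-root'

# failed_su_counts [FILE]
# Prints "<count> <from-user>" for every user with at least one failed
# su, most failures first. FILE defaults to the live sulog.
failed_su_counts() {
    awk '$1 == "SU" && $4 == "-" {
             pair = $6
             sub(/-[^-]*$/, "", pair)   # strip "-<to-user>", keep origin
             n[pair]++
         }
         END { for (u in n) print n[u], u }' "${1:-/var/adm/sulog}" \
    | sort -rn
}

# flag_repeated_failures THRESHOLD [FILE]
# Prints the users whose failed su count is at least THRESHOLD.
flag_repeated_failures() {
    failed_su_counts "${2:-/var/adm/sulog}" \
    | awk -v t="$1" '$1 >= t { print $2 }'
}

# Demo against the constructed sample when run directly.
demo_on_sample() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_SULOG" > "$tmp"
    echo "Failed su attempts per user:"
    failed_su_counts "$tmp"
    echo "Users at or above 3 failures:"
    flag_repeated_failures 3 "$tmp"
    rm -f "$tmp"
}
demo_on_sample
```

Run it without arguments against the live file (`failed_su_counts` with no FILE reads /var/adm/sulog) from a cron job, and a user who shows up repeatedly under the threshold check is worth a closer look in loginlog for the same time window.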

One thing to note when editing /etc/syslog.conf: the selector (auth.debug) and the action (the file name) must be separated by tabs, not spaces, so the line shown above has to be typed with a tab. Also, after changing the configuration, make sure that you restart syslogd; on Solaris 10 Update 1 or newer you'd use svcadm restart svc:/system/system-log:default.
