Maybe copy the rule you modified to local_rules and use "overwrite=yes" so
you're not actually modifying the syslog_rules file? But remember to keep
the match for "root" user in there and just extend the list to whatever
user(s) you want.

I'm not sure what changes you made to get it to work, but possibly something
along the lines of this(?):

  <group name="local,syslog,sudo,">
    <!-- Copied from syslog_rules.xml and extended; overwrite="yes" replaces
         the stock 5402 without editing the shipped file. Keep the USER=root
         alternative and add one more alternative per target user. -->
    <rule id="5402" level="3" overwrite="yes">
      <if_sid>5400</if_sid>
      <match> ; USER=root ; COMMAND=| ; USER=wheel ; COMMAND=</match>
      <description>Successful sudo to other user executed</description>
    </rule>
  </group>


On Tue, Oct 25, 2011 at 8:08 AM, Kat <[email protected]> wrote:

> Simple(?) question...
>
> Looking for the best way to log all "sudo su - someuser".
> Obviously, it already flags sudo root, but I am looking to track all
> the users who are authorized to sudo to other accounts and when they
> do it. I could modify the syslog_rules - which worked, but since that
> is a bad thing to do, I was wondering if someone has the best
> local_rule format to do this without making changes to syslog_rules.
>
> thanks
> ~K
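As an added worked example (editorial, not code from either poster), the following local_rules.xml fragment does the same job without overwriting rule 5402, and also goes beyond the case discussed above to cover the "sudo su - someuser" form from the original question: sudo runs su as root, so that invocation is logged as "USER=root ; COMMAND=/bin/su - someuser" and is caught by the stock 5402 rather than by a USER=someuser match. The rule ids 100100/100101, the user names oracle and postgres, and the two su paths are assumptions for illustration.

```xml
<!-- Added example for this thread, not code from the list posters.
     Rule ids 100100/100101 and the user names oracle/postgres are
     placeholders; local rule ids must stay in the 100000 to 119999 range. -->
<group name="local,syslog,sudo,">

  <!-- "sudo -u oracle cmd" is logged as "USER=oracle ; COMMAND=cmd":
       list each monitored target user as one alternative of the match,
       exactly as the stock 5402 does for root. -->
  <rule id="100100" level="3">
    <if_sid>5400</if_sid>
    <match> ; USER=oracle ; COMMAND=| ; USER=postgres ; COMMAND=</match>
    <description>Successful sudo to a monitored service account executed</description>
  </rule>

  <!-- "sudo su - oracle" runs su as root, so sudo logs
       "USER=root ; COMMAND=/bin/su - oracle" and rule 5402 fires.
       A child of 5402 singles out the su-to-another-account case; a bare
       "su -" (to root) has no user name after the dash and does not match. -->
  <rule id="100101" level="3">
    <if_sid>5402</if_sid>
    <regex>COMMAND=/bin/su -\s*\w+|COMMAND=/usr/bin/su -\s*\w+</regex>
    <description>sudo used to su into another account</description>
  </rule>

</group>
```

To check it, put the fragment in /var/ossec/rules/local_rules.xml, restart with /var/ossec/bin/ossec-control restart, and feed a constructed line such as "Oct 25 08:08:01 host sudo:    kat : TTY=pts/0 ; PWD=/home/kat ; USER=root ; COMMAND=/bin/su - oracle" to /var/ossec/bin/ossec-logtest on stdin; its output should name rule 100101 rather than 5402, and a "USER=postgres" line should name 100100.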
