Hello,
we would like to add the IP address from which the user is connecting to the audit log generated by ConfD.
The current audit log that ConfD generates has the following pattern: `audit user: <username>/<session_id>`. We would like to change that to also include the IP so that it would look like: `audit user: <username>/<IP>/<session_id>` or `audit user: <username>/<session_id>/<ip>`.
Is there a way to do that via ConfD configuration? We have found `/confdConfig/logs/auditLog/external/enabled`, which enables us to call an external function upon a log event, but it does not seem like we could manipulate logs via it. We also found that you could subscribe to the notification socket and make changes to logs from there, but this seems like it needs to be done in all daemons that do that, and won't work for audit logs generated by ConfD automatically on user interaction.
We also found that it is possible to return accept_info from external authentication (we are using it), and add info that, as it says, will be added to the audit log:
> It is also possible for the program to return additional information on successful authentication, by using "accept_info" instead of "accept":
>
> `"accept_info $groups $uid $gid $supplementary_gids $HOME $info\n"`
>
> Where $info is some arbitrary text. ConfD will then just append this text to the generated audit log message (CONFD_EXT_LOGIN).
We have tested that, and this info text was just added to the audit log of extauth and then not anymore.
We are using ConfD version 7.7.10.
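
The `accept_info` reply quoted above, sketched as an added example that is not part of the original post and not ConfD's own code: it builds the reply line and lets only a parsed, re-serialised address into `$info`, since that text is appended to the audit log verbatim. The request-line layout with extra fields, the `reject` reply keyword, the `ip=` label and `demo_lookup` are assumptions to check against the user guide for your ConfD version.

```python
import ipaddress

# Assumed request layout (extra fields enabled); not taken from the post:
# "[user;password;orig_request;request;headers;body;src-ip;src-port;ctx;proto;]\n"
TAIL = ("orig_request", "request", "headers", "body",
        "src_ip", "src_port", "ctx", "proto")

def parse_request(line):
    line = line.rstrip("\n")
    if not (line.startswith("[") and line.endswith(";]")):
        raise ValueError("malformed request line")
    parts = line[1:-2].split(";")
    if len(parts) < 2 + len(TAIL):
        raise ValueError("missing fields")
    req = dict(zip(TAIL, parts[-len(TAIL):]))
    req["user"] = parts[0]
    # A password may itself contain ';', so take everything in between.
    req["password"] = ";".join(parts[1:-len(TAIL)])
    return req

def audit_info(src_ip):
    """Text for $info: only a parsed, re-serialised address reaches the log."""
    try:
        return "ip=%s" % ipaddress.ip_address(src_ip)
    except ValueError:
        return "ip=unparseable"

def build_reply(line, lookup):
    """lookup(user, password) is a hypothetical credential check returning
    (groups, uid, gid, supplementary_gids, home) or None."""
    try:
        req = parse_request(line)
    except ValueError:
        return "reject malformed request\n"   # reply keyword assumed
    account = lookup(req["user"], req["password"])
    if account is None:
        return "reject permission denied\n"
    groups, uid, gid, sup_gids, home = account
    return "accept_info %s %d %d %s %s %s\n" % (
        groups, uid, gid, sup_gids, home, audit_info(req["src_ip"]))

# Constructed demo account, for illustration only.
def demo_lookup(user, password):
    if (user, password) == ("oper", "s3;cret"):
        return ("oper", 1000, 1000, "100", "/home/oper")
    return None
```
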