Hi,
Not sure if this helps: I installed the vanilla sudo on AIX (from the toolbox)
- it looks like it matches your compile request:
sudo -V | grep log
Configure options: --prefix=/opt/freeware --sbindir=/opt/freeware/sbin --libdir=/opt/freeware/lib --mandir=/opt/freeware/man --libexecdir=/opt/freeware/libexec --with-logging=syslog --with-logfac=auth --with-pam --with-pam-login --with-env-editor --with-ignore-dot --with-aixauth --with-tty-tickets --with-ldap --with-ldap-conf-file=/opt/freeware/etc/openldap/ldap.conf
Syslog facility if syslog is being used for logging: auth
Syslog priority to use when user authenticates successfully: notice
Syslog priority to use when user authenticates unsuccessfully: alert
.....
Added user in /etc/sudoers
...
##
## User privilege specification
##
root ALL=(ALL) ALL
red ALL=NOPASSWD: /usr/sbin/slibclean
....
Config of /etc/syslog.conf
....
# *.debug /var/log/syslog.debug100k.out rotate size 100k files 4
# *.crit /var/log/syslog.dailycrit.out rotate time 1d
auth.debug /var/adm/sudo.log
auth.debug @syslog_host
.....
Logged in as red and ran slibclean
cat /var/adm/sudo.log
Oct 26 02:02:41 aix-72 auth|security:err|error sshd[16253234]: error: Could not load host key: /etc/ssh/ssh_host_ecdsa_key
Oct 26 02:02:41 aix-72 auth|security:err|error sshd[16253234]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
Oct 26 02:02:47 aix-72 auth|security:info sshd[16253234]: Accepted password for red from 118.200.50.172 port 56566 ssh2
Oct 26 02:02:53 aix-72 auth|security:notice sudo: red : TTY=pts/1 ; PWD=/home/red ; USER=root ; COMMAND=/usr/sbin/slibclean
Please let me know if you have further questions.
Keep safe,
------------------------------
--------------------
Antony Steel (Red)
===============
------------------------------
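The post above shows the three pieces a health check has to line up: the `--with-logging` and `--with-logfac` build options reported by `sudo -V`, the runtime syslog facility, and a `syslog.conf` selector that actually covers the priorities sudo logs at (notice on success, alert on failure) and forwards them to a remote host. The script below is an added example, not code from Antony's post or from the sudo project; it parses captured `sudo -V` output and `syslog.conf` text (sample inputs are constructed from the lines quoted in the thread) and reports whether the requirements in the original question are met. Note that a selector such as `auth.crit` would silently drop sudo's notice-level success records, which the second constructed config demonstrates.

```python
"""Check a sudo build and a syslog.conf against the sudo health-check rules from the thread.

Added example; the sample inputs below are constructed from the text quoted in the post.
"""

REQUIRED_LOGGING = {"syslog", "both"}       # acceptable --with-logging values
REQUIRED_FACILITIES = {"auth", "authpriv"}  # acceptable syslog facilities

# syslog severities, most severe first; a selector matches its level and everything more severe
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}


def parse_sudo_version(text):
    """Pull the logging backend and syslog facility out of `sudo -V` output."""
    info = {"logging": None, "facility": None}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Configure options:"):
            for opt in line.split(":", 1)[1].split():
                if opt.startswith("--with-logging="):
                    info["logging"] = opt.split("=", 1)[1]
                elif opt.startswith("--with-logfac="):
                    info["facility"] = opt.split("=", 1)[1]
        elif line.startswith("Syslog facility if syslog is being used for logging:"):
            # runtime value wins over the compile-time default
            info["facility"] = line.rsplit(":", 1)[1].strip()
    return info


def covers(selector_pri, needed_pri):
    """True if a selector priority matches messages logged at `needed_pri`."""
    if selector_pri == "*":
        return True
    selector_pri = ALIASES.get(selector_pri, selector_pri)
    if selector_pri not in LEVELS or needed_pri not in LEVELS:
        return False
    return LEVELS.index(selector_pri) >= LEVELS.index(needed_pri)


def parse_syslog_conf(text):
    """Return (facility, priority, action) triples for every active rule.

    Handles ';'-joined selectors, ','-joined facilities and AIX-style trailing
    'rotate ...' options after the action field.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        selectors, rest = parts
        action = rest.split()[0]              # first token only; ignore 'rotate size ...'
        for sel in selectors.split(";"):
            facs, _, pri = sel.rpartition(".")
            for fac in facs.split(","):
                rules.append((fac, pri, action))
    return rules


def sudo_routes(rules, facility):
    """Actions that will receive sudo's notice (success) and alert (failure) messages."""
    return [action for fac, pri, action in rules
            if fac in ("*", facility) and covers(pri, "notice")]


def check_compliance(sudo_v_text, syslog_conf_text):
    """Evaluate the health-check requirements and where sudo records end up."""
    info = parse_sudo_version(sudo_v_text)
    rules = parse_syslog_conf(syslog_conf_text)
    routes = sudo_routes(rules, info["facility"]) if info["facility"] else []
    return {
        "logging": info["logging"],
        "facility": info["facility"],
        "logging_ok": info["logging"] in REQUIRED_LOGGING,
        "facility_ok": info["facility"] in REQUIRED_FACILITIES,
        "remote_targets": [a.lstrip("@") for a in routes if a.startswith("@")],
        "local_files": [a for a in routes if a.startswith("/")],
    }


# Constructed sample inputs, taken from the lines quoted in the thread.
SUDO_V_SAMPLE = """\
Configure options: --prefix=/opt/freeware --with-logging=syslog --with-logfac=auth --with-pam
Syslog facility if syslog is being used for logging: auth
Syslog priority to use when user authenticates successfully: notice
Syslog priority to use when user authenticates unsuccessfully: alert
"""

SYSLOG_CONF_SAMPLE = """\
# *.debug /var/log/syslog.debug100k.out rotate size 100k files 4
# *.crit /var/log/syslog.dailycrit.out rotate time 1d
auth.debug /var/adm/sudo.log
auth.debug @syslog_host
"""

# Constructed misconfiguration: 'crit' is more severe than 'notice', so successful
# sudo invocations never reach the remote host.
SYSLOG_CONF_TOO_STRICT = "auth.crit @syslog_host\n"

if __name__ == "__main__":
    print(check_compliance(SUDO_V_SAMPLE, SYSLOG_CONF_SAMPLE))
    print(check_compliance(SUDO_V_SAMPLE, SYSLOG_CONF_TOO_STRICT))
```

Run it against real output (`sudo -V` needs root to print the configure options) and your own `/etc/syslog.conf`; an empty `remote_targets` list with a correct build means the forwarding selector, not sudo, is the problem.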
Original Message:
Sent: Fri October 23, 2020 03:42 PM
From: Margaret Buchanan
Subject: Setting/Sending Sudo Syslogs to Remote Server
Hello. Per our sudo healthcheck requirements, we need to send sudo syslogs to a remote qradar server.
Here are the requirements: sudo must be compiled with one of the following options, with-logging=both or with-logging=syslog, and the syslog facility used must be authpriv or auth.
Can anyone help me identify where all these settings would be made and where to add the remote server ip? Thank you.
------------------------------
Margaret Buchanan
------------------------------