audit users logon attempts to su - root

[newcg]

Hi,
Is there a way to audit users who do:
su -
and
1.) log to a file or
2.) send this failed/successful attempts a snmp/syslog server...?
In aix audit the streams.out only list the login part from the original telnet login. If you su to user2, then try su - to root, it still says youre as user1 AND NOT as user2.

event login status time command
S_PASSWD_READ user1 OK Tue Feb 06 18:35:00 2007 su
USER_SU user1 FAIL Tue Feb 06 18:35:02 2007 su

Here, I telnet in as user1 and then su - user2, then su - root. But the login still says user1 from the original telnet session user logging in. It should say user2.
event login status time command
--------------- -------- ----------- ------------------------ ---------
S_PASSWD_READ user1 OK Tue Feb 06 18:35:18 2007 su
USER_SU user1 FAIL Tue Feb 06 18:35:18 2007 su

start:
binmode = off
streammode =on

bin:
trail = /audit/trail
bin1 = /audit/bin1
bin2 = /audit/bin2
binsize = 10240
cmds = /etc/security/audit/bincmds
freespace = 65536

stream:
cmds = /etc/security/audit/streamcmds

classes:
general = USER_SU,PASSWORD_Change,FILE_Unlink,FILE_Link,FILE_Rename,FS_Chdir,FS_Chroot,
PORT_Locked,PORT_Change,FS_Mkdir,FS_Rmdir
system = USER_Change,GROUP_Change,USER_Create,GROUP_Create
default = login
init = USER_Login, USER_Logout, USER_Exit, USER_Logout

users:
root = general
user1 = general,init,system

--can anyone help.
thanks.

 

[newcg]

Basically, I need to know from which user to which user is the person trying to su to ? failed or succeed.

 

[KenCunningham]

/var/adm/sulog?

 

[newcg]

That's good. I can use that.
But is there a way to send this info to a syslog server/SNMP server when someone tried to su to / login to someone..? I need an alert/alarm when a su - root happens.
thanks.

 

[hfaix]

if /var/adm/sulog doesn't work......

Take a look at

http://www.redbooks.ibm.com/redbooks/pdfs/sg246020.pdf.

Search for USER_SU

 

[newcg]

I got it to work with syslog. thanks.