https://community.hpe.com/t5/operating-system-hp-ux/syslog-edition/m-p/4538170#M369010 &gt; i have checked with last -R root, but no root entry was there at that time.if somebody edited the /var/adm/wtmp file then last -R will not show<BR /> <BR />last -R only shows logins and logouts. A root user may login and edit every file in the system. You can see these commands that were executed in the root user $HOME directory in the file .sh_history. If that file is not present, then there are no records of what root did when logged in. The .sh_history file is an absolute requirement (for all users) in a secure system. <BR /> <BR />But giving the root password to anyone is always a security risk. The better choice is to use sudo (download from HP) and set rules for each user's capabilities. Mon, 23 Nov 2009 16:45:25 GMT Bill Hassell 2009-11-23T16:45:25Z https://community.hpe.com/t5/operating-system-hp-ux/syslog-edition/m-p/4538164#M369004 Is it possible to edit syslog.log file while system is running.if it is possible how to identify who is edited?<BR /><BR />Please help me i am in trable. Mon, 23 Nov 2009 07:09:10 GMT https://community.hpe.com/t5/operating-system-hp-ux/syslog-edition/m-p/4538164#M369004 Vijaya Ragavan_1 2009-11-23T07:09:10Z https://community.hpe.com/t5/operating-system-hp-ux/syslog-edition/m-p/4538165#M369005 &gt;&gt;Is it possible to edit syslog.log file while system is running.if it is possible how to identify who is edited?<BR /><BR />Please help me i am in trable.&lt;&lt;&lt;<BR /><BR />yes its possible.<BR /><BR />i will assume person who have "root" access or privilege user can on edit the syslog.log<BR /><BR />if syslog carried proper file permission as shown below<BR /><BR />-rw-r--r-- 1 root root 846035 Nov 23 15:09 /var/adm/syslog/syslog.log<BR /><BR />How to check ?<BR /><BR />if auditing as been enable you check, if not<BR /><BR />last -R root |more -&gt; look for the IP address and the time when was the syslog.log has been edited. may give you clue :)<BR /><BR />Hope This helps,<BR /><BR />Regards,<BR />Johnson<BR /> Mon, 23 Nov 2009 07:23:07 GMT https://community.hpe.com/t5/operating-system-hp-ux/syslog-edition/m-p/4538165#M369005 Johnson Punniyalingam 2009-11-23T07:23:07Z https://community.hpe.com/t5/operating-system-hp-ux/syslog-edition/m-p/4538166#M369006 yeh i think it can be edited while system is running [ i tried it, worked ], and regarding who edited it only root can edit it cause it has 644 permission,<BR /><BR />Now if you want to find which user logged in as root [ if you don give root passwd ] <BR />then you may have to use some other s/w likes powerbroker etc.<BR /><BR />BR,<BR />Kapil+ Mon, 23 Nov 2009 07:26:30 GMT https://community.hpe.com/t5/operating-system-hp-ux/syslog-edition/m-p/4538166#M369006 Kapil Jha 2009-11-23T07:26:30Z https://community.hpe.com/t5/operating-system-hp-ux/syslog-edition/m-p/4538167#M369007 i have checked with last -R root, but no root entry was there at that time.if somebody edited the /var/adm/wtmp file then last -R will not show. Mon, 23 Nov 2009 07:32:32 GMT https://community.hpe.com/t5/operating-system-hp-ux/syslog-edition/m-p/4538167#M369007 Vijaya Ragavan_1 2009-11-23T07:32:32Z https://community.hpe.com/t5/operating-system-hp-ux/syslog-edition/m-p/4538168#M369008 if your user can directly enter root passwd, then its pretty difficult to figure it out.<BR /><BR />For future you can use 'script' command in profile file [ to capture everything a user do ] and then save it somewhere for your referemce.<BR /><BR />FOr the time being I think its not possible who edited.<BR /><BR />BR,<BR />Kapil+ Mon, 23 Nov 2009 07:46:14 GMT https://community.hpe.com/t5/operating-system-hp-ux/syslog-edition/m-p/4538168#M369008 Kapil Jha 2009-11-23T07:46:14Z https://community.hpe.com/t5/operating-system-hp-ux/syslog-edition/m-p/4538169#M369009 Hi,<BR /><BR />The best way who accessed this file use either a script with cronjob OR install HIDS software from HP. The second way is great of course. Go to this link to see first method:<BR /><A href="http://forums13.itrc.hp.com/service/forums/questionanswer.do?threadId=1377980" target="_blank">http://forums13.itrc.hp.com/service/forums/questionanswer.do?threadId=1377980</A><BR /><BR />if prefer the second method:<BR /><A href="https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUX-HIDS" target="_blank">https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUX-HIDS</A><BR /><BR />it is up to you,<BR /> Mon, 23 Nov 2009 08:47:05 GMT https://community.hpe.com/t5/operating-system-hp-ux/syslog-edition/m-p/4538169#M369009 Hakki Aydin Ucar 2009-11-23T08:47:05Z https://community.hpe.com/t5/operating-system-hp-ux/syslog-edition/m-p/4538170#M369010 &gt; i have checked with last -R root, but no root entry was there at that time.if somebody edited the /var/adm/wtmp file then last -R will not show<BR /> <BR />last -R only shows logins and logouts. A root user may login and edit every file in the system. You can see these commands that were executed in the root user $HOME directory in the file .sh_history. If that file is not present, then there are no records of what root did when logged in. The .sh_history file is an absolute requirement (for all users) in a secure system. <BR /> <BR />But giving the root password to anyone is always a security risk. The better choice is to use sudo (download from HP) and set rules for each user's capabilities. Mon, 23 Nov 2009 16:45:25 GMT https://community.hpe.com/t5/operating-system-hp-ux/syslog-edition/m-p/4538170#M369010 Bill Hassell 2009-11-23T16:45:25Z