topic How to get Absolute path from syslog in Operating System - HP-UX

How to get Absolute path from syslog

Carlos Igual — Fri, 19 Nov 2010 10:15:41 GMT

My system is a HP-UX B.11.23 U ia64 bastioned.

I need to obtain log of the access to the files in a directory, (with no convention names in the files contained in), and my problem is that records in the syslog file "/.../audfile_XXXXX", are stored with relative paths, so I can´t identify univocaly if a file is contained in my target path.

I´ve been looking for alternative solutions, (audit_track_paths tuneable, auditing system extensions), but almost all of them are related to HP-UX 11 v3.

Any ideas?.

Thanks in advance.

Re: How to get Absolute path from syslog

James R. Ferguson — Fri, 19 Nov 2010 12:52:19 GMT

HI:

If you know the current working directory of the process that logged the event, then you can form the absolute path from the relative path information in the log.

If you have the ability to modify the software that does the logging you can mitigate your problem too.

Regards!

...JRF...

Re: How to get Absolute path from syslog

Felix2009 — Mon, 22 Nov 2010 08:05:19 GMT

Thanks James.
Guess I didnÂ´t explain well my problem.
I need to get all the "access" to the files contained in the folder, wherever they came from, and whoever generates them.
So I canÂ´t know the relative path of the program than genetrate the logs, canÂ´t even know the program, or even more, the logs can be genetrated by a user from the command line.

IÂ´m still working in find some information on how to get this logs with "absolute paths" in HP-UX versions lower than 11 v3.

Any ideas will be apreiated.

Re: How to get Absolute path from syslog

Dennis Handly — Mon, 22 Nov 2010 09:55:03 GMT

>Guess I didn't explain well my problem.

You're asking for something that requires lots of brute effort. If you can't change what gets logged in syslog, you'll need to scan the whole system to find those files.

Or you need to turn on auditing to log opens and possibly chdir and renames. Then match them up with the syslog times.

Re: How to get Absolute path from syslog

Carlos Igual — Mon, 22 Nov 2010 10:11:57 GMT

"You're asking for something that requires lots of brute effort. If you can't change what gets logged in syslog, you'll need to scan the whole system to find those files.

Or you need to turn on auditing to log opens and possibly chdir and renames. Then match them up with the syslog times."

ThatÂ´s the point.

IÂ´ve already turned on the open, chdir, ... .

Maybe Even matching the syslog times, Â¿How coud I deceide if a file apeared in the log is located in my target path?.

IÂ´ve find some posible solutions, as I pointed in my first message, (audit_track_paths, ...) but all are implemented from HP-UX version 11 v3, and my machines are HP-UX 11 v2.

Â¿Maybe some 3rd party software?.

Thanks in advance.

Carlos.

Re: How to get Absolute path from syslog

Dennis Handly — Mon, 22 Nov 2010 12:32:04 GMT

Perhaps you need to explain what you are really trying to do? And why can't you change the application to provide what you need without lots of this extra work?

>I've already turned on the open, chdir, ...

Then that should be enough to play back what the kernel is doing and find everything out.

>How could I decide if a file appeared in the log is located in my target path?

By accurately playing back the system calls and computing the absolute path of each open.

>I've find some possible solutions, as I pointed in my first message (audit_track_paths, ...)

Have you tried this on 11.31 to even know they work?

Re: How to get Absolute path from syslog

Carlos Igual — Mon, 22 Nov 2010 13:28:01 GMT

The question is as follows:

Need to register all the acesses to the files contained in a specific path, no matter what program or user does.

My problem is that the records in the system log file, depending on the path where the action has been executed, reflects the path in two posible ways.
The first one, is for me the "corrrect" one, because in the log record appears the absolute path of the file afected by the action. So I can identify the file as contained, (or not), into my target path.
In the second one, the path is a relative one, and that's useless for me, because I can't be sure that the record in the system log file ins contained or not in my target path.

I attach a sample, extracted from the system log file, with two acesses to the same file, one reflecting an absolute path and the other a relative one. The file accessed is the same but by the follwing two different commands:

1/ more /audit/R12/entrada/fr12pru2

2/ cd /audit/R12/entrada
more fr12pru2

I hope this clarify.

TIA Carlos.

Re: How to get Absolute path from syslog

Dennis Handly — Mon, 22 Nov 2010 19:07:33 GMT

>Need to register all the accesses to the files contained in a specific path, no matter what program or user does.

As I said, you need to play back, simulate, the system calls.

>2. cd /audit/R12/entrada
> more fr12pru2

Here is where you need to capture the chdir(2) call and apply that to the following open calls, that don't start with "/".