topic Re: Syslog.conf in Operating System - HP-UX

Syslog.conf

Global Server Operation — Mon, 19 Sep 2005 11:51:19 GMT

I am aksed by an audit to turn on the following logs. Can someone explain to me why some of these are and how to turn them on? Some like the local's, I have not heard of and found on HP's website. Do we really need these turned on?

a. /var/adm/all/kern.log

b. /var/adm/all/user.log

c. /var/adm/all/mail.log

d. /var/adm/all/daemon.log

e. /var/adm/all/auth.log

f. /var/adm/all/syslog.log

g. /var/adm/all/lpr.log

h. /var/adm/all/news.log

i. /var/adm/all/uucp.log

j. /var/adm/all/cron.log

k. /var/adm/all/local0.log

l. /var/adm/all/local1.log

m. /var/adm/all/local2.log

n. /var/adm/all/local3.log

o. /var/adm/all/local4.log

p. /var/adm/all/local5.log

q. /var/adm/all/local6.log

r. /var/adm/all/local7.log

s. /etc/utmp

t. /etc/security/lastlog

u. /var/adm/wtmp

v. /var/adm/messages

w. /var/adm/syslog

x. /var/adm/acct

Re: Syslog.conf

Patrick Wallek — Mon, 19 Sep 2005 11:58:21 GMT

There is no /var/adm/all directory on HP-UX. It sounds like the auditor is trying to use a generic Unix document and apply it specifically to HP-UX. That ain't gonna work!

Re: Syslog.conf

Mel Burslan — Mon, 19 Sep 2005 12:07:45 GMT

What in the world is /var/adm/all directory anyway ? Have never seen or heard about this one at all.

Re: Syslog.conf

Bill Hassell — Mon, 19 Sep 2005 12:18:58 GMT

This is a very likely a generic list from the auditor without a translation for HP-UX (or AIX or Solaris or Linux, etc 'cause they're all different) mixed in with a bunch of customized files. Let's start with the standard HP-UX files in /var/adm:

syslog is called /var/adm/syslog/syslog.log
(I would leave it there even though you can change it's name and location--other HP-UX professionals will have to go searching otherwise)

/var/adm/acct is NOT a file, it is a directory and only used with accounting turned on (not common)

/etc/security/lastlog is not a standard HP-UX file. The last and lastb commands read the special binary files wtmp and btmp in /var/adm. These files can also be decoded with fwtmp.

messages is often renamed to dmesg.log but you have to enable it yourself using cron, something like this:

00,10,20,30,40,50 * * * * dmesg - >> /var/adm/messages

kern user mail daemon syslog lpr news uucp local0 local1 local2 local3 lcoal4 local5 local6 local7:
are known as syslog facilities and normally, these are all logged into the syslog file. But with (extensive) changes to /etc/syslogd.conf, you can have syslogd split each facility into the different files shown above.

You can tell the auditors that all these facilities are enabled and hand them the /etc/syslog.conf file as proof.

Re: Syslog.conf

Global Server Operation — Mon, 19 Sep 2005 12:37:12 GMT

Thanks to all. This has really helped me a lot. I will assign points.