HPE Community
Operating System - HP-UX
1753613 Members
5695 Online
108797 Solutions
New Discussion

Re: Ipmon write on syslog instead of his log

 
uxbeginner22
Trusted Contributor

‎05-06-2015 03:46 PM - last edited on ‎05-08-2015 01:12 AM by

‎05-06-2015 03:46 PM - last edited on ‎05-08-2015 01:12 AM by

Ipmon write on syslog instead of his log

I have configured firewall for log,i want to write in a separate file log for ipmon. Reading on net  suggest me to use local0.* or local0.debug on /etc/syslog.conf file.

So i make this

 

local0.notice       /var/adm/syslog/ipmon.log
local0.info     /var/adm/syslog/ipmon.log
local0.err      /var/adm/syslog/ipmon.log
local0.warning      /var/adm/syslog/ipmon.log

 

I have try also local0.debug and local0.* But instead of write on only ipmon.log,it continue to write on syslog.log and ipmon.log. Why? Of course i have restarted ipmon and syslogd

 

Where is the error?

Thanks

 

 

P.S. This thread has been movdd from General to HP-UX > sysadmin. - Hp Forum Moderator

0 Kudos
Reply
2 REPLIES 2
Bill Hassell
Honored Contributor

‎05-07-2015 10:26 AM - edited ‎05-07-2015 10:31 AM

‎05-07-2015 10:26 AM - edited ‎05-07-2015 10:31 AM

Re: Ipmon write on syslog instead of his log

syslogd is one of the most obtuse tools there is, primarily because it has unexpected features such as:

 ...any (I mean *ANY*) space *anywhere* on a line in syslog.conf makes the line into a comment...

...any syntax or format error makes the line into a comment...

 

In other words, you have to get it right because there will be *NO* error messages from syslogd.

 

To take a standard syslog.conf file and create a separate log for local0, first local0.none to syslog.log line:

*.info;mail.none;local0.none    /var/adm/syslog/syslog.log

The above: local0.none prevents local0 messages from getting logged in syslog.log

Then add this additional line:

local0.info     /var/adm/syslog/ipmon.log

And remember: NO SPACES!!!!! The white space between the directives and the logfile is a TAB character!!!

 

Restart syslogd like this:

# kill -HUP $(< /var/run/syslogd.pid)

 

Now test syslogd with logger:

# logger -p local0.info "local0 - info"
# tail /var/adm/syslog/ipmon.log
May  5 09:18:12 5Q:atl1 FontServer[1446]: terminating
May  5 09:27:56 6Q:atl1 krsd[2243]: Delay time is 300 seconds
May  5 10:17:23 5Q:atl1 FontServer[1331]: terminating
May  5 10:23:39 6Q:atl1 krsd[2248]: Delay time is 300 seconds
May  7 13:07:39 6Q:atl1 root: local0 - info

The last line is the logger command result. logger is your tester for syslogd testing.

 

You may be wondering why the 5Q and 6Q codes are showing up.

This is the -v option to starting syslogd (man syslogd).

Edit the file: /etc/rc.config.d/syslogd and add the -v to SYSLOGD_OPTS= like this:

SYSLOGD_OPTS="-D -v"

Then restart syslogd like this:

# kill -HUP $(< /var/run/syslogd.pid)

Now you will have the facility and level codes recorded (see man syslog) and be able to determine (for instance) that ftpd logs using the local5 facility (try to find that in the man pages...).

 



Bill Hassell, sysadmin
0 Kudos
Reply
KathyL1
Valued Contributor

‎05-11-2015 04:44 PM

‎05-11-2015 04:44 PM

Re: Ipmon write on syslog instead of his log

I believe you also have to update /etc/rc.config.d/ipfconf as follows:
IPMON_FLAGS="-D /var/adm/syslog/ipmon.log"

IP Filter will need to be restarted after the change is made.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.