Strange issue with /var/adm/sulog.

SOLVED
mpua
Frequent Advisor

Strange issue with /var/adm/sulog.

Hi,

We've got a weird issue with the file /var/adm/sulog in several of our HPUX 11.23 boxes. The sulog file gets filled with lots of supposed su's (root to root and root to oracle), which nobody is doing. There must be some process accessing and writing to the file, but I can't find it; fuser on /var/adm/sulog (even every second) returns nothing. How can I find the culprit?

SU 06/25 12:45 + tty?? root-root
SU 06/25 12:45 + tty?? root-oracle
SU 06/25 12:50 + tty?? root-oracle
SU 06/25 12:55 + tty?? root-oracle
SU 06/25 12:59 + tty?? root-oracle
SU 06/25 12:59 + tty?? root-oracle
SU 06/25 13:00 + tty?? root-root
SU 06/25 13:00 + tty?? root-oracle
SU 06/25 13:05 + tty?? root-oracle
SU 06/25 13:10 + tty?? root-oracle
SU 06/25 13:15 + tty?? root-root
SU 06/25 13:15 + tty?? root-oracle
SU 06/25 13:19 + tty?? root-oracle
SU 06/25 13:19 + tty?? root-oracle
SU 06/25 13:20 + tty?? root-oracle
SU 06/25 13:25 + tty?? root-oracle
SU 06/25 13:30 + tty?? root-root
SU 06/25 13:30 + tty?? root-oracle
SU 06/25 13:35 + tty?? root-oracle
SU 06/25 13:39 + tty?? root-oracle
SU 06/25 13:39 + tty?? root-oracle
SU 06/25 13:40 + tty?? root-oracle
SU 06/25 13:45 + tty?? root-root
SU 06/25 13:45 + tty?? root-oracle
SU 06/25 13:50 + tty?? root-oracle
SU 06/25 13:55 + tty?? root-oracle
SU 06/25 13:59 + tty?? root-oracle
SU 06/25 13:59 + tty?? root-oracle
SU 06/25 14:00 + tty?? root-root

Regards.

9 REPLIES
Ken Grabowski
Respected Contributor

Re: Strange issue with /var/adm/sulog.

You see this kind of log entries when you have an enterprise job scheduler in place. The scheduler runs as a root daemon and every job executed uses su to become the user in the job definition. Do you have a job scheduler installed on this server?

mpua
Frequent Advisor

Re: Strange issue with /var/adm/sulog.

Hi,

Yeah, we have a Control-M server and the agent is installed in this box. I've stopped the Control-M just to try, and the sulog file kept filling with the same entries... so it can't be that, huh?

mpua
Frequent Advisor

Re: Strange issue with /var/adm/sulog.

I mean I stopped the Control-M agent on the "affected" machine and the logging didn't stop.

Dennis Handly
Acclaimed Contributor

Re: Strange issue with /var/adm/sulog.

>I stopped the Control-M agent

Do you still use cron?

mpua
Frequent Advisor

Re: Strange issue with /var/adm/sulog.

Yeah, there are some cron entries set up in this box, but I've checked all of them and there's no "su" command in any of the scripts involved.

mpua
Frequent Advisor

Re: Strange issue with /var/adm/sulog.

Bump!

Anyone willing to help with this problem??

Matti_Kurkela
Honored Contributor

Re: Strange issue with /var/adm/sulog.

"Brute force" method:

Move the su command temporarily to a different name:

# mv /bin/su /bin/su.disabled

Then wait and see what (if anything) stops working.

Once you've found the cause, move the su command back the way it was.

MK
Ken Grabowski
Respected Contributor
Solution

Re: Strange issue with /var/adm/sulog.

You said you stopped the agent and it kept happening. That’s because jobs are queued in advance. You would have to leave the agent off for an extended period and stop processing jobs on that host. I've used both of those job control systems for years and this is normal behavior. As I mentioned before, the job scheduling agent runs as root and uses su to become the defined user for every job it launches. Every su gets logged by the system. If the size of the file is an issue then you may want to roll and compress the log more often.

If you need more detail on why it's happening, you may want to call your Control-M support center.
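
One way to check the scheduler explanation against the log itself, as an added example that is not part of the original thread: it parses sulog lines in the layout quoted above, lists the minute-of-hour slots at which terminal-less su calls recur (to compare with crontab minute fields or the scheduler's job definitions), and separates out su entries made from a real terminal. The sample lines, the jdoe user and the pts/2 terminal are constructed, and reading tty?? as "no controlling terminal" is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the sulog layout quoted in the thread:
#   SU MM/DD HH:MM <+ ok | - failed> <tty> <from>-<to>
SAMPLE = """\
SU 06/25 12:45 + tty?? root-root
SU 06/25 12:45 + tty?? root-oracle
SU 06/25 12:59 + tty?? root-oracle
SU 06/25 13:00 + tty?? root-root
SU 06/25 13:07 - pts/2 jdoe-root
SU 06/25 13:15 + tty?? root-root
SU 06/25 13:45 + tty?? root-root
SU 06/25 13:45 + tty?? root-oracle
SU 06/25 13:59 + tty?? root-oracle
SU 06/25 14:00 + tty?? root-root
truncated li
"""

ENTRY = re.compile(r"^SU (\d\d/\d\d) (\d\d):(\d\d) ([+-]) (\S+) (\S+?)-(\S+)$")

def parse(text):
    """Yield (date, hour, minute, ok, tty, src, dst); skip malformed lines."""
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            date, hh, mm, sign, tty, src, dst = m.groups()
            yield date, int(hh), int(mm), sign == "+", tty, src, dst

def recurring_slots(text, min_hours=2):
    """Map (src, dst) -> minute-of-hour slots hit in >= min_hours distinct
    hours by su calls with no terminal (assumption: 'tty??' means that)."""
    seen = defaultdict(set)            # (src, dst, minute) -> {(date, hour)}
    for date, hh, mm, _ok, tty, src, dst in parse(text):
        if tty == "tty??":
            seen[(src, dst, mm)].add((date, hh))
    slots = defaultdict(list)
    for key in sorted(seen):
        if len(seen[key]) >= min_hours:
            slots[key[:2]].append(key[2])
    return dict(slots)

def terminal_sessions(text):
    """su entries made from a real terminal: the ones worth reading by hand."""
    return [e for e in parse(text) if e[4] != "tty??"]

if __name__ == "__main__":
    print(recurring_slots(SAMPLE))
    print(terminal_sessions(SAMPLE))
```

Slots that line up with a job definition account for the noise; entries returned by terminal_sessions, failed ones especially, are the part of sulog that still needs a human reader.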

 

mpua
Frequent Advisor

Re: Strange issue with /var/adm/sulog.

Thanks everybody for your answers. I accept the Control-M explanation, so that's it. The size of the file is not a problem so far; it was just that we didn't know the origin of that number of entries and we were scratching our heads lol