Re: FTP logging file is /var/adm/syslog/ftp.log

Delecole · ‎10-01-2006

Hi there !
I need to configure my system to have the FTP events logged into /var/adm/syslog/ftp.log, instead of the standard syslog.log (Where the events are actually logged).

I have tried modifying the parameter of the ftpd daemon in inetd.conf, but no success :

-------------
ftp stream tcp nowait root /usr/lbin/ftpd ftpd -l /var/adm/syslog/ftp.log
-------------

Any idea how to do this ?
Many Thanks !!

Jaime Bolanos Rojas. · ‎10-01-2006

Delecole,

Did you already type inetd -c to re-read the configuration file?

Regards,

Jaime.

Work hard when the need comes out.

Delecole · ‎10-01-2006

Sure, but it goes always to the syslog.log.

I think I need to configure this ... not sure how ?
I've heard about the ftpaccess file, which is not existing on my system, and seems to be a config file ... but didn;t find how to configure the ftp.lo log file instead of syslog.log ?!?

Jaime Bolanos Rojas. · ‎10-02-2006

Delecole,

Sorry about the delay, looks the the forums are slow today, you might want to check this old thread:

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=76349&admit=-682735245+1159792729166+28353475

Regards,

Jaime.

Work hard when the need comes out.

Bill Hassell · ‎10-02-2006

The ftpd man page is somewhat helpful here. The -l has no argument which means you cannot specify a file with -l. But missing from the man page is the 'facility' name used by ftpd. It turns out that ftpd uses LOCAL5 as the facility and INFO for common usage messages. You can discover the facility and level for every syslogd message by turning on the -v option for syslogd. The other useful option is to turn on -D. Both of these are recomended. To decode the 2-char code added by the -v option, see man 3c syslogd.

So in syslog.conf, you have to make an exception for LOCAL5 so it doesn't go into syslog.log and explicitly code the new file, something like this:

local5.info /var/adm/syslog/ftp.log
*.info;mail.none;local5.none /var/adm/syslog/syslog.log

So the local5.info line was added (location in the file is unimportant -- every line is processed one at a time). All LOCAL5 messages will be written to ftp.log. The second line tells syslog write everything (*) at the info level to syslog.log, but to ignore the mail and local5 facilities.

The ftpaccess file allows you to further refine your ftp access. See the man page for ftpaccess. If you do not have ftpaccess, you are running a very obsolete version of HP-UX.

Bill Hassell, sysadmin

Delecole · ‎10-02-2006

Thanks Jaime.

I have verified my system, but do not have any /etc/syslog.conf file.
I just have the 2 following files, but can't find any entry for ftp nor local5 into them ;-(

root_nfmemm1# pwd
/etc/syslog-ng
root_nfmemm1# ls
syslog-ng.conf

-----

root_nfmemm1# pwd
/etc
root_nfmemm1# ls syslog.conf.presyslog-ng
syslog.conf.presyslog-ng

We getting closer ... but still do not have the solution ;-))

Delecole · ‎10-02-2006

thanks Bill for your input too ... we coming closer and closer.

As I said in my previous post, I do not have any syslog.log file ?!?

also, I understand doing the modifications in the syslog.log file are sufficient for redirecting the ftp entries to any log file I want; without I have to change the ftpaccess file, right ?

Many thanks so far ...

Jaime Bolanos Rojas. · ‎10-02-2006

Delecole,

:-), Check on this directory, you might find the files you are looking for: /usr/newconfig/etc

Regards,

Jaime.

Work hard when the need comes out.

Delecole · ‎10-02-2006

Looking for the config files used :

root_nfmemm1# ps -ef | grep syslog
root 814 1 0 Sep 24 ? 0:34 /usr/local/sbin/syslog-ng -f /etc/syslog-ng/syslog-ng.conf
root 2003 1 0 Sep 24 ? 0:00 /usr/local/sbin/syslog-ng -f /etc/syslog-ng/syslog-ng.conf
tnm 3141 2972 0 Sep 24 ? 0:59 /SA/osap/prog/syslog_dc

Looking the syslog-ng.conf :

root_nfmemm1# cd /etc/syslog-ng
root_nfmemm1# vi syslog-ng.conf

-----------

# syslog-ng configuration file.
#
# This should behave pretty much like the original syslog on HP-UX. But
# it could be configured a lot smarter.
#
# See syslog-ng(8) and syslog-ng.conf(8) for more information.
#
# 20000925 gb@sysfive.com

options { sync (0);
time_reopen (10);
log_fifo_size (1000);
long_hostnames (off);
use_dns (no);
use_fqdn (no);
create_dirs (no);
keep_hostname (yes);
};

source s_sys { pipe("/dev/log" pad_size(2048)); unix-dgram("/dev/log.un"); inter
nal(); };

destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/adm/syslog/syslog.log"); };
destination d_mail { file("/var/adm/syslog/mail.log"); };
destination d_mlrt { usertty("root"); };
destination d_mlal { usertty("*"); };

destination tnm { udp("127.0.0.1" port(32145)); };

filter f_filter1 { facility(mail) and level(debug); };
filter f_filter3 { level(alert); };
filter f_filter4 { level(emerg); };

log { source(s_sys); filter(f_filter1); destination(d_mail); };

log { source(s_sys); destination(d_mesg); };

log { source(s_sys); filter(f_filter3); destination(d_cons);
destination(d_mlrt); };
log { source(s_sys); filter(f_filter4); destination(d_mlal); };

log { source(s_sys); destination(tnm); };

I do not see anything related to LOCAL5 nr ftp here .... not sure what to modify.

Ivan Krastev · ‎10-02-2006

Hi Delecole,

for syslog-ng try this:
in syslog-ng.conf add:

destination ftpd { file("/var/adm/syslog/ftp.log"); };

filter f_ftpd { facility(local5); };

log { source(src); filter(f_ftpd); destination(ftpd); };

regards,
ivan

Delecole · ‎10-02-2006

thanks Ivan.

I've made the changed according to your advise, but still the FTP messages are sent to the syslog.log file ...
Not sure I have to restart syslog-ng some way ?

----------

options { sync (0);
time_reopen (10);
log_fifo_size (1000);
long_hostnames (off);
use_dns (no);
use_fqdn (no);
create_dirs (no);
keep_hostname (yes);
};

source s_sys { pipe("/dev/log" pad_size(2048)); unix-dgram("/dev/log.un"); internal(); };

destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/adm/syslog/syslog.log"); };
destination d_mail { file("/var/adm/syslog/mail.log"); };
destination d_mlrt { usertty("root"); };
destination d_mlal { usertty("*"); };
destination ftpd { file("/var/adm/syslog/ftp.log"); };

destination tnm { udp("127.0.0.1" port(32145)); };

filter f_filter1 { facility(mail) and level(debug); };
filter f_filter3 { level(alert); };
filter f_filter4 { level(emerg); };
filter f_ftpd { facility(local5); };

log { source(s_sys); filter(f_filter1); destination(d_mail); };

log { source(s_sys); destination(d_mesg); };

log { source(s_sys); filter(f_filter3); destination(d_cons);
destination(d_mlrt); };
log { source(s_sys); filter(f_filter4); destination(d_mlal); };

log { source(s_sys); destination(tnm); };

log { source(src); filter(f_ftpd); destination(ftpd); };

Ivan Krastev · ‎10-02-2006

Of course after do changes in syslog-ng.conf - reload service.

ivan

Delecole · ‎10-02-2006

thanks for confirming this - and sorry for the stupid question, but do you know how to restart this "service" ?

Many Thanks !!

Ivan Krastev · ‎10-02-2006

Hi again,

/sbin/init.d/syslog-ng stop
/sbin/init.d/syslog-ng start

Delecole · ‎10-02-2006

the syslog-ng files you specified are not on my system.

so I did the following, but it returned an error concerning the "src" :

root_nfm036# pwd
/sbin/init.d
root_nfm036# ./syslogng stop
root_nfm036# ./syslogng start
Changing permissions on special file /dev/log
unresolved reference: src
Error initializing configuration, exiting.
EXIT CODE: 1

?

Bill Hassell · ‎10-02-2006

Sorry to take so long to get back to you. syslog-ng does not exist on your system. It is freeware and not supplied on standard HP-UX. Someone (with root login) has removed your /etc/syslog.conf file as it is standard with all versions of HP-UX. To restore the standard file, do this:

cp /usr/newconfig/etc/syslog.conf /etc/syslog.conf

Then edit that file and make these two changes:

Insert the line:
local5.info /var/adm/syslog/ftp.log

and change the line with syslog.log on it to read:

*.info;mail.none;local5.none /var/adm/syslog/syslog.log

Note: The separation between the facility.level entry and the full pathname must be a TAB, not spaces.

Once the /etc/syslog.conf has been edited, tell syslogd to reread the config file:

kill -HUP $(cat /etc/syslog.pid)

Verify that syslog reqad the file with:

tail /var/adm/syslog/syslog.log

You'll see the syslogd restart message. Now try your ftp commands.

Bill Hassell, sysadmin

Bill Hassell · ‎10-02-2006

Oops, I misread the author of the syslog-ng information. Someone has indeed loaded syslog-ng on your system. That changes everything and explains why syslog.conf is gone. You'll have to read the syslog-ng documentation to get all this to work.

Bill Hassell, sysadmin

Ivan Krastev · ‎10-02-2006

Here's example :

#new log file
destination ftpd { file("/var/adm/syslog/ftp.log"); };

#filter1
filter f_ftpd { facility(local5); };

#filter2
filter f_ftpd { program("ftpd"); };

#log
log { source(s_sys); filter(f_ftpd); destination(ftpd); };

You can use filter1 or filter2. After changing config file reload syslog-ng service.

regards,
ivan

Delecole · ‎10-02-2006

Bill,
Many thanks for the clarification ... I installed HP-UX myself (11.i), and I'm sure nobody touched the syslog.conf (I have the exact same syslog-ng file on all my machines in my lab.)

Ivan,
You got a 10 points ;-)
I have added the following lines, and restarted the daemon without error this time.

destination ftpd { file("/var/adm/syslog/ftp.log"); };
---
filter f_ftpd { facility(local5); };
filter f_ftpd { program("ftpd"); };
---
log { source(s_sys); filter(f_ftpd); destination(ftpd); };

I have now 2 questions to close the thread :
- I see the event coming in the ftp/log, but they are still duplicated in the syslog.log - Why is it so, and may I just send the events to ftp.log ?
- What Am I exactly doing with the estination, filter and log ??
I do not really understand the lines I've added.

Many Thanks !

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Discussions

Forums

Discussions

Forums

Discussions

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Re: FTP logging file is /var/adm/syslog/ftp.log

FTP logging file is /var/adm/syslog/ftp.log