HPE Community
Operating System - HP-UX
1820484 Members
2133 Online
109624 Solutions
New Discussion

How to get Absolute path from syslog

 
Carlos Igual
New Member

‎11-19-2010 02:15 AM

‎11-19-2010 02:15 AM

How to get Absolute path from syslog

My system is a HP-UX B.11.23 U ia64 bastioned.

I need to obtain log of the access to the files in a directory, (with no convention names in the files contained in), and my problem is that records in the syslog file "/.../audfile_XXXXX", are stored with relative paths, so I can´t identify univocaly if a file is contained in my target path.

I´ve been looking for alternative solutions, (audit_track_paths tuneable, auditing system extensions), but almost all of them are related to HP-UX 11 v3.

Any ideas?.

Thanks in advance.
0 Kudos
Reply
7 REPLIES 7
James R. Ferguson
Acclaimed Contributor

‎11-19-2010 04:52 AM

‎11-19-2010 04:52 AM

Re: How to get Absolute path from syslog

HI:

If you know the current working directory of the process that logged the event, then you can form the absolute path from the relative path information in the log.

If you have the ability to modify the software that does the logging you can mitigate your problem too.

Regards!

...JRF...
0 Kudos
Reply
Felix2009
New Member

‎11-22-2010 12:05 AM

‎11-22-2010 12:05 AM

Re: How to get Absolute path from syslog

Thanks James.
Guess I didn´t explain well my problem.
I need to get all the "access" to the files contained in the folder, wherever they came from, and whoever generates them.
So I can´t know the relative path of the program than genetrate the logs, can´t even know the program, or even more, the logs can be genetrated by a user from the command line.

I´m still working in find some information on how to get this logs with "absolute paths" in HP-UX versions lower than 11 v3.

Any ideas will be apreiated.
0 Kudos
Reply
Dennis Handly
Acclaimed Contributor

‎11-22-2010 01:55 AM

‎11-22-2010 01:55 AM

Re: How to get Absolute path from syslog

>Guess I didn't explain well my problem.

You're asking for something that requires lots of brute effort. If you can't change what gets logged in syslog, you'll need to scan the whole system to find those files.

Or you need to turn on auditing to log opens and possibly chdir and renames. Then match them up with the syslog times.
0 Kudos
Reply
Carlos Igual
New Member

‎11-22-2010 02:11 AM

‎11-22-2010 02:11 AM

Re: How to get Absolute path from syslog

"You're asking for something that requires lots of brute effort. If you can't change what gets logged in syslog, you'll need to scan the whole system to find those files.

Or you need to turn on auditing to log opens and possibly chdir and renames. Then match them up with the syslog times."

That´s the point.

I´ve already turned on the open, chdir, ... .

Maybe Even matching the syslog times, ¿How coud I deceide if a file apeared in the log is located in my target path?.

I´ve find some posible solutions, as I pointed in my first message, (audit_track_paths, ...) but all are implemented from HP-UX version 11 v3, and my machines are HP-UX 11 v2.

¿Maybe some 3rd party software?.

Thanks in advance.

Carlos.

0 Kudos
Reply
Dennis Handly
Acclaimed Contributor

‎11-22-2010 04:32 AM

‎11-22-2010 04:32 AM

Re: How to get Absolute path from syslog

Perhaps you need to explain what you are really trying to do? And why can't you change the application to provide what you need without lots of this extra work?

>I've already turned on the open, chdir, ...

Then that should be enough to play back what the kernel is doing and find everything out.

>How could I decide if a file appeared in the log is located in my target path?

By accurately playing back the system calls and computing the absolute path of each open.

>I've find some possible solutions, as I pointed in my first message (audit_track_paths, ...)

Have you tried this on 11.31 to even know they work?
0 Kudos
Reply
Carlos Igual
New Member

‎11-22-2010 05:28 AM

‎11-22-2010 05:28 AM

Re: How to get Absolute path from syslog

The question is as follows:

Need to register all the acesses to the files contained in a specific path, no matter what program or user does.

My problem is that the records in the system log file, depending on the path where the action has been executed, reflects the path in two posible ways.
The first one, is for me the "corrrect" one, because in the log record appears the absolute path of the file afected by the action. So I can identify the file as contained, (or not), into my target path.
In the second one, the path is a relative one, and that's useless for me, because I can't be sure that the record in the system log file ins contained or not in my target path.

I attach a sample, extracted from the system log file, with two acesses to the same file, one reflecting an absolute path and the other a relative one. The file accessed is the same but by the follwing two different commands:

1/ more /audit/R12/entrada/fr12pru2

2/ cd /audit/R12/entrada
more fr12pru2



I hope this clarify.

TIA Carlos.
0 Kudos
Reply
Dennis Handly
Acclaimed Contributor

‎11-22-2010 11:07 AM

‎11-22-2010 11:07 AM

Re: How to get Absolute path from syslog

>Need to register all the accesses to the files contained in a specific path, no matter what program or user does.

As I said, you need to play back, simulate, the system calls.

>2. cd /audit/R12/entrada
> more fr12pru2

Here is where you need to capture the chdir(2) call and apply that to the following open calls, that don't start with "/".
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.