Operating System - HP-UX

Re: how to get rid of 'su' in syslog.log

 
SOLVED
Lalo_Weng
Advisor

how to get rid of 'su' in syslog.log

Hi,

I have too many 'su' in my syslog file. I don't want to record this action in my syslog file. How to achieve this?

Thanks in advance.
Keep finding is the way.
eran maor
Honored Contributor
Solution

Re: how to get rid of 'su' in syslog.log

Hi

You need to configure the syslog config file, which is /etc/syslog.conf.

To stop the messages from going to syslog, change your /etc/syslog.conf file:
FROM:
*.info;mail.none /var/adm/syslog/syslog.log

TO:
*.info;auth.none;mail.none /var/adm/syslog/syslog.log

Optionally, the messages can be recorded to another log using:
auth.info /usr/adm/cherylgSUlog

# touch /usr/adm/cherylgSUlog
# ll cherylg*
-rw-rw-rw- 1 root 0 Mar 15 11:55 cherylgSUlog

Stop and Restart syslog:
# kill `cat /var/run/syslog.pid`
# /usr/sbin/syslogd -D
#
# ps -ef |grep syslog
root 18350 1 0 11:58:09 0:00 /usr/sbin/syslogd -D


Prior to changing configuration, you would receive this in syslog.log:
Mar 15 11:51:07 fletch : su : + td cag-root

With the new /etc/syslog.conf configuration, there are NO new messages in syslog:
# tail /var/adm/syslog/syslog.log
Mar 15 11:56:36 fletch syslogd: restart
Mar 15 11:58:01 fletch syslogd: going down on signal 15
Mar 15 11:58:09 fletch syslogd: restart

New entries are being recorded to my su log:
# cat /usr/adm/cherylgSUlog
Mar 15 11:58:44 fletch : su : - tc cag-toot
Mar 15 11:58:54 fletch : su : + tc cag-root

AND to the /var/adm/sulog:
# tail /var/adm/sulog
SU 03/15 11:51 + td cag-root
SU 03/15 11:58 - tc cag-toot
SU 03/15 11:58 + tc cag-root


love computers
Chris Wilshaw
Honored Contributor

Re: how to get rid of 'su' in syslog.log

Look at /etc/syslog.conf

Change the line containing syslog.log to

*.info;auth.none;mail.none /var/adm/syslog/syslog.log

Then

kill -HUP `cat /etc/syslog.pid`

This will then reconfigure syslogd to send no messages of type AUTH to syslog.log (su is part of the AUTH subset). su logging will still run to sulog, so you don't lose any of the information.
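Added example, not part of either reply and not HP-UX code: a small Python evaluator for the selector lines quoted in this thread, showing where an auth message lands before and after adding auth.none, and flagging a configuration in which no syslog rule captures auth at all. It assumes classic syslog.conf semantics (a later field overrides earlier ones for the facilities it names); the function names are hypothetical, and /var/adm/sulog is written by su itself, so it is outside what this check sees.

```python
# Added example: evaluates classic syslog.conf selectors (not HP-UX source code).
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed inputs: the selector lines quoted in the thread.
BEFORE = "*.info;mail.none\t/var/adm/syslog/syslog.log\n"
AFTER = "*.info;auth.none;mail.none\t/var/adm/syslog/syslog.log\n"
AFTER_WITH_SULOG = AFTER + "auth.info\t/usr/adm/cherylgSUlog\n"


def selector_matches(selector, facility, level):
    """Fields are read left to right; a later field overrides earlier ones
    for the facilities it names (assumed classic BSD behaviour)."""
    threshold = None  # None means "not logged by this rule"
    for field in selector.split(";"):
        facilities, _, lvl = field.strip().partition(".")
        if facilities != "*" and facility not in facilities.split(","):
            continue
        if lvl == "none":
            threshold = None
        elif lvl == "*":
            threshold = len(LEVELS) - 1
        else:
            threshold = LEVELS.index(lvl)
    # "info" selects info and everything more severe (lower index).
    return threshold is not None and LEVELS.index(level) <= threshold


def destinations(conf_text, facility, level):
    """Return the actions (log files) that receive a facility.level message."""
    hits = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)
        if selector_matches(selector, facility, level):
            hits.append(action.strip())
    return hits


def auth_is_dropped(conf_text, level="info"):
    """True when no rule captures auth messages, i.e. su events leave syslog."""
    return not destinations(conf_text, "auth", level)


if __name__ == "__main__":
    for name, conf in [("before", BEFORE), ("after", AFTER),
                       ("after+sulog", AFTER_WITH_SULOG)]:
        print(name, destinations(conf, "auth", "info"), auth_is_dropped(conf))
```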
T G Manikandan
Honored Contributor

Re: how to get rid of 'su' in syslog.log