HP-UX event logging question..

Mark Stewart
Frequent Advisor

HP-UX event logging question..

I currently use the event logging feature that can be turned on in SAM (and using SAM to view the logs) for some added security on my workstations. My question is this: there appear to be a lot of "Close" failures (I audit failures of this, as well as success and failures of "Open") when no one is logged into the machine. In the logs, it lists the username as "????????".

Anybody have any explanation of why this is happening or what it might be? Thanks!
Michael Steele_2
Honored Contributor

Re: HP-UX event logging question..

/etc/wtmp and /etc/utmp are probably corrupt. This will happen within 12 months: No year digit in the time stamp. Test with:

# last account
# lastb account
# finger account

Clean in SAM > routine task, or,

# cat /dev/null > /etc/wtmp, etc.
Support Fatherhood - Stop Family Law
Mark Stewart
Frequent Advisor

Re: HP-UX event logging question..

I did as you said, cat-ing the files, and it appears to have had no effect. Any other suggestions? What exactly were you talking about when you mentioned doing it with SAM?
Michael Steele_2
Honored Contributor

Re: HP-UX event logging question..

What about :

# cat /dev/null > /etc/utmp?
Support Fatherhood - Stop Family Law
Steven E. Protter
Exalted Contributor

Re: HP-UX event logging question..

Sam has a routine tasks feature that lets you trim down certain logs.

It's a good idea to trim btmp and wtmp to zero once in a while.

I do it via script, once a week.

> /var/adm/syslog/btmp
> /var/adm/syslog/wtmp

This clears any corruption that may have occurred in these files. It also keeps them from getting too big.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
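The replies above zero wtmp/btmp in place, which also discards the login history those files hold. As an added example (not code from any poster in this thread), the function below keeps a verified, read-only copy before truncating. The function name `rotate_login_log`, the archive directory and the paths in the usage comment are assumptions; substitute the locations your system uses.

```shell
#!/bin/sh
# Added example: archive a login accounting file, then truncate it in place.
# rotate_login_log and its arguments are hypothetical names for illustration.
# Usage (paths are assumptions):
#   rotate_login_log /var/adm/wtmp /var/adm/login-archive

rotate_login_log() {
    src=$1        # accounting file to trim (e.g. wtmp or btmp)
    dest_dir=$2   # directory that receives the timestamped copy

    # Refuse to act on a missing file so a typo never creates a new log.
    [ -f "$src" ] || { echo "skip: $src not found" >&2; return 1; }

    # An already-empty file needs no archive copy.
    [ -s "$src" ] || return 0

    # Keep archived login records readable by the owner only.
    mkdir -p "$dest_dir" && chmod 700 "$dest_dir" || return 1

    stamp=$(date +%Y%m%d%H%M%S)
    copy="$dest_dir/$(basename "$src").$stamp"

    # -p preserves timestamps and mode on the archived copy.
    cp -p "$src" "$copy" || return 1

    # Verify the copy byte for byte before destroying the original.
    # Records written between cp and the truncation below are not captured.
    if ! cmp -s "$src" "$copy"; then
        echo "copy of $src does not match, not truncating" >&2
        rm -f "$copy"
        return 1
    fi

    # Record a checksum so later tampering with the archive is detectable.
    cksum "$copy" >> "$dest_dir/MANIFEST"
    chmod 400 "$copy"

    # Truncate in place: keeps the inode, owner and mode that writers expect.
    : > "$src"
}
```
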
Mark Stewart
Frequent Advisor

Re: HP-UX event logging question..

Yeah, I did it to both of the files and it didn't stop the weird close events from being logged overnight last night.

Any other possibilities?
Michael Steele_2
Honored Contributor
Solution

Re: HP-UX event logging question..

I don't recommend SAM for a couple of reasons and you may be hitting one, and that is patching. SAM needs lots of patching. Maybe 64.

Follow this navigation and try:

maintenance and support for HP products > individual patches > HP-UX > version > SAM
Support Fatherhood - Stop Family Law
Mark Stewart
Frequent Advisor

Re: HP-UX event logging question..

I'm using SAM to do the logging setup, but is that actually handled by the SAM tool? I would think it was done externally to that. But I could be totally off on thinking that. I really don't have any other options for the security related logging I have to do.

I did the commands to reset/zero the two files from the command prompt though.
Michael Steele_2
Honored Contributor

Re: HP-UX event logging question..

SAM is a Graphical User Interface that supports its own command set. This SAM command set is separate from HP-UX. For example, refer to:

# ll /usr/sam/lbin/usermod.sam
Support Fatherhood - Stop Family Law