HPE Community
Operating System - HP-UX
1834009 Members
2044 Online
110063 Solutions
New Discussion

HP-UX event logging question..

 
SOLVED
Go to solution
Mark Stewart
Frequent Advisor

‎10-20-2003 08:43 AM

‎10-20-2003 08:43 AM

HP-UX event logging question..

I currently use the event logging feature that can be turned on in SAM(and using SAM to view the logs) for some added security on my workstations. My question is this, there appears to be a lot of "Close" failures(I audit failures of this, as well as success and failures of "Open") when no one is logged into the machine. In the logs, it lists the username as "????????".

Anybody have any explanation of why this is happening or what it might be? Thanks!
0 Kudos
Reply
8 REPLIES 8
Michael Steele_2
Honored Contributor

‎10-20-2003 09:00 AM

‎10-20-2003 09:00 AM

Re: HP-UX event logging question..

/etc/wtmp and /etc/utmp are probably corrupt. This will happen within 12 months: No year digit in the time stamp. Test with:

# last account
# lastb account
# finger account

Clean in SAM > routine task, or,

# cat /dev/null > /etc/wtmp, etc.
Support Fatherhood - Stop Family Law
0 Kudos
Reply
Mark Stewart
Frequent Advisor

‎10-21-2003 03:24 AM

‎10-21-2003 03:24 AM

Re: HP-UX event logging question..

i did as you said, cat-ing the files and it appears to have had no effect.. any other suggestions.. What exactly were you talking about, when you mentioned doing it with SAM?
0 Kudos
Reply
Michael Steele_2
Honored Contributor

‎10-21-2003 04:57 AM

‎10-21-2003 04:57 AM

Re: HP-UX event logging question..

What about :

# cat /dev/null > /etc/utmp?
Support Fatherhood - Stop Family Law
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

‎10-21-2003 05:00 AM

‎10-21-2003 05:00 AM

Re: HP-UX event logging question..

Sam has a routine tasks feature that lets you trim down certain logs.

Its a good idea to trim btmp and wtmp to zero once in a while.

I do it via script, once a week.

> /var/adm/syslog/btmp
> /var/adm/syslog/wtmp

This clears any corruption that may have occurred in these files. It also keeps them from getting to big.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Mark Stewart
Frequent Advisor

‎10-21-2003 05:03 AM

‎10-21-2003 05:03 AM

Re: HP-UX event logging question..

yeah, i did it to both of the files and it didn't stop the weird close events from being logged overnight last night..

any other possibilities?
0 Kudos
Reply
Michael Steele_2
Honored Contributor

‎10-21-2003 05:34 AM

‎10-21-2003 05:34 AM

Solution

Re: HP-UX event logging question..

I don't reccommend SAM for a couple of reasons and you may be hitting one, and that is patching. SAM needs lots of patching. Maybe 64.

Follow this navigation and try:

maintenance and support for HP products > individual patches > HP-UX > version > SAM
Support Fatherhood - Stop Family Law
Reply
Mark Stewart
Frequent Advisor

‎10-21-2003 08:04 AM

‎10-21-2003 08:04 AM

Re: HP-UX event logging question..

I'm using SAM to do the logging setup, but is that actually handled by the SAM tool? I would think it was done externally to that.. But I could be totally off on thinking that. I really don't have any other options for the security related logging I have to do.

I did the commands to reset/zero the two files from the command prompt though..
0 Kudos
Reply
Michael Steele_2
Honored Contributor

‎10-21-2003 09:27 AM

‎10-21-2003 09:27 AM

Re: HP-UX event logging question..

SAM is a Graphical User Interface that supports it's own command set. This SAM command set is separate from HP-UX. For example, refer to :

# ll /usr/sam/lbin/usermod.sam
Support Fatherhood - Stop Family Law
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.