HPE Community
Operating System - HP-UX
1836747 Members
2877 Online
110109 Solutions
New Discussion

Re: log analysis

 
varian_1
Advisor

‎11-03-2005 07:52 PM

‎11-03-2005 07:52 PM

log analysis

Hi,

On my HP-UX server 6 months back I have changed few kernel parameters.
But now when I checked I found few parameters are changed again.
Shutdownlog shows system is rebooted thru sam nearly 3 months back.
Can any one tell me how to check the following thru system logs;
>> when & who has changed these kernel parametres.

Thanks in advance ....
Regards

Varian
0 Kudos
Reply
4 REPLIES 4
Muthukumar_5
Honored Contributor

‎11-03-2005 07:56 PM

‎11-03-2005 07:56 PM

Re: log analysis

Are you having user history details? If the parameter is changed by command line using kmtune or kctune then, HISTFILE is only option.

By sam, then have to see sam log file.

-Muthu
Easy to suggest when don't know about the problem!
0 Kudos
Reply
Warren_9
Honored Contributor

‎11-03-2005 08:38 PM

‎11-03-2005 08:38 PM

Re: log analysis

hi,

you've got the time of reboot, check the OLDsulog, OLDsyslog, last may give you some hint.

GOOD LUCK!!
0 Kudos
Reply
Arunvijai_4
Honored Contributor

‎11-03-2005 08:48 PM

‎11-03-2005 08:48 PM

Re: log analysis

Check your log rotation policy and check /var/adm/syslog/ folder for OLDsyslog.log

There are changes of getting that file back and its depends on your admin policy of log rotate.

-Arun
"A ship in the harbor is safe, but that is not what ships are built for"
0 Kudos
Reply
Bill Hassell
Honored Contributor

‎11-04-2005 01:34 AM

‎11-04-2005 01:34 AM

Re: log analysis

It's fairly easy: only root can change the parameters and rebuild the kernel. Now if untrained people have the root password, or worse, you have created additional UID=0 user accounts, you will have to look at the .sh_history file for each root user. The last command and sulog will tell you when suspicious users login. If tghe user ran sam to change the parameters, you can look at sam logs but these logs will state what wa done and when--not the name of the root user running sam. It's also possible that during the last reboot, someone decided to use vmunix.prev for the kernel which is the previous kernel.

With this type of a mystery, I would assume that system security has been compromised, or at the very least, too many people have the root password or root access.


Bill Hassell, sysadmin
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.