
Re: log analysis

 
varian_1
Advisor

log analysis

Hi,

On my HP-UX server, 6 months back, I changed a few kernel parameters.
But now when I checked, I found a few parameters have been changed again.
Shutdownlog shows the system was rebooted through sam nearly 3 months back.
Can anyone tell me how to check the following through the system logs:
>> when and who changed these kernel parameters.

Thanks in advance ....
Regards

Varian
Muthukumar_5
Honored Contributor

Re: log analysis

Do you have user history details? If the parameter was changed from the command line using kmtune or kctune, then HISTFILE is the only option.

If by sam, then you have to look at the sam log file.

-Muthu
Easy to suggest when don't know about the problem!
Warren_9
Honored Contributor

Re: log analysis

hi,

You've got the time of the reboot; check the OLDsulog and OLDsyslog, and last may give you some hint.

GOOD LUCK!!
Arunvijai_4
Honored Contributor

Re: log analysis

Check your log rotation policy and check the /var/adm/syslog/ folder for OLDsyslog.log

There are chances of getting that file back, and it depends on your admin policy for log rotation.

-Arun
"A ship in the harbor is safe, but that is not what ships are built for"
Bill Hassell
Honored Contributor

Re: log analysis

It's fairly easy: only root can change the parameters and rebuild the kernel. Now if untrained people have the root password, or worse, you have created additional UID=0 user accounts, you will have to look at the .sh_history file for each root user. The last command and sulog will tell you when suspicious users log in. If the user ran sam to change the parameters, you can look at the sam logs, but these logs will state what was done and when--not the name of the root user running sam. It's also possible that during the last reboot, someone decided to use vmunix.prev for the kernel, which is the previous kernel.

With this type of a mystery, I would assume that system security has been compromised, or at the very least, too many people have the root password or root access.


Bill Hassell, sysadmin
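
The checks suggested in the replies above (extra UID=0 accounts, each root user's history file, successful su sessions in sulog), as an added shell example that is not part of the original thread. The function names and every sample line are constructed for illustration; on a real system the inputs would be /etc/passwd, each root-equivalent user's history file, and sulog or OLDsulog.

```shell
#!/bin/sh
# Added example: correlate UID 0 accounts, shell history and sulog.
# All sample data below is constructed for illustration.

# Print the login name of every account with UID 0.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Print history entries that run the tools named in the thread.
# History files can contain NUL bytes, so turn them into newlines first.
kernel_tuning_cmds() {
    tr '\000' '\n' < "$1" | grep -E '(^|[ /;|&])(kmtune|kctune|sam)( |$)'
}

# Print date, time and "from-to" for successful su sessions to root.
# sulog line layout: SU MM/DD HH:MM +|- tty from-to
su_to_root() {
    awk '$1 == "SU" && $4 == "+" && $6 ~ /-root$/ { print $2, $3, $6 }' "$1"
}

# Build constructed sample files and run the three checks on them.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'root:*:0:3::/:/sbin/sh' \
        'oper:*:0:3::/home/oper:/usr/bin/sh' \
        'varian:*:101:20::/home/varian:/usr/bin/sh' > "$d/passwd"
    printf 'ls -l\000kmtune -s maxuprc=512\000vi /etc/hosts\000sam\000' \
        > "$d/sh_history"
    printf '%s\n' 'SU 03/14 09:12 + ttyp1 jdoe-root' \
        'SU 03/14 09:20 - ttyp2 guest-root' \
        'SU 03/15 22:41 + ttyp3 oper-root' > "$d/sulog"
    echo "UID 0 accounts:";          uid0_accounts "$d/passwd"
    echo "Kernel tuning commands:";  kernel_tuning_cmds "$d/sh_history"
    echo "Successful su to root:";   su_to_root "$d/sulog"
    rm -rf "$d"
}

demo
```

History entries carry no timestamps here, so the su times from sulog and the reboot time from shutdownlog are what narrow down which session a matching command belongs to.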