1.2) It appears that someone may have set up something like 'logrotate' to do a daily log rotation.

Check your root cron jobs for something like 'logrotate'. If it is there then you can look at the logrotate script and configuration files to determine what it is doing.

>>1.1)When (how many days once) the log are being transfered from syslog.log to OLDsyslog?<<

As per normal behaviour it doesn't goes by days, when ever syslogd demons has been restarted either by reboot or syslod deamon restarted it will automatically rename or move existing syslog.log to OLDsyslog.log and new "syslog.log" has been created.

>>1.2)How to find that why the OLDsyslog.log has no entries, and instead how the six syslog.log files are available?<<<

This realy depends on scripts which in the server which is creating "Six....etc. syslog"

HTH,

Johnson

Duplicate Thread, Please close it*& Continue with Original one.

http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=1412369

Hi senthil

when ever the syslogd daemon are restarted ,, due to reboot or shutdown u will have oldsyslog.log...

if u have any test servers try to see the difference by rebooting or stopping syslogd daemon,,, but both entries will be in syslog.


regards

MC

Hi All,

I have found following entries in /etc/syslog.conf file.

#############################################
mail.debug /var/adm/syslog/mail_log
*.info;mail.none /var/adm/syslog/syslog.log
*.alert /dev/console
*.alert root
*.emerg *
mail.alert /var/adm/syslog/mail_log
mark.debug /var/adm/syslog/mark_log
kern.info /var/adm/syslog/kern_log
user.info /var/adm/syslog/user_log
daemon.alert /var/adm/syslog/daemon_log
auth.info /var/adm/syslog/auth_log
lpr.info /var/adm/syslog/lpr_log
security.info /var/adm/syslog/security_log

#############################################


Could you please explain the purpose of each line in detail?

This has nothing to do with your original question.

However, 'man syslogd' should answer your questions.

Hi All,

I have learned some information about syslog.

The syslogd command reads and logs messages into a set of files described by the configuration file /etc/syslog.conf.

Normally only the log files available in /var/adm/syslog directory are configure in /etc/syslog.conf.

So if we stop the syslog daemon the log files available in /var/adm/syslog will not get updated. But all other logs (cron , sulog, automount log) will get updated, am i correct?

>>>So if we stop the syslog daemon the log files available in /var/adm/syslog will not get updated. But all other logs (cron , sulog, automount log) will get updated, am i correct?<<

NO

syslog.log -> (for system related logs,but some normal entry will added for daemons like,crond,inetd,ftpd,automout...etc) but in details logging are printed for cron,su,automount, see below locattions).

cron log -> ( /var/adm/cron/log -> crontab

su log -> switch user logs (/var/adm/sulog)

automount log -> /var/adm/automount.log

so in-short all (cron,su,automount) have there own logging file,

so if restart "syslogd" you can see OLDSyslog.log & syslog.log will only updated not others.

HTH,

Regards,
Johnson

In man page I have found below mentioned.

# man syslogd

The syslogd command reads and logs messages into a set of files described by the configuration file /etc/syslog.conf.


Normally we have not configured any entries to log the activities of cron , sulog , wtmp and automount.log in /etc/syslog.conf.

1)so that, will it prevent from logging the activities of cron , sulog , wtmp and automount.log in to their respective log files?

2)If yes, why the files are not created like OLDcron.log, OLDautomout.log while restarting syslog?

3)If no, will no logs be created (syslog, cron , sulog, wtmp and etc.,) if we have stopped syslog?

>>>2)If yes, why the files are not created like OLDcron.log, OLDautomout.log while restarting syslog? <<

becoz when you restart the "sylogd" as below, it will only created for OLDSyslog.log also syslogd -> dameons which writes its own information to "syslog.log" file, it should not write to OLDcron,OLDautomout.log

/sbin/init.d/syslogd stop
/sbin/init.d/syslogd start

Hope you can test above in any of your test servers. to clear doubts :)

Also you can refer to your posting

>>>I have found following entries in /etc/syslog.conf file.

#############################################
mail.debug /var/adm/syslog/mail_log
*.info;mail.none /var/adm/syslog/syslog.log

look at the syslog.conf file -> pointing to /var/adm/syslog/syslog.log

mail -> pointing to /var/adm/syslog/mail.log

Hi All,

I have tested in my test server.

I would like to know whether the logs for cron , sulog, wtmp, automount.log will be created while syslogd is down.

So firs I have down the syslogd.

# /sbin/init.d/syslogd stop
syslogd stopped


After that no logs are created with in /var/adm/syslog/syslog.log but at the same time logs are being created in /var/adm/cron/log , /var/adm/sulog and /var/adm/wtmp.

So I come to conclusion that if we have stop the syslogd then it will not create any logs to the files available under /var/adm/syslog (all the files configured in /etc/syslog.conf) but at the same time other logs (cron, sulog, wtmp) will be created. am i correct because i want to double check with you?

Shalom,

No logs configured in syslog.conf will write when the syslogd daemon is down.

The data may be queued, you will have to test that.

But syslogd daemon is something you want up and running all the time.

SEP

Hi

All the activities of starting and stopping the services (like nfs.server and nfs.client) will be in to which file because just for testing i have stopped and started again nfs.server and nfs.client but no logs are created for this activity in /var/adm/syslog/syslog.log?

Could you please clarify me about what are the service will be logged while start and stop and which file?

Shalom,

All the activities of starting and stopping the services (like nfs.server and nfs.client) will be in to which file because just for testing i have stopped and started again nfs.server and nfs.client but no logs are created for this activity in /var/adm/syslog/syslog.log?
>>>
All services configured to be logged in syslog will be logged with start and stop messages. But it depends how the service is configured where and how they log. apache is not going to log in syslog at all. It has its own log.

This varies application to application.
>>>>

Could you please clarify me about what are the service will be logged while start and stop and which file?

How the service will be logged depends on two factors:

1) syslog.conf configuration.
2) How the service is written. NFS does log to syslog.

SEP

which one is correct?

1)wtmp or wtmps

2)btmp or btmps

which one is correct?

1)wtmp or wtmps

2)btmp or btmps

Since my HP-UX server is having both wtmp & wtmps and btmp & btmps.

Hi:

> which one is correct? 1)wtmp or wtmps 2)btmp or btmps

If you have the "*s" named file on your server you're running 11.23 or later and that's the file that you want to analyze.

Regards!

...JRF...

Shalom again,

Just checked an 11.31 system.

They have both files but one one is active.

root@mngp01:/var/adm # ll wtmp*
-rw-rw-r-- 1 adm adm 11400 Feb 3 16:23 wtmp
-rw-rw-r-- 1 adm adm 144744 Mar 11 13:06 wtmps
-rw-r--r-- 1 root sys 280 Jan 8 16:50 wtmpx
root@mngp01:/var/adm # ll btmp*
-rw------- 1 root other 0 Mar 8 2009 btmp
-rw------- 1 root other 11084 Feb 25 17:04 btmps


The btmp on this file is zero bytes because almost nobody logs into it.

See the dates for which file is active.

Your mileage may vary on earlier releases of HP-UX.

SEP

It will help to understand that syslogd is NOT the only tool that creates logs. cron and su and so on are processes that write their own logs -- they do not use the syslog facility at all. To see how many logs are kept by individual processes, look at /var/adm as in:

ll /var/adm/*.log

These files are not part of a standard syslog setup. What happens in syslog.log is controlled completely by the /etc/syslog.conf file. The facilities and levels of reporting are defined in that file.

There is nothing in standard HP-UX that will rotate the logs except a reboot (or more accurately, running the startup script

/sbin/init.d/syslog start

will move the current lof to OLDsyslog.log and start a new syslog.log.

As mentioned above, the other copies of syslog.log have been created by a custom script or program byu the previous administrator. Based on the time stamps, this is done at 1 minute after midnight so you'll likely find a script or program running at midnight that performs this task.

Also based on the files you see, the script has an error: in November, it rotated the logs and compressed them (*.gz) but in February and March, it did not compress them. So the script needs repair.

Also, your syslog.conf file creates a duplicate entry in syslog.log and each of these facility logs:

mark, kern, user, daemon, auth, lpr, security

And there is no security facility (see man 3c syslog). I think what you want is to remove noisy messages from syslog and move them to separate logs, like this:


# Use only tabs, not spaces
#
*.info;mail.none;local5.none;auth.none;user.none;lpr.none;daemon.notice;kern.notice /var/adm/syslog/syslog.log
#
mail.debug /var/adm/syslog/mail.log
local5.info /var/adm/syslog/ftpd.log
auth.info /var/adm/syslog/auth.log
daemon.info /var/adm/syslog/daemon.log
kern.info /var/adm/syslog/kern.log
lpr.info /var/adm/syslog/lpr.log
#
*.alert /dev/console
*.alert root
*.emerg *

I have rearranged the lines to make it a bit more readable. The first line states what will (and will not) go into syslog.log. So it says that:

-- All messages with info level or higher
-- No messages from mail, local, auth, user or local5
-- daemon and kern messages at notice level and higher

Then, each of next lines are facilities that are logged into different files. local5 is for ftp messages from ftpd.

The last 3 lines state that alert (and higher) are sent to /dev/console and all logged in root users, while emerg level messages are sent to all logged in users.

NOTE: The syslog.conf file is the only file in Unix that does not work with spaces!! Any line with a space anywhere on the line becomes a comment, so the file must look like this when you use cat -tv:

# cat -tv /etc/syslog.conf
*.info;mail.none;local5.none;auth.none;user.none;lpr.none;kern.notice;daemon.notice^I/var/adm/syslog/syslog.log

mail.debug^I/var/adm/syslog/mail.log
local5.info^I/var/adm/syslog/ftpd.log
auth.info^I/var/adm/syslog/auth.log
lpr.info^I/var/adm/syslog/lpr.log
user.info^I/var/adm/syslog/user.log
kern.info^I/var/adm/syslog/kern.log
daemon.info^I/var/adm/syslog/daemon.log

*.alert^I^I/dev/console
*.alert^I^Iroot
*.emerg^I^I*

The ^I is the tab character. If any line has a space, the entire line is silently ignored.
When you edit this file, use the vi command :set list to see the tabs as ^I.

One other change is for NTP (Network Time Protocol). The default is to log to syslog but it doesn't have its own facility name, so I change /etc/rc.config.d/netdaemons to start xntpd with the option: -l /var/adm/ntp.log:

export NTPDATE_SERVER=us.pool.ntp.org
export XNTPD=1
export XNTPD_ARGS="-l /var/adm/ntp.log"

Shalom,

I take issue with a few things:

I am new to HP-UX.

You really aren't so new any more. You have been posting questions here for quite some months. I assume the solutions you are getting are sticking and effective or you would not come back.

Logrotate is available for HP-UX. It is very old and cranky and does not do a terrific job.

Your system has the looks of having logroate run on it, which can be done with the depot or a series of scripts home grown.

Looks like a bit of hacking was done on the standard syslog configuration as well. Look there and you will find variances with other hpux systems you have available to you.

SEP

where do we find oldsyslog.log

in /var/adm/syslog