Log management in HP-UX

senthil_kumar_1 · ‎03-09-2010

Hi All,

I am new to HP-UX.

I would like to know the log management in HP-UX.

I know followings about log management.

1)About Syslog:

There is two log files are available for syslog.

i)OLDsyslog.log
ii)syslog.log

Syslog.log is current file and OLDsyslog.log is old file.

Now I have some questions on syslog:

1.1)When (how many days once) the log are being transfered from syslog.log to OLDsyslog?

1.2)On of my HP-UX server (HP-UX 11.11) has no data with in OLDsyslog.log, example:

# ll OLDsyslog.log
-rw-r--r-- 1 root sys 0 Mar 4 00:01 OLDsyslog.log

But it has six syslog files, I think log rotation has been done, but I dont know how they (pervious unix admin) done this.

Example:

-rw-r--r-- 1 root sys 1119967 Mar 4 08:29 syslog.log
-rw-r--r-- 1 root sys 3222700 Mar 4 00:01 syslog.log.1
-rw-r--r-- 1 root sys 89506 Aug 7 2008 syslog.log.1.orig.gz
-rw-r--r-- 1 root sys 4168313 Mar 3 00:01 syslog.log.2
-rw-r--r-- 1 root sys 105763 Nov 22 10:30 syslog.log.2.gz
-rw-r--r-- 1 root sys 3989978 Mar 2 00:01 syslog.log.3
-rw-r--r-- 1 root sys 238659 Nov 22 00:01 syslog.log.3.gz
-rw-r--r-- 1 root sys 3092849 Mar 1 00:01 syslog.log.4
-rw-r--r-- 1 root sys 247459 Nov 21 00:01 syslog.log.4.gz
-rw-r--r-- 1 root sys 2993922 Feb 28 00:01 syslog.log.5
-rw-r--r-- 1 root sys 229038 Nov 20 00:01 syslog.log.5.gz
-rw-r--r-- 1 root sys 3373747 Feb 27 00:01 syslog.log.6
-rw-r--r-- 1 root sys 251639 Nov 19 00:01 syslog.log.6.gz

How to find that why the OLDsyslog.log has no entries, and instead how the six syslog.log files are available?

So I have two questions:

1.1)When (how many days once) the log are being transfered from syslog.log to OLDsyslog?

1.2)How to find that why the OLDsyslog.log has no entries, and instead how the six syslog.log files are available?

Torsten. · ‎03-09-2010

syslog will be moved to OLDsyslog after a reboot. Everything else is not standard, but customized by user scripts.

Hope this helps!
Regards
Torsten.

__________________________________________________
There are only 10 types of people in the world -
those who understand binary, and those who don't.
__________________________________________________
No support by private messages. Please ask the forum!

If you feel this was helpful please click the KUDOS! thumb below!

Patrick Wallek · ‎03-09-2010

1.2) It appears that someone may have set up something like 'logrotate' to do a daily log rotation.

Check your root cron jobs for something like 'logrotate'. If it is there then you can look at the logrotate script and configuration files to determine what it is doing.

Johnson Punniyalingam · ‎03-09-2010

>>1.1)When (how many days once) the log are being transfered from syslog.log to OLDsyslog?<<

As per normal behaviour it doesn't goes by days, when ever syslogd demons has been restarted either by reboot or syslod deamon restarted it will automatically rename or move existing syslog.log to OLDsyslog.log and new "syslog.log" has been created.

>>1.2)How to find that why the OLDsyslog.log has no entries, and instead how the six syslog.log files are available?<<<

This realy depends on scripts which in the server which is creating "Six....etc. syslog"

HTH,

Johnson

Problems are common to all, but attitude makes the difference

Johnson Punniyalingam · ‎03-09-2010

Duplicate Thread, Please close it*& Continue with Original one.

http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=1412369

Problems are common to all, but attitude makes the difference

madhuchakkaravarthy · ‎03-09-2010

Hi senthil

when ever the syslogd daemon are restarted ,, due to reboot or shutdown u will have oldsyslog.log...

if u have any test servers try to see the difference by rebooting or stopping syslogd daemon,,, but both entries will be in syslog.

regards

MC

senthil_kumar_1 · ‎03-10-2010

Hi All,

I have found following entries in /etc/syslog.conf file.

#############################################
mail.debug /var/adm/syslog/mail_log
*.info;mail.none /var/adm/syslog/syslog.log
*.alert /dev/console
*.alert root
*.emerg *
mail.alert /var/adm/syslog/mail_log
mark.debug /var/adm/syslog/mark_log
kern.info /var/adm/syslog/kern_log
user.info /var/adm/syslog/user_log
daemon.alert /var/adm/syslog/daemon_log
auth.info /var/adm/syslog/auth_log
lpr.info /var/adm/syslog/lpr_log
security.info /var/adm/syslog/security_log

#############################################

Could you please explain the purpose of each line in detail?

Patrick Wallek · ‎03-10-2010

This has nothing to do with your original question.

However, 'man syslogd' should answer your questions.

senthil_kumar_1 · ‎03-11-2010

Hi All,

I have learned some information about syslog.

The syslogd command reads and logs messages into a set of files described by the configuration file /etc/syslog.conf.

Normally only the log files available in /var/adm/syslog directory are configure in /etc/syslog.conf.

So if we stop the syslog daemon the log files available in /var/adm/syslog will not get updated. But all other logs (cron , sulog, automount log) will get updated, am i correct?

Johnson Punniyalingam · ‎03-11-2010

>>>So if we stop the syslog daemon the log files available in /var/adm/syslog will not get updated. But all other logs (cron , sulog, automount log) will get updated, am i correct?<<

NO

syslog.log -> (for system related logs,but some normal entry will added for daemons like,crond,inetd,ftpd,automout...etc) but in details logging are printed for cron,su,automount, see below locattions).

cron log -> ( /var/adm/cron/log -> crontab

su log -> switch user logs (/var/adm/sulog)

automount log -> /var/adm/automount.log

so in-short all (cron,su,automount) have there own logging file,

so if restart "syslogd" you can see OLDSyslog.log & syslog.log will only updated not others.

HTH,

Regards,
Johnson

Problems are common to all, but attitude makes the difference

senthil_kumar_1 · ‎03-11-2010

In man page I have found below mentioned.

# man syslogd

The syslogd command reads and logs messages into a set of files described by the configuration file /etc/syslog.conf.

Normally we have not configured any entries to log the activities of cron , sulog , wtmp and automount.log in /etc/syslog.conf.

1)so that, will it prevent from logging the activities of cron , sulog , wtmp and automount.log in to their respective log files?

2)If yes, why the files are not created like OLDcron.log, OLDautomout.log while restarting syslog?

3)If no, will no logs be created (syslog, cron , sulog, wtmp and etc.,) if we have stopped syslog?

Johnson Punniyalingam · ‎03-11-2010

>>>2)If yes, why the files are not created like OLDcron.log, OLDautomout.log while restarting syslog? <<

becoz when you restart the "sylogd" as below, it will only created for OLDSyslog.log also syslogd -> dameons which writes its own information to "syslog.log" file, it should not write to OLDcron,OLDautomout.log

/sbin/init.d/syslogd stop
/sbin/init.d/syslogd start

Hope you can test above in any of your test servers. to clear doubts :)

Also you can refer to your posting

>>>I have found following entries in /etc/syslog.conf file.

#############################################
mail.debug /var/adm/syslog/mail_log
*.info;mail.none /var/adm/syslog/syslog.log

look at the syslog.conf file -> pointing to /var/adm/syslog/syslog.log

mail -> pointing to /var/adm/syslog/mail.log

Problems are common to all, but attitude makes the difference

senthil_kumar_1 · ‎03-11-2010

Hi All,

I have tested in my test server.

I would like to know whether the logs for cron , sulog, wtmp, automount.log will be created while syslogd is down.

So firs I have down the syslogd.

# /sbin/init.d/syslogd stop
syslogd stopped

After that no logs are created with in /var/adm/syslog/syslog.log but at the same time logs are being created in /var/adm/cron/log , /var/adm/sulog and /var/adm/wtmp.

So I come to conclusion that if we have stop the syslogd then it will not create any logs to the files available under /var/adm/syslog (all the files configured in /etc/syslog.conf) but at the same time other logs (cron, sulog, wtmp) will be created. am i correct because i want to double check with you?

Steven E. Protter · ‎03-11-2010

Shalom,

No logs configured in syslog.conf will write when the syslogd daemon is down.

The data may be queued, you will have to test that.

But syslogd daemon is something you want up and running all the time.

SEP

Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com

senthil_kumar_1 · ‎03-11-2010

Hi

All the activities of starting and stopping the services (like nfs.server and nfs.client) will be in to which file because just for testing i have stopped and started again nfs.server and nfs.client but no logs are created for this activity in /var/adm/syslog/syslog.log?

Could you please clarify me about what are the service will be logged while start and stop and which file?

Steven E. Protter · ‎03-11-2010

Shalom,

All the activities of starting and stopping the services (like nfs.server and nfs.client) will be in to which file because just for testing i have stopped and started again nfs.server and nfs.client but no logs are created for this activity in /var/adm/syslog/syslog.log?
>>>
All services configured to be logged in syslog will be logged with start and stop messages. But it depends how the service is configured where and how they log. apache is not going to log in syslog at all. It has its own log.

This varies application to application.
>>>>

Could you please clarify me about what are the service will be logged while start and stop and which file?

How the service will be logged depends on two factors:

1) syslog.conf configuration.
2) How the service is written. NFS does log to syslog.

SEP

Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com

senthil_kumar_1 · ‎03-11-2010

which one is correct?

1)wtmp or wtmps

2)btmp or btmps

senthil_kumar_1 · ‎03-11-2010

which one is correct?

1)wtmp or wtmps

2)btmp or btmps

Since my HP-UX server is having both wtmp & wtmps and btmp & btmps.

James R. Ferguson · ‎03-11-2010

Hi:

> which one is correct? 1)wtmp or wtmps 2)btmp or btmps

If you have the "*s" named file on your server you're running 11.23 or later and that's the file that you want to analyze.

Regards!

...JRF...

Steven E. Protter · ‎03-11-2010

Shalom again,

Just checked an 11.31 system.

They have both files but one one is active.

root@mngp01:/var/adm # ll wtmp*
-rw-rw-r-- 1 adm adm 11400 Feb 3 16:23 wtmp
-rw-rw-r-- 1 adm adm 144744 Mar 11 13:06 wtmps
-rw-r--r-- 1 root sys 280 Jan 8 16:50 wtmpx
root@mngp01:/var/adm # ll btmp*
-rw------- 1 root other 0 Mar 8 2009 btmp
-rw------- 1 root other 11084 Feb 25 17:04 btmps

The btmp on this file is zero bytes because almost nobody logs into it.

See the dates for which file is active.

Your mileage may vary on earlier releases of HP-UX.

SEP

Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com

Bill Hassell · ‎04-15-2010

It will help to understand that syslogd is NOT the only tool that creates logs. cron and su and so on are processes that write their own logs -- they do not use the syslog facility at all. To see how many logs are kept by individual processes, look at /var/adm as in:

ll /var/adm/*.log

These files are not part of a standard syslog setup. What happens in syslog.log is controlled completely by the /etc/syslog.conf file. The facilities and levels of reporting are defined in that file.

There is nothing in standard HP-UX that will rotate the logs except a reboot (or more accurately, running the startup script

/sbin/init.d/syslog start

will move the current lof to OLDsyslog.log and start a new syslog.log.

As mentioned above, the other copies of syslog.log have been created by a custom script or program byu the previous administrator. Based on the time stamps, this is done at 1 minute after midnight so you'll likely find a script or program running at midnight that performs this task.

Also based on the files you see, the script has an error: in November, it rotated the logs and compressed them (*.gz) but in February and March, it did not compress them. So the script needs repair.

Also, your syslog.conf file creates a duplicate entry in syslog.log and each of these facility logs:

mark, kern, user, daemon, auth, lpr, security

And there is no security facility (see man 3c syslog). I think what you want is to remove noisy messages from syslog and move them to separate logs, like this:

# Use only tabs, not spaces
#
*.info;mail.none;local5.none;auth.none;user.none;lpr.none;daemon.notice;kern.notice /var/adm/syslog/syslog.log
#
mail.debug /var/adm/syslog/mail.log
local5.info /var/adm/syslog/ftpd.log
auth.info /var/adm/syslog/auth.log
daemon.info /var/adm/syslog/daemon.log
kern.info /var/adm/syslog/kern.log
lpr.info /var/adm/syslog/lpr.log
#
*.alert /dev/console
*.alert root
*.emerg *

I have rearranged the lines to make it a bit more readable. The first line states what will (and will not) go into syslog.log. So it says that:

-- All messages with info level or higher
-- No messages from mail, local, auth, user or local5
-- daemon and kern messages at notice level and higher

Then, each of next lines are facilities that are logged into different files. local5 is for ftp messages from ftpd.

The last 3 lines state that alert (and higher) are sent to /dev/console and all logged in root users, while emerg level messages are sent to all logged in users.

NOTE: The syslog.conf file is the only file in Unix that does not work with spaces!! Any line with a space anywhere on the line becomes a comment, so the file must look like this when you use cat -tv:

# cat -tv /etc/syslog.conf
*.info;mail.none;local5.none;auth.none;user.none;lpr.none;kern.notice;daemon.notice^I/var/adm/syslog/syslog.log

mail.debug^I/var/adm/syslog/mail.log
local5.info^I/var/adm/syslog/ftpd.log
auth.info^I/var/adm/syslog/auth.log
lpr.info^I/var/adm/syslog/lpr.log
user.info^I/var/adm/syslog/user.log
kern.info^I/var/adm/syslog/kern.log
daemon.info^I/var/adm/syslog/daemon.log

*.alert^I^I/dev/console
*.alert^I^Iroot
*.emerg^I^I*

The ^I is the tab character. If any line has a space, the entire line is silently ignored.
When you edit this file, use the vi command :set list to see the tabs as ^I.

One other change is for NTP (Network Time Protocol). The default is to log to syslog but it doesn't have its own facility name, so I change /etc/rc.config.d/netdaemons to start xntpd with the option: -l /var/adm/ntp.log:

export NTPDATE_SERVER=us.pool.ntp.org
export XNTPD=1
export XNTPD_ARGS="-l /var/adm/ntp.log"

Bill Hassell, sysadmin

Steven E. Protter · ‎04-15-2010

Shalom,

I take issue with a few things:

I am new to HP-UX.

You really aren't so new any more. You have been posting questions here for quite some months. I assume the solutions you are getting are sticking and effective or you would not come back.

Logrotate is available for HP-UX. It is very old and cranky and does not do a terrific job.

Your system has the looks of having logroate run on it, which can be done with the depot or a series of scripts home grown.

Looks like a bit of hacking was done on the standard syslog configuration as well. Look there and you will find variances with other hpux systems you have available to you.

SEP

Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com

lakshk · ‎07-15-2014

where do we find oldsyslog.log

Torsten. · ‎07-15-2014

in /var/adm/syslog

Hope this helps!
Regards
Torsten.

__________________________________________________
There are only 10 types of people in the world -
those who understand binary, and those who don't.
__________________________________________________
No support by private messages. Please ask the forum!

If you feel this was helpful please click the KUDOS! thumb below!

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Log management in HP-UX

Log management in HP-UX

Re: Log management in HP-UX

Re: Log management in HP-UX

Re: Log management in HP-UX

Re: Log management in HP-UX

Re: Log management in HP-UX

Re: Log management in HP-UX

Re: Log management in HP-UX

Re: Log management in HP-UX

Re: Log management in HP-UX

Re: Log management in HP-UX

Re: Log management in HP-UX

Re: Log management in HP-UX

Re: Log management in HP-UX

Re: Log management in HP-UX

Re: Log management in HP-UX

Re: Log management in HP-UX

Re: Log management in HP-UX

Re: Log management in HP-UX

Re: Log management in HP-UX

Re: Log management in HP-UX

Re: Log management in HP-UX

Re: Log management in HP-UX

Re: Log management in HP-UX