
syslog logging

 
Peter Gillis
Super Advisor

syslog logging

Hi, hp ux 11.11.v1
I have added a command to /etc/profile that sends logging information - ie logname, hostname, tty, userid - to the syslog.log file. Rather than having this info end up in the syslog I would like it to go to an alternate log in the /var/adm/syslog dir.
Thought I might be able to do this with configuration in the /etc/syslog.conf file. How do I find out the facility and level of the selector so I can code the syslog.conf file correctly?
I have attempted to do this in the past and failed. eg.....
lpr.info /var/adm/syslog/lpd.log
Produces nothing in the lpd.log file.
Any suggestions / help would be most appreciated.
thanks
Maria

5 REPLIES
Bill Hassell
Honored Contributor

Re: syslog logging

It's a bit of a mystery because most programs fail to document the 'facility' and level. The easiest way to find these two items is to change syslogd's startup options to include -v. Edit the file /etc/rc.config.d/syslogd and add the -v option to the variable SYSLOGD_OPTS:

SYSLOGD_OPTS="-D -v"

Now kill and restart syslogd (kill -15) manually with the new option. Now you'll see a 2 char code which identifies the facility and level. To decode the characters, use the man page:

man 3c syslog

(or use the attached script). An example of an undocumented syslog entry is ftpd: it uses local5 so syslog needs a line for the log:

local5.info /var/adm/syslog/ftp.log

BUT: you must delete local5 from syslog.log because everything goes in there except mail. It would look like this:

*.info;mail.none;local5.none /var/adm/syslog/syslog.log

Breaking down the cryptic codes:
*.info = everything at info level or higher
mail.none = except mail
local5.none = except local5
/var....syslog.log = the destination.

It's important to understand that every line in syslog is processed for every message. Putting a facility into another file does not remove it from syslog unless you use the .none level.

Now are you using logger to send the data in /etc/profile to syslog? logger allows you to specify any facility and level. You could use one of the local facilities to send the /etc/profile details like this:

logger -p local6.info "$LOGNAME $(hostname) $(tty) $(id)"

and in syslog.conf:

mail.debug /var/adm/syslog/mail.log
*.info;mail.none;local5.none;local6.none /var/adm/syslog/syslog.log
local6.info /var/adm/syslog/etcprofile.log



Bill Hassell, sysadmin
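
The selector rules described in the reply above, as an added example that is not part of the original thread: a POSIX shell/awk function that reports which syslog.conf destinations receive a message of a given facility and level. The function name syslog_dests and the temporary file path are assumptions, and only the selector forms used in this thread are handled.

```shell
#!/bin/sh
# Added example, not code from the thread. Lists the syslog.conf
# destinations that receive a message of a given facility and level.
# Assumptions: only facility names, "*", level names and "none" are
# handled; fields are split on any whitespace, whereas classic syslogd
# expects TABs between selector and action.

syslog_dests() {   # usage: syslog_dests CONF_FILE|- FACILITY LEVEL
    awk -v fac="$2" -v lvl="$3" '
    BEGIN {
        n = split("emerg alert crit err warning notice info debug", name, " ")
        for (i = 1; i <= n; i++) sev[name[i]] = i - 1   # 0 = most severe
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
    {
        want = ""                       # level this line sets for fac
        np = split($1, part, ";")
        for (p = 1; p <= np; p++) {     # left to right: later parts override
            dot = index(part[p], ".")
            nf = split(substr(part[p], 1, dot - 1), f, ",")
            for (k = 1; k <= nf; k++)
                if (f[k] == "*" || f[k] == fac)
                    want = substr(part[p], dot + 1)
        }
        # "level or higher" = numerically lower-or-equal severity;
        # "none" and unknown names are not in sev[], so nothing is printed
        if ((lvl in sev) && (want in sev) && sev[lvl] <= sev[want])
            print $2
    }' "$1"
}

# Constructed sample: the configuration from the reply above.
CONF=${TMPDIR:-/tmp}/syslog.conf.example.$$
trap 'rm -f "$CONF"' EXIT
cat > "$CONF" <<'EOF'
mail.debug /var/adm/syslog/mail.log
*.info;mail.none;local5.none;local6.none /var/adm/syslog/syslog.log
local6.info /var/adm/syslog/etcprofile.log
EOF

echo "local6.info goes to:";   syslog_dests "$CONF" local6 info
echo "daemon.notice goes to:"; syslog_dests "$CONF" daemon notice
echo "local6.debug goes to:";  syslog_dests "$CONF" local6 debug
# Without local6.none the same message is also copied into syslog.log.
echo "local6.info without local6.none goes to:"
sed 's/;local6\.none//' "$CONF" | syslog_dests - local6 info
```
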
Peter Gillis
Super Advisor

Re: syslog logging

Thanks for the info Bill. I am going to give it a go now. Yes I am using logger in the /etc/profile file. (It is actually a suggested command from you that I have added into the /etc/profile and it has been working fine and kept mgmt at bay!)
Thank you.
Maria
Peter Gillis
Super Advisor

Re: syslog logging

Hi Bill,
I have edited /etc/rc.config.d/syslogd as -
#
SYSLOGD_OPTS="-D -v"

I issued cmd -
kill -HUP `cat /var/run/syslog.pid`
The syslog log shows message: syslogd restart.

I have run decoder on two different log files and both give me -
# /home/au025797/syslogdecoder /var/adm/syslog/ucon.log

No facility/priority codes found in /var/adm/syslog/ucon.log
Restart syslogd with the -v option to enable codes

/var/adm/syslog/ucon.log has 173 lines


I am not sure what I have missed. Can you give me some clues on this?

We are running HPux 11.11 v1, on RP2470

thanks
Maria
Bill Hassell
Honored Contributor
Solution

Re: syslog logging

The kill -HUP for syslogd just re-reads the syslog.conf file. The options "-D -v" are just for reboot so they will always remain. You have to actually kill syslogd and manually start it by just typing:

syslogd -D -v

Now you can accomplish the same thing with:

/sbin/init.d/syslogd stop
/sbin/init.d/syslogd start

but the start script will also rotate the syslog.log file, something you may not want. Once syslogd is running with -v you'll see the extra 2-letter code added to each log file listed in /etc/syslog.conf.


Bill Hassell, sysadmin
Peter Gillis
Super Advisor

Re: syslog logging

Bill,
Thanks heaps for your help and your easy to understand explanations.
I understand where I was going wrong (not thinking properly) and have implemented the -v option on logging, run the decoder script and it is supplying me all the information I require. Absolutely invaluable - thanks.
Maria