
Re: syslog su messages

 
SOLVED
Go to solution
Devesh Pant_1
Esteemed Contributor

syslog su messages

I am seeing the following messages in my syslog, and the syslogs are getting filled with these.
I know that, using the syslog parser, I can prune it, and I also have other means of extracting the relevant data from the syslog or of logging su to a separate log file. But I want to understand why I am seeing these; root is definitely not su'ing to the Oracle account. Can this be from the Oracle OEM product? Or the RAC? Any inputs will be valuable.
Thanks in advance.
Devesh
-------------------------------------
Jun 16 13:15:08 radprod su: + tty?? root-oracle
Jun 16 13:16:06 radprod above message repeats 37 times
Jun 16 13:16:08 radprod su: + tty?? root-oracle
Jun 16 13:35:17 radprod su: + tty?? root-oracle
Jun 16 13:36:06 radprod above message repeats 39 times
Jun 16 13:36:18 radprod su: + tty?? root-oracle
Jun 16 13:55:26 radprod su: + tty?? root-oracle
Jun 16 13:56:06 radprod above message repeats 39 times
Sudeesh
Respected Contributor

Re: syslog su messages

Hi,
There is a good chance these su attempts are from a cron job, as they are repeated every 20 min. Check your scripts in cron and their logs (cron logs) for clarification.

In case a user is doing this (which I don't really think!), you need to match the output of the last command and syslog by time.

Hope this helps

Sudeesh

The most predictable thing in life is its unpredictability
Steven E. Protter
Exalted Contributor

Re: syslog su messages

That's root su - to oracle.

Most likely that's programmed into your cron log. At my last job we used that to fire up Oracle reports and such.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Bill Hassell
Honored Contributor

Re: syslog su messages

sulog tracks everything su does. The majority may not be from a user login but from special scripts, in cron or created by your database admins. If you are the administrator for this system, I would make it a point to identify all scripts with this su. Apparently, the scripts are run by root (bad idea) and have the su inside the script.


Bill Hassell, sysadmin
Devesh Pant_1
Esteemed Contributor

Re: syslog su messages

Well, I am the admin of the system, and there is nothing in root's cron that is su'ing to oracle. I am not sure how and why Oracle cron would assume anything as root. I am going to ask the Oracle DBA on the server, but it is so puzzling not to be able to figure out why root su'ing to oracle is shown.
Andrew Cowan
Honored Contributor

Re: syslog su messages

Rather than prune/process your syslog file, why not amend your syslog.conf to send auth messages to a separate file? This would make monitoring much easier.
Kurt Boyack
Occasional Advisor

Re: syslog su messages


Did you ever figure out where these were coming from? I just discovered this myself and do not know what is causing them. Every Oracle database server that I have looked at does this regularly.
Sandman!
Honored Contributor
Solution

Re: syslog su messages

Devesh,

We have similar logins at my site. I traced them a while back to the MC/SG installation. If you have MC/SG on your servers then that's a good starting point to look for those su logins, especially the pkg control script which starts up the HA applications.

The MC/SG pkg control script runs as root and is responsible for su'ing to the app id and either starting up or shutting down the associated application, one of them being Oracle...or...

You can simply search files for the "su -" pattern.

# find / -type f -exec grep -il "su -" {} \;

hope it helps!!!
Kurt Boyack
Occasional Advisor

Re: syslog su messages


We're not running ServiceGuard. I think the messages have something to do with backups.
Sandman!
Honored Contributor

Re: syslog su messages

For Kurt:

Search for files owned by root that contain the su string...

# find / -type f -user root -exec grep -il "su -" {} \;
Kurt Boyack
Occasional Advisor

Re: syslog su messages


In our case it turned out to be NetBackup running Oracle backup scripts.