Re: Logging and Auditing of a HP-UX box
- From: "a_monk" <dfox138@xxxxxxxxxxx>
- Date: 31 May 2006 04:55:56 -0700
You are the best !!!!
Many many thanks!
Matti Juhani Kurkela wrote:
"a_monk" <dfox138@xxxxxxxxxxx> writes:
Basically, I am a Windows guy and start learning Unix.
Would members of this group kindly tell me the auditing and logging
features/functions of HP-UX, what kind of logs are they (system,
application, security), methods to enable them, where are they stored
on the system?, etc.
There are two distinct logging systems on HP-UX: the
"Unix-traditional" syslog system and HP-UX specific audit log system.
You can expect the syslog system to be always enabled, but the audit
log system is not generally used unless there is a specific reason to
The location and content of the logs is administrator-definable, so I
will describe the factory default settings and the possibilities for
1.) the syslog system
This is based on a process named "syslogd", which is started early at
system boot. It will create a named pipe /dev/log and an UNIX domain
socket /dev/log.un, which other processes can use to send log messages
to syslog. It can also receive syslog messages from other hosts using
UDP network port 514.
(Most applications have no need to know about these details: there is
a standard library function "syslog()" which encapsulates all the
actions required to send a log message to the local syslogd for
further processing. There is also a "logger" command which can be used
to send a message to the syslog from a normal shell script.)
All syslog messages consist of a level identifier, a facility
identifier and some free-form text.
The level identifier is one of the following, in decreasing order of
emerg, alert, crit, err, warning, notice, info, debug
The facility identifier is one of the following, in no particular
kern, user, mail, daemon, auth, syslog, lpr, news, uucp, cron,
local0, local1, local2, local3, local4, local5, local6, local7
These identifiers can be used to select which messages get stored into
which logfile(s), displayed to the system console or to all users of
the system or sent to another server for non-local storage.
The syslogd process reads a configuration file /etc/syslog.conf, which
lists the log destinations (logfiles or remote syslog servers) and the
allowed level/facility combinations for each destination.
By default, HP-UX has a very limited set of syslog destinations:
there is only /var/adm/syslog/syslog.log for generic messages
(filtered so that only "significant" messages get stored) and a
special logfile /var/adm/syslog/mail.log for messages related to
email handling. In addition, there is a to send emergency
messages to all logged-in users and another that directs kernel
messages to the system console (where the administrator can presumably
2.) the audit log system
This can be configured using SAM, but there are also a slew of
commands (named aud*) to control the audit log system from the command
The audit log system is disabled by default. When it is enabled, it
can log detailed information of the user's actions (the names of files
read/written, the starting or stopping of processes and the like).
The full list of audit action categories is available by the command
"man 5 audit".
Because this system can easily create a huge amount of logging data if
misconfigured, you can choose which users' actions are audited. If a
server application provides a good level of logging by itself, it may
be useful to create an "application user" for the purpose of running
the application and disable or limit the audit logging for that user.
Usually, application-level logs are more "human-readable" than the
OS-level audit logs, simply because the application is more aware of
the purpose behind each OS-level action. A simple message like "user X
placed a new order of xxxx units of product yyy" is vastly more useful
than a long list of messages describing user X starting a program,
which then read a lot of files and then wrote into a few files.
The file /.secure/etc/audnames lists the names of the audit logfiles,
if the audit log system is enabled. The audit logfiles are in a binary
format: you must use the "audisp" command to view them.
- Re: Logging and Auditing of a HP-UX box
- From: a_monk
- Re: Logging and Auditing of a HP-UX box
- Prev by Date: Re: /etc/master.passwd: No such file or directory
- Next by Date: Re: /etc/master.passwd: No such file or directory
- Previous by thread: Re: Logging and Auditing of a HP-UX box
- Next by thread: Re: Logging and Auditing of a HP-UX box