1. Unity and Disunity of Unix Log File Management Tools
Dusan Baljevic
Sydney, Australia

2. Unix Log Files and Their Management Tools - Present
Most of the time, admins rely on Shell or Perl scripts
As well, find command is commonly used for cleanups
November 22, 2018
Webinar - Dusan Baljevic

3. Unix Log Files and Their Management Tools
Solaris logadm
Linux logrotate
AIX (built-in log file rotation and compression)
HP-UX (various tools)
November 22, 2018
Webinar - Dusan Baljevic

4. Webinar - Dusan Baljevic
AIX syslog
AIX has built-in log file rotation and compression. They are optional fields
Format
msg_src_list destination [rotate [size sizek|m] [files files] [time timeh|d|w|m|y] [compress] [archive archive]]
msg_src_list is a semicolon separated list of facility.priority
facility all (except mark) mark - time marks kern,user,mail,daemon, auth,...
priority is one of (from high to low): emerg/panic,alert,crit,err(or),warn(ing),notice,info,debug
(meaning all messages of this priority or higher)
destination is: /filename - log to this file username[,username2...] - write to user(s) @hostname - send to syslogd on this machine * - send to all logged in users
November 22, 2018
Webinar - Dusan Baljevic

5. AIX syslog Features (part 1/2)
If destination is a regular file and the word rotate is specified, then the destination is limited by either size or time, or both. The backup filenames are created by appending a period and a number to destination, starting with .0. The time value causes the destination to be rotated after time. If both time and size are specified, then logfiles will be rotated once the logfile size exceeds size or the after time, whichever is earlier
If the compress option is specified then the logfile names will be generated with a .Z extension. The files keyword will be applicable to the logfiles which are currently under rotation. For example, if we specify the compress option, then only file with .Z extension will be under rotation and the number of such files will be limited byfiles files. Any logfiles with an extension other than .Z will not be under the rotation scheme and thus will not be under the restriction of files files. Similarly if the compress option is removed then the files which have been generated with .Z extension will no longer be the part of rotation scheme and will not be limited by the files files
November 22, 2018
Webinar - Dusan Baljevic

6. AIX syslog Features (part 2/2)
The minimum size that can be specified is 10k. The minimum number of files that can be specified is 2. The default size is 1MB and the default for files is unlimited. Therefore, if only rotate is specified, the log will be rotated with size = 1m. The compress option means that rotated log files that are not in use will be compressed. The archive option will save rotated log files that are not in use to archive. The default is not to rotate log files
The letter indicating the unit must immediately follow the number in the syntax. For example, to specify the log rotation of every two days, the phrase time “2d” is correct, but “2 d” is not
November 22, 2018
Webinar - Dusan Baljevic

7. Webinar - Dusan Baljevic
AIX /etc/syslog.conf
Example /etc/syslog.conf
*.info /var/adm/syslog/syslog.log *.alert /var/adm/syslog/syslog.log *.notice /var/adm/syslog/syslog.log *.warning /var/adm/syslog/syslog.log *.err /var/adm/syslog/syslog.log *.crit /var/adm/syslog/syslog.log rotate time 1d files 9
daemon.debug /var/adm/ftpd.log rotate size 1024k files 5
November 22, 2018
Webinar - Dusan Baljevic

8. Webinar - Dusan Baljevic
Linux logrotate
It allows automatic rotation, compression, removal, and mailing of log files. Each log file may be handled daily, weekly, monthly, or when it grows too large.
Normally, logrotate is run as a daily cron job. It will not modify a log multiple times in one day unless the formula for that log is based on the logs size and logrotate is being run multiple times each day, or unless the “-f” or “-force” option is used.
Cron job /etc/cron.daily/logrotate
#!/bin/sh /usr/sbin/logrotate /etc/logrotate.conf
EXITVALUE=$?
if [ $EXITVALUE != 0 ]; then
/usr/bin/logger -t logrotate "ALERT exited abnormally with [$EXITVALUE]" fi
exit 0
November 22, 2018
Webinar - Dusan Baljevic

9. Linux /etc/logrotate.conf
weekly
rotate 4
create
dateext
include /etc/logrotate.d
/var/log/wtmp {
monthly
create 0664 root utmp
rotate 1 }
/var/log/btmp {
missingok
create 0600 root utmp
November 22, 2018
Webinar - Dusan Baljevic

10. Linux logrotate Command Usage
Usage: logrotate [OPTION...] <configfile>
-d, --debug Don't do anything, just test (implies -v)
-f, --force Force file rotation
-m, --mail=command Command to send mail (instead of `/bin/mail')
-s, --state=statefile Path of state file
-v, --verbose Display messages during rotation
Help options:
-?, --help Show this help message
--usage Display brief usage message
November 22, 2018
Webinar - Dusan Baljevic

11. Linux /etc/logrotate.d Directory
# ls /etc/logrotate.d
bittorrent fail2ban munin-node rpm
squid yum clamav-update httpd
nagios samba squidGuard zabbix
collectl mgetty named sa-update
syslog cups mimedefang ppp
setroubleshoot tux dirmngr munin
psacct snmpd wpa_supplicant
November 22, 2018
Webinar - Dusan Baljevic

12. Linux /etc/logrotate.d Example
# cat /etc/logrotate.d/httpd
/var/log/httpd/*log {
missingok
notifempty
sharedscripts
postrotate
kill -HUP `cat /var/run/httpd.pid 2>/dev/null` 2> /dev/null \
|| true
endscript }
November 22, 2018
Webinar - Dusan Baljevic

13. Webinar - Dusan Baljevic
Solaris logadm
Starting from Solaris 9, there is a standard tool, called logadm, to rotate logs
logadm is an independent utility (unlike integrated in syslog daemon capability that can be found in AIX). The logadm command is a preconfigured entry in the default crontab file supplied starting with Solaris 9
/usr/lib/newsyslog script is no longer used
Before Solaris 9 there was FreeBSD-style tool newsyslog located in /usr/lib and Perl script rotatelog. It  was run from cron. For Solaris 8 and earlier download the tar.gz file, untar it, go in the new directory, and execute make install. It will install /usr/local/sbin/rotatelog and /usr/local/etc/rotatelog.conf
NAME
logadm - manage endlessly growing log files
SYNOPSIS
logadm [-options] logname...
DESCRIPTION
logadm is a general log rotation tool that is suitable for running from cron(1M).
Without arguments, logadm reads the /etc/logadm.conf file, and, for every entry found in that file, checks the
corresponding log file to see if it should be rotated. Typically this check is done each morning by an entry in the
root's crontab(1).
If the logname argument is specified, logadm renames the corresponding log file by adding a suffix so that the most
recent log file ends with .0 (that is, logfile.0), the next most recent ends with .1 (that is, logfile.1), and so forth.
By default, ten versions of old log files are kept (that is, logfile.0 through logfile.9). At the point when what would
be the eleventh file is logged,logadm automatically deletes the oldest version to keep the count of files at ten.
logadm takes a number of options. You can specify these options on the command line or in the /etc/logadm.conf file.
The logadm command searches /etc/logadm.conf for lines of the form logname options
logname Identifies an entry in
/etc/logadm.conf. This can be a
name or the pathname of the log
file. If you specify a log file,
rather than a name, for this
field, it must be a fully quali-
fied pathname.
options Identifies command line options
exactly as they would be entered
on the command line. This allows
commonly used log rotation poli-
cies to be stored in the
/etc/logadm.conf file. See EXAMPLES.
If options are specified both in
/etc/logadm.conf and on the com-
mand line, those in the
/etc/logadm.conf file are
applied first. Therefore, the
command line options override
those in /etc/logadm.conf.
Log file names specified in
/etc/logadm.conf can contain
filename substitution characters
such as * and ?, that are sup-
ported by csh(1).
Two options control when a log file is rotated. They are: -s size -p period.
When using more than one of these options at a time, there is an implied and between them. This means that all conditions
must be met before the log is rotated.
If neither of these two options are specified, the default conditions for rotating a log file are: -s 1b -p 1w, which
means the log file is only rotated if the size is non-zero and if at least 1 week has passed since the last time it was
rotated.
By specifying -p never as a rotation condition, any other rotation conditions are ignored and logadm moves on to the
expiration of old log files. By specifying -p now as a rotation condition, a log rotation is forced.
Unless specified by the -o, -g, or -m options, logadm replaces the log file (after renaming it) by creating an
empty file whose owner, group ID, and permissions match the original file.
Three options control when old log files are expired: -A age -C count -Ssize. These options expire the oldest log files
until a particular condition or conditions are met. For example, the combination -C 5 and the -S 10m options expires
old log files until there are no more than 5 of the and their combined disk usage is no more than 10 megabytes. If
none of these options are specified, the default expiration s -C 10 which keeps ten old log files. If no files are to be
expired, use -C 0 to prevent expiration by default.
OPTIONS
The following options are supported:
-a post_command Execute the post_command after renaming
the log file. post_command is passed to sh -c.
Specify post_command as a valid shell
command. Use quotes to protect spaces or
shell metacharacters in post_command.
This option can be used to restart a
daemon that is writing to the file. When
rotating multiple logs with one logadm
command, post_command is executed only
once after all the logs are rotated, not
once per rotated log.
-A age Delete any versions that have not been
modified for the amount of time speci-
fied by age.
Specify age as a number followed by an h
(hours), d (days), w(weeks), m (months),
or y (years).
-b pre_command Execute pre_command before renaming the
log file. pre_command is passed to sh
-c.
Specify pre_command as a valid shell
shell metacharacters in the pre_command.
This option can be used to stop a daemon
that is writing to the file. When rotat-
ing multiple logs with one logadm com-
mand, pre_command is executed only once
before all the logs are rotated, not
-c Rotate the log file by copying it and
truncating the original logfile to zero
length, rather than renaming the file.
-C count Delete the oldest versions until there
are not more than count files left.
If no expire options (-A, -C, or -S) are
specified, -C 10 is the default. To
prevent the default expire rule from
being added automatically, specify -C 0.
-e mail_addr Send error messages by to
mail_addr.
As logadm is typically run from
cron(1M), error messages are captured by
cron and mailed to the owner of the
crontab.
This option is useful you want the mail
regarding error messages to go to
another address instead. If no errors
are encountered, no mail message is gen-
erated.
-E cmd Execute cmd to expire the file, rather
than deleting the old log file to expire
it.
cmd is passed it to sh -c. The file is
considered expired after cmd completes.
If the old log file is not removed or
renamed by the cmd, logadm considers it
for expiration the next time that it
runs on the specified log file. If
present, the keyword $file is expanded
in the specified cmdto the name of the
file being expired.
This option is useful for tasks such as
mailing old log files to administrators,
or copying old log files to long term
storage.
-f conf_file Use conf_file instead of
/etc/logadm.conf.
This option allows non-root users to
keep their own logadm configuration
files.
-g group Create a new empty file with the ID
specified by group, instead of preserv-
ing the group ID of the log file.
Specify group by name or by numeric
group ID, as accepted by chgrp(1).
This option requires the ability to
change file group ownership using the
chgrp(1) command.
-h Print a help message that describes
logadm's options.
-l Use local time rather than the Coordi-
nated Universal Time (UTC) when naming
rotated log files (see the discussion of
percent sequences in the templates sup-
plied with the -t option).
-m mode Create a new empty file with the mode
specified by mode, instead of preserving
the mode of the log file.
Specify mode in any form that is
accepted by the chmod(1) command.
-M cmd Use cmd to rename the log file. If the
keyword $file is specified, it is
expanded to the name of the log file.
Similarly, the keyword $nfile is
expanded to the new name of the log
file. The $nfile keyword is only avail-
able with commands provided with the -M
option. After the command completes, the
log file is replaced by the rotate file.
The default cmd is "/bin/mv $file
$nfile".
-n Print the actions that the logadm com-
mand will perform without actually per-
forming them.
This option is useful for checking argu-
ments before making any changes to the
system.
It is important to remember, however,
that since log rotating actions are only
printed with this option, logadm might
not find files that need expiring, but
if run without the -n logadm might
create a file that needs expiring by
performing the log rotating actions.
Therefore, if you see no files being
expired with the -n option, files still
might be expired without it.
-N Prevent an error message if the speci-
fied logfile does not exist. Normally,
logadm produces an error message if the
log file is not found. With -N, if the
log file doesn't exist logadm moves on
to the expire rules (if any) and then to
the next log file (if any), without
creating the empty replacement log file.
-o owner Create the new empty file with owner,
instead of preserving the owner of the
log file.
Specify owner in any form that is
accepted by the chown(1) command.
-p period Rotate a log file after the specified
time period (period) .
Specify period as a number followed by d
for days, h for hours, w for weeks, m
for months (really 30 days) or y for
years. There are also two special values
for period: now and never. -p now forces
log rotation. -p never forces no log
rotation.
-P timestamp Used by logadm to record the last time
the log was rotated in /etc/logadm.conf.
This option uses timestamp to determine
if the log rotation period has passed.
The format of timestamp matches the for-
mat generated by ctime(3C), with quotes
around it to protect embedded spaces.
timestamp is always recorded in the
Coordinated Universal Time (UTC)
timezone.
-r Remove any entries corresponding to the
specified logname from the
-R cmd Run the cmd when an old log file is
created by a log rotation. If the key-
word $file is embedded in the specified
command, it is expanded to the name of
the old log file just created by log
This option is useful for processing log
file contents after rotating the log.
cmd is executed by passing it to sh -c.
When rotating multiple logs with one
logadm command, the command supplied
with -R is executed once every time a
log is rotated. This is useful for
post-processing a log file (that is,
sorting it, removing uninteresting
lines, etc.). The -a option is a better
choice for restarting daemons after log
-s size Rotate the log file only if its size is
greater than or equal to size.
Specify size as a number followed by the
letter b for bytes, k for kilobytes, m
for megabytes, or g for gigabytes.
-S size Delete the oldest versions until the
total disk space used by the old log
files is less than the specified size.
-t template Specify the template to use when renam-
ing log files.
template can be a simple name, such as
/var/adm/oldfile, or it can contain spe-
cial keywords which are expanded by
logadm and are in the form $word.
Allowed sequences are:
$file The full
path name of
the file to
be rotated
$dirname The direc-
tory of the
file to be
rotated
$basename The log file
name,
without the
directory
name
$n The version
number, 0 is
most recent,
1 is next
and so forth
$N The same as
$n, but
starts at 1
instead of
zero
$secs The number
of seconds
since
00:00:00
UTC, January
1,1970
$nodename Expands to
the output
of uname -n
$platform Expands to
of uname -i
$isa Expands to
of uname -p
$release Expands to
of uname -r
$machine Expands to
of uname -m
$domain Expands to
of domain-
To actually have the dollar sign charac-
ter in the file name, use $$. Any per-
cent sequences allowed by strftime(3C)
are also allowed, for example, %d
expands to the day of the month. To
actually have a percent sign character
in the file name, use %%. Both dollar-
sign keywords and percent sequences can
appear anywhere in the template. If the
template results in a pathname with
non-existent directories, they are
created as necessary when rotating the
If no –t option is specified, the default
template is $file.$n. Actual rotation of
log files, where each version is shifted
up until it expires is done using the $n
keyword. If the template does not con-
tain the $n keyword, the log file is
simply renamed to the new name and then
the expire rules, if any, are applied.
-T pattern Normally logadm looks for a list of old
log files by turning the template
(specified with the -t option) into a
pattern and finding existing files whose
names match that pattern. The -T option
causes the given pattern to be used
instead.
This option is useful if another program
fiddles with the old log file names,
like a cron job to compress them over
time. The pattern is in the form of a
pathname with special characters such as
* and ? as supported by csh(1) filename
substitution.
-v Print information about the actions
being executed in verbose mode.
-V Validate the configuration file.
This option validates that an entry for
the specified logname exists in the
/etc/logadm.conf file and is syntacti-
cally correct. If logname is not speci-
fied, all entries in the configuration
file are validated. If a logname argu-
ment is specified, the command validates
the syntax of that entry. If the entry
is found, it is printed and the exit
value of the command is true. Otherwise
the exit value is false.
-w entryname Write an entry into the config file
(that is, /etc/logadm.conf) that
corresponds to the current command line
arguments. If an entry already existed
for the specified entryname, it is
removed first. This is the preferred
method for updating /etc/logadm.conf,
because it prevents syntax errors in
that file. The entryname is an argument
to an invocation of logadm. The
entryname might be chosen as something
easy to remember or it can be the path-
name ofthe log file.
If no log file name is provided on a
logadm command line, the entry name is
assumed to be the same as the log file
name. For example, the following two
lines achieve the same result, keeping
two copies of rotated log files:
% logadm -C2 -w mylog /my/really/long/log/file/name
% logadm -C2 -w /my/really/long/log/file/name
-z count Compress old log files as they are
created. count of the most recent log
files are left uncompressed, therefore
making the count most recent files
easier to peruse. Use count of zero to
compress all old logs.
The compression is done with gzip(1) and
the resulting log file has the suffix of .gz.
OPERANDS
The following operands are supported:
logname Identifies the name of the entry
in /etc/logadm.conf. If the log
file name is specified in the
logname field, it is assumed
that logname is the same as the
actual log file name.
EXAMPLES
Example 1 Rotating a File and Keeping Previous Versios
The following example rotates the /var/adm/exacct/proc file,
keeping ten previous versions in /var/adm/exacct/proc.0
through /var/adm/exacct/proc.9.
Tell logadm to copy the file and truncate it.
% logadm -c /var/adm/exacct/proc
Example 2 Rotating syslog
The following example rotates syslog and keeps eight log
files. Old log files are put in the directory /var/oldlogs
instead of /var/log:
% logadm -C8 -t'/var/oldlogs/syslog.$n' /var/log/syslog
Example 3 Rotating /var/adm/sulog and Expiring Based on Age
The following entry in the /etc/logadm.conf file rotates the
/var/adm/sulog file and expires any copies older than 30
days.
/var/adm/sulog -A 30d
Example 4 Rotating Files and Expiring Based on Disk Usage
/var/adm/sulog file and expires old log files when more than
100 megabytes are used by the sum of all the rotated log
/var/adm/sulog -S 100m
Example 5 Creating an Entry that Stores the Logfile Name
This example creates an entry storing the log file name and
the fact that we want to keep 20 copies in /etc/logadm.conf,
but the -p never means the entry is ignored by the normal
logadm run from root's crontab every morning.
% logadm -w locallog /usr/local/logfile -C20 -p never
Use the following entry on the command line to override the
-p never option:
% logadm -p now locallog
Example 6 Rotating the apache Error and Access Logs
The following example rotates the apache error and access
logs monthly to filenames based on current year and month.
It keeps the 24 most recent copies and tells apache to res-
tart after renaming the logs.
This command is run once, and since the -w option is speci-
fied, an entry is made in /etc/logadm.conf so the apache
logs are rotated from now on.
% logadm -w apache -p 1m -C 24\
-t '/var/apache/old-logs/$basename.%Y-%m'\
-a '/usr/apache/bin/apachectl graceful'\
'/var/apache/logs/*{access,error}_log'
This example also illustrates that the entry name supplied
with the -w option doesn't have to match the log file name.
In this example, the entry name is apache and once the line
has been run, the entry in /etc/logadm.conf can be forced to
run by executing the following command:
% logadm -p now apache
Because the expression matching the apache log file names
was enclosed in quotes, the expression is stored in
/etc/logadm.conf, rather than the list of files that it
expands to. This means that each time logadm runs from cron
it expands that expression and checks all the log files in
the resulting list to see if they need rotating.
The following command is an example without the quotes
around the log name expression. The shell expands the last
argument into a list of log files that exist at the time the
command is entered, and writes an entry to /etc/logadm.conf
that rotates the files.
logadm -w apache /var/apache/logs/*_log
NOTES
When logadm applies expire conditions (supplied by the -A,
-C, and -S options), it deletes files, the oldest first,
until the conditions are satisfied. If the template used for
naming the old logs contained $n or $N, logadm picks the
highest value of $n or $N found in the old log file names
first. If the template used is something else, logadm uses
the modification time to determine which files to expire
first. This might not be the expected behavior if an old log
file has been modified since it was rotated.
Note that, depending on log file sizes and number of log
files, log file rotations can be very time-consuming.
November 22, 2018
Webinar - Dusan Baljevic

14. Solaris /etc/logadm.conf (part 1/2)
logadm.conf specifies the schedule for log rotation and options with which rotation will be performed. The default configuration:
/var/log/syslog -C 8 -P 'Sun Sep 14 17:10: ' -a 'kill -HUP `cat /var/run/syslog.pid`‘
/var/adm/messages -C 4 -P 'Fri Sep 12 17:10: ' -a 'kill -HUP `cat /var/run/syslog.pid`'
/var/cron/log -P 'Fri Aug 22 17:10: ' -c -s 512k -t /var/cron/olog
/var/lp/logs/lpsched -C 2 -N -t '$file.$N'
November 22, 2018
Webinar - Dusan Baljevic

15. Solaris /etc/logadm.conf (part 2/2)
/var/fm/fmd/errlog -M '/usr/sbin/fmadm -q rotate errlog && mv /var/fm/fmd/errlog.0- $nfile' -N -s 2m
smf_logs -C 8 -s 1m /var/svc/log/*.log
/var/adm/pacct -C 0 -N -a '/usr/lib/acct/accton pacct' -g adm -m 664 -o adm -p never
/var/log/pool/poold -N -a 'pkill -HUP poold; true' -s 512k
/var/fm/fmd/fltlog -A 6m -M '/usr/sbin/fmadm -q rotate fltlog && mv /var/fm/fmd/fltlog.0- $nfile' -N -s 10m
November 22, 2018
Webinar - Dusan Baljevic

16. Solaris logadm Command Usage (part 1/3)
Usage: logadm [options]
(processes all entries in /etc/logadm.conf or conffile given by -f)
or: logadm [options] logname... (processes the given lognames)
General options:
-e mailaddr mail errors to given address
-f conffile use conffile instead of /etc/logadm.conf
-h display help
-N not an error if log file nonexistent
-n show actions, don't perform them
-r remove logname entry from conffile
-V ensure conffile entries exist, correct
-v print info about actions happening
-w entryname write entry to config file
November 22, 2018
Webinar - Dusan Baljevic

17. Solaris logadm Command Usage (part 2/3)
Options which control when a logfile is rotated:
(default is: -s1b -p1w if no -s or -p)
-p period only rotate if period passed since last rotate
-P timestamp used to store rotation date in conffile
-s size only rotate if given size or greater
Options which control how a logfile is rotated:
(default is: -t '$file.$n', owner/group/mode taken from log file)
-a cmd execute cmd after taking actions
-b cmd execute cmd before taking actions
-c copy & truncate logfile, don't rename
-g group new empty log file group
-l rotate log file with local time rather than UTC
-m mode new empty log file mode
-M cmd execute cmd to rotate the log file
-o owner new empty log file owner
-R cmd run cmd on file after rotate
-t template template for naming old logs
-z count gzip old logs except most recent count
November 22, 2018
Webinar - Dusan Baljevic

18. Solaris logadm Command Usage (part 3/3)
Options which control the expiration of old logfiles:
(default is: -C10 if no -A, -C, or -S)
-A age expire logs older than age
-C count expire old logs until count remain
-E cmd run cmd on file to expire
-S size expire until space used is below size
-T pattern pattern for finding old logs
November 22, 2018
Webinar - Dusan Baljevic

19. Solaris logadm and Timezone
By default, logadm works in GMT. All entries written to the /etc/logadm.conf file will have a GMT timestamp
Use the “-l” option to set logadm to local time
November 22, 2018
Webinar - Dusan Baljevic

20. Solaris logadm – Example for wtmpx
Add into /etc/logadm.conf
/var/adm/utmpx -C 12 -P ‘Mon Oct 13 17:00: ' -s 100m -z 0
"-C 12" means it will preserve 12 versions of the log file
"-P .." means when to first start processing the log file
"-s 100m" defines the maximum size of the log file before it is rotated
"-z 0" sets the gzip compression
Run command:
# logadm
Check it:
# logadm -V
November 22, 2018
Webinar - Dusan Baljevic

21. Webinar - Dusan Baljevic
HP-UX 11i syslogd
HP-UX 11i v1 and earlier do not have log file automation
HP-UX and later syslogd logs messages into a set of files. Once the size of a log file reaches 2 GB, syslogd stops logging to that file. Configure the maximum size of syslogd log files by setting the variable LOG_SIZE in /etc/default/syslogd
The value of LOG_SIZE can be any positive integer greater than 2, representing the maximum size of the file in GB. When LOG_SIZE=NOLIMIT, syslogd uses the limit imposed by the file system on file size
PREV_OLDSYSLOG_LINES: The number of kilo lines that should be carried
from the previous /var/adm/syslog/OLDsyslog.log along with the contents of previous
/var/adm/syslog/syslog.log to the current /var/adm/syslog/OLDsyslog.log. The value should
strictly be a number. Default is 0 which makes the present OLDsyslog.log contain only the previous
syslog.log contents.
November 22, 2018
Webinar - Dusan Baljevic

22. HP-UX 11i syslogd Simple Rotation
# /sbin/init.d/syslogd stop
# /sbin/init.d/syslogd start
It will rename syslog.log to OLDsyslog.log in /var/adm/syslog directory.
November 22, 2018
Webinar - Dusan Baljevic

23. HP-UX 11i Other RC Cleanups
/etc/rc.config.d/clean_tmp for /tmp cleanup at boot
CLEAR_TMP=1
/etc/rc.config.d/clean
CLEAN_ADM=1
CLEAN_UUCP=1
/var/adm/sulog /var/adm/diaglog /var/adm/messages renamed to OLD*
/etc/rc.config.d/clean_uucp uuclean(1m) at boot
November 22, 2018
Webinar - Dusan Baljevic

24. HP-UX 11i Examples of Log Directories and Files
Examples of log files that can grow out of bounds:
/var/spool/lp
/var/adm/lp
/var/opt/perf/datafiles
lost+found directories in top-level of each file system
/var/adm/diag
/var/opt/ignite
/var/stm/logs/sys *
/var/adm/wtmp
/var/adm/wtmps
/var/adm/btmp
/var/adm/sw
(others truncated for the sake of brevity)
* I once had a call to help with a critical case for a customer who had diaglogd_activity_log larger than 2 GB
(activity log of a MESA diagnostics daemon). It remained a mystery why level-1 and level-2 teams
did not detect this out-of-bounds growth.
November 22, 2018
Webinar - Dusan Baljevic

25. Webinar - Dusan Baljevic
HP-UX 11i auto_parms.log
/etc/auto_parms.log is updated by auto_parms(1m) command that handles first-boot configuration (setting of unique system “initial identity parameters”), and ongoing management of DHCP leases
auto_parms(1m) saves old copy into /etc/auto_parms.log.old
November 22, 2018
Webinar - Dusan Baljevic

26. Webinar - Dusan Baljevic
HP-UX 11i rc.log
Run Command (RC) scripts update /etc/rc.log at boot time
At reboot, previous version of /etc/rc.log is renamed to /etc/rc.log.old
November 22, 2018
Webinar - Dusan Baljevic

27. Webinar - Dusan Baljevic
HP-UX 11i EMS Logs
The EMS log files in /etc/opt/resmon/log are limited to 500 KB in size and are then moved to <logfile>.old. The previous *.old gets lost
The limit of 500 KB per logfile can be removed by creating the file /etc/opt/resmon/unlimited_log
Be careful with creating the unlimited_log. Growing EMS log files can easily fill up root file system
November 22, 2018
Webinar - Dusan Baljevic

28. HP-UX 11i Glance and MeasureWare Logs
/var/opt/perf/parm is read by both the GlancePlus product and the MeasureWare products. Glance uses only the Application definitions
size global=10, application=10, process=20, device=10, transaction=10
The sizes are in MB
The logfiles are stored in /var/opt/perf/datafiles directory
November 22, 2018
Webinar - Dusan Baljevic

29. HP-UX 11i Integrity VM Driver Log File
/var/opt/hpvm/common/hpvm_mon_log is limited to 1024 KB by default. When the log file grows larger than this, it is copied to a new file (hpvm_mon_log.$time) and an empty one is created for the new log
To allow this log file to grow larger than 1024 KB, include the following line in /etc/rc.config.d/hpvmconf
VMMLOGSIZE= # In KB
Then, restart the daemon:
# kill –HUP `cat /var/run/hpvmmonlogd.pid`
November 22, 2018
Webinar - Dusan Baljevic

30. HP-UX 11i Integrity VM Guest Log File
/var/opt/hpvm/guests/guest_name/log file records guest start and stop information. These log files can grown very large
To close the current log file, rename it, and open a new one:
# hpvmconsole rec -rotate
November 22, 2018
Webinar - Dusan Baljevic

31. Webinar - Dusan Baljevic
HP-UX 11i SMH *
# cat /opt/hpsmh/conf.common/smhpd.xml
<?xml version="1.0" encoding="UTF-8"?>
<system-management-homepage>
<admin-group></admin-group>
<operator-group></operator-group>
<user-group></user-group>
<allow-default-os-admin>True</allow-default-os-admin>
<anonymous-access>False</anonymous-access>
<localaccess-enabled>False</localaccess-enabled>
<localaccess-type>Anonymous</localaccess-type>
<trustmode>TrustByCert</trustmode>
<xenamelist></xenamelist>
<ip-restricted-logins>False</ip-restricted-logins>
<ip-restricted-include></ip-restricted-include>
<ip-restricted-exclude></ip-restricted-exclude>
<ip-binding>False</ip-binding>
<ip-binding-list></ip-binding-list>
<rotate-logs-size>N</rotate-logs-size>
</system-management-homepage>
Microsoft Windows version of SMH supports log file rotation:
<rotate-logs-size>N</rotate-logs-size>
The <rotate-logs-size> tag defines the HP SMH Rotate Logs file size.
To change the Rotate Logs file size, you will need to edit the configuration file
%SystemDrive%\hp\hpsmh\conf\smhpd.xml.
You can define the <rotate-logs-size> tag using any value between 1 and 99,
which represents the log size in megabytes.
November 22, 2018
Webinar - Dusan Baljevic

32. Webinar - Dusan Baljevic
HP-UX 11i TCB Auditing
It records instances of access by subjects to objects and allows detection of any (repeated) attempts to bypass the protection mechanism and any misuses of privileges
audsys allows the user to start or halt the auditing system, to specify the auditing system "current" and "next" audit files (and their switch sizes), or to display auditing system status information. The "current" audit file is the file to which the auditing system writes audit records. When the "current" file grows to either its Audit File Switch (AFS) size or its File Space Switch (FSS) size (see audomon), the auditing system switches to write to the "next“ audit file
# audsys
Auditing system is currently on
current file: /var/adm/audit/audfile1
next file: /var/adm/audit/audfile2
statistics afs Kb used Kb avail % fs Kb used Kb avail %
current file:
next file:
Manual process for automated audsys log file rotation is necessary
November 22, 2018
Webinar - Dusan Baljevic

33. Webinar - Dusan Baljevic
HP-UX 11i HIDS
HIDS log files increase rapidly. However, the Configuration Change Console agent keeps log files truncated to save disk space. To ensure that the log files do not increase in file size while the agent is not running, run a script to periodically truncate the HIDS log files.
A sample script to manage HIDS log files is provided. This script should be run
from the crontab:
#!/bin/sh
filesize=`/bin/ls -l /var/opt/ids/alert.log | /bin/awk '{print $5}'`
if [ "$filesize" -gt " " ]
then
mv /var/opt/ids/alert.log /var/opt/ids/alert.log_Dec_2008 fi
rm /var/opt/ids/ids_1*
Sample entry to configure the crontab to run every hour where the bold letters are replaced by the actual path of the trunclog.sh file:
0 * * * * /<location of script>/trunclog.sh 2>/dev/null 2>&1
IDS_ALERTFILE /var/opt/ids/alert.log
IDS_ERRORFILE /var/opt/ids/error.log
IDS_LISTEN_IFACE "“
IDS_RT_RESPONSE_DIR /opt/ids/rt_response
IDS_RESPONSE_DIR /opt/ids/response
They are defined as follows:
IDS_ALERTFILE
The full path name to the alert log file for this HP-UX HIDS agent process. Any alerts resulting from intrusive activity detected by the agent software will be logged to this file.
IDS_ERRORFILE
The full path name to the error log file for this HP-UX HIDS agent process. Any errors generated in the operation of the agent software will be logged to this file.
IDS_LISTEN_IFACE
The IP address or host name associated with the agent system’s network interface card.
On a system with only one IP address, this parameter does not need to be specified.
On a multihomed system (a system with more than one network interface card) this parameter is required.
IDS_RT_RESPONSE_DIR
The full path name to the automated response directory, containing executable binary or script programs that are executed on the agent node. These programs are executed when a real-time alert is generated and when both the Alert Aggregation and the Real Time Alerts options are enabled. The programs can take any actions that you deem appropriate.
IDS_RESPONSE_DIR
The full path name to the automated response directory containing executable binary or script programs that are executed on the agent node. These programs are executed either when alert aggregation is disabled and any alert is generated or when alert aggregation is enabled and an aggregated alert or an alert that is not or cannot be aggregated is generated. The programs can take any actions that you deem appropriate.
November 22, 2018
Webinar - Dusan Baljevic

34. HP-UX 11i ServiceGuard Package Log File
SCRIPT_LOG_FILE (SG ) A new package attribute that allows a name to be assigned to a package log file
Necessary for support of multiple packages sharing a common package control script
Legacy Package Configuration
SCRIPT_LOG_FILE /etc/cmcluster/pkga/pkga.log
Modular Package Configuration
script_log_file $SGRUN/log/$SG_PACKAGE.log
November 22, 2018
Webinar - Dusan Baljevic

35. Webinar - Dusan Baljevic
HP-UX 11i ulimit
# ulimit -a
time(seconds) unlimited
file(blocks) unlimited
data(kbytes)
stack(kbytes)
memory(kbytes) unlimited
coredump(blocks)
nofiles(descriptors) 2048
Can be set globally or per user
November 22, 2018
Webinar - Dusan Baljevic

36. Webinar - Dusan Baljevic
HP-UX 11i v3 coreadm *
# coreadm
global core file pattern:
init(1M) core file pattern:
global core dumps: disabled
per-process core dumps: enabled
global setid core dumps: disabled
per-process setid core dumps: disabled
* HP-UX 11i v3 and above
November 22, 2018
Webinar - Dusan Baljevic

37. HP-UX cleanup - HP-UX patch cleanup utility
# cleanup –c 1
The cleanup command provides functions useful when dealing with HP-UX patches.
The cleanup command logs all information to /var/adm/cleanup.log.
November 22, 2018
Webinar - Dusan Baljevic

38. HP-UX savecrash utility
/etc/rc.config.d/savecrash
CHUNK_SIZE Size of single crash image file (how big you want each of
image.n.x, image.n.x+1, etc. to be).
If not specified, savecrash will choose one based on the
physical memory size of the system. Can be specified in
bytes (b), kilobytes (k), megabytes (m), or gigabytes (g).
The default unit is KB.
See savecrash(1M) “–s” option for size constraints.
COMPRESS: Whether you want the kernel and crash image files to be
compressed.
Little reminder about crashdumps in HP-UX when the server has multiple CPUs:
One CPU per dump unit for an uncompressed dump. For example,
to achieve 4-way parallelism (4 dump units) in an uncompressed dump,
the system must have at least 4 CPUs.
Five CPUs per dump unit for a compressed dump (4 CPUs compressing data
and one CPU writing the data to the disks).
November 22, 2018
Webinar - Dusan Baljevic

39. HP-UX Alternative Log File Tools (part 1/3)
Old but maybe still applicable bundle (needs to be tested):
Shell script logrotate:
Scripts based on Perl modules like Logfile-Rotate
Perl-Logrotate:
November 22, 2018
Webinar - Dusan Baljevic

40. HP-UX Alternative Log File Tools (part 2/3)
newsyslog project (old and possibly obsolete):
logtrim by Bill Hassell (released in HP ITRC forum several years ago):
Replace standard syslog daemon with Syslog-NG and SQL database:
November 22, 2018
Webinar - Dusan Baljevic

41. HP-UX Alternative Log File Tools (part 3/3)
smartlog (very old bundles for HP-UX and only):
Many other Shell scripts, for example:
LogWatch:
November 22, 2018
Webinar - Dusan Baljevic

42. Webinar - Dusan Baljevic
HP-UX Syslog-NG
Syslog-NG and SQL database (MySQL, Microsoft SQL (MSSQL), Oracle, PostgreSQL, SQLite)
Log rotation based on output filenames - Log output filenames can be based on templates names which support macro expansion. For example, if the output filename template contains the month macro, a new filename will created each month
Often, syslog-ng is used for log file consolidation (centralized management)
November 22, 2018
Webinar - Dusan Baljevic

43. Webinar - Dusan Baljevic
Conclusion
Log file management is mostly managed reactively
Majority of Unix admins I meet are not aware of OS-native tools that are designed for log file administration
November 22, 2018
Webinar - Dusan Baljevic

44. Dusan Baljevic Sydney, Australia
Thank You!
Dusan Baljevic
Sydney, Australia