Published by August Lane. Modified over 6 years ago.
Unity and Disunity of Unix Log File Management Tools
Dusan Baljevic, Sydney, Australia
Unix Log Files and Their Management Tools - Present
Most of the time, admins rely on shell or Perl scripts. The find command is also commonly used for cleanups.
November 22, 2018 Webinar - Dusan Baljevic
Unix Log Files and Their Management Tools
Solaris: logadm
Linux: logrotate
AIX: rotation and compression built into syslogd
HP-UX: various tools
AIX syslog

AIX has built-in log file rotation and compression. The rotation fields are optional.

Format:
  msg_src_list destination [rotate [size sizek|m] [files files] [time timeh|d|w|m|y] [compress] [archive archive]]

msg_src_list is a semicolon-separated list of facility.priority:
  facility: all (except mark); mark (time marks); kern, user, mail, daemon, auth, ...
  priority, from high to low: emerg/panic, alert, crit, err(or), warn(ing), notice, info, debug (meaning all messages of this priority or higher)

destination is one of:
  /filename                 log to this file
  username[,username2...]   write to the listed user(s)
  @hostname                 send to syslogd on that host
  *                         send to all logged-in users
AIX syslog Features (part 1/2)
If the destination is a regular file and the word rotate is specified, the destination is limited by size or time, or both. Backup file names are created by appending a period and a number to the destination, starting with .0. The time value causes the destination to be rotated after that time. If both time and size are specified, the log file is rotated when its size exceeds size or the time elapses, whichever comes first.

If the compress option is specified, rotated log file names get a .Z extension. The files keyword applies only to the log files currently under rotation: with compress specified, only files with the .Z extension are under rotation and their number is limited by files files. Log files with any other extension are outside the rotation scheme and are not subject to the files limit. Similarly, if the compress option is removed, the .Z files generated earlier are no longer part of the rotation scheme and are not limited by files files.
AIX syslog Features (part 2/2)
The minimum size that can be specified is 10k; the minimum number of files is 2. The default size is 1MB and the default for files is unlimited, so if only rotate is specified the log is rotated at size = 1m and the number of backups is unbounded unless files is set. The compress option compresses rotated log files that are no longer in use. The archive option saves rotated log files that are no longer in use to archive. The default is not to rotate log files at all.

The letter indicating the unit must immediately follow the number. For example, to rotate every two days, time 2d is correct but time 2 d is not.
AIX /etc/syslog.conf Example

/etc/syslog.conf:
  *.info        /var/adm/syslog/syslog.log
  *.alert       /var/adm/syslog/syslog.log
  *.notice      /var/adm/syslog/syslog.log
  *.warning     /var/adm/syslog/syslog.log
  *.err         /var/adm/syslog/syslog.log
  *.crit        /var/adm/syslog/syslog.log rotate time 1d files 9
  daemon.debug  /var/adm/ftpd.log rotate size 1024k files 5
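The rotate syntax and limits from the preceding slides, checked in code. This is an added example and not part of the webinar: a stand-alone Python checker that parses the rotate clause of each AIX syslog.conf line and enforces the documented rules (unit letter attached to the number, minimum size 10k, minimum files 2, default size 1m, default files unlimited). The embedded sample configuration is constructed from the example above plus two deliberately wrong lines.

```python
"""Lint the 'rotate' clause of AIX syslog.conf lines (added example).

Encodes the limits documented for AIX syslogd: the unit letter must
immediately follow the number (time 2d, not time 2 d), the minimum size
is 10k, the minimum number of files is 2, the default size is 1m and
the default number of files is unlimited.
"""
import re

SIZE_RE = re.compile(r"^(\d+)([km])$")
TIME_RE = re.compile(r"^(\d+)([hdwmy])$")
KB = 1024

# Constructed sample: the /etc/syslog.conf from the slide above, plus two
# deliberately wrong lines at the end.
SAMPLE_CONF = """\
*.info        /var/adm/syslog/syslog.log
*.alert       /var/adm/syslog/syslog.log
*.crit        /var/adm/syslog/syslog.log rotate time 1d files 9
daemon.debug  /var/adm/ftpd.log rotate size 1024k files 5 compress
auth.info     /var/adm/auth.log rotate time 2 d
kern.debug    /var/adm/kern.log rotate size 5k files 1
"""


def parse_rotate(clause):
    """Parse 'rotate [size Nk|m] [files N] [time Nh|d|w|m|y] [compress] [archive dir]'.

    Returns the effective policy as a dict, or raises ValueError.
    """
    tokens = clause.split()
    if not tokens or tokens[0] != "rotate":
        raise ValueError("clause must start with 'rotate'")
    policy = {"size_bytes": KB * KB, "files": None, "time": None,
              "compress": False, "archive": None}
    i = 1
    while i < len(tokens):
        key = tokens[i]
        if key == "compress":
            policy["compress"] = True
            i += 1
            continue
        if i + 1 >= len(tokens):
            raise ValueError("keyword %r needs a value" % key)
        val = tokens[i + 1]
        if key == "size":
            m = SIZE_RE.match(val)
            if not m:
                raise ValueError("bad size %r: unit k|m must follow the number" % val)
            size = int(m.group(1)) * (KB if m.group(2) == "k" else KB * KB)
            if size < 10 * KB:
                raise ValueError("size %r is below the 10k minimum" % val)
            policy["size_bytes"] = size
        elif key == "files":
            if not val.isdigit() or int(val) < 2:
                raise ValueError("files %r must be an integer >= 2" % val)
            policy["files"] = int(val)
        elif key == "time":
            m = TIME_RE.match(val)
            if not m:
                raise ValueError("bad time %r: write 2d, not '2 d'" % val)
            policy["time"] = (int(m.group(1)), m.group(2))
        elif key == "archive":
            policy["archive"] = val
        else:
            raise ValueError("unknown rotate keyword %r" % key)
        i += 2
    return policy


def check_syslog_conf(text):
    """Check every 'selector destination [rotate ...]' line.

    Returns (selector, destination, policy) for good lines, with policy None
    when no rotation is configured (the file grows unbounded), and
    ("error", line, message) for bad ones, so a whole file is reported at once.
    """
    results = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) < 2:
            results.append(("error", line, "selector and destination required"))
            continue
        selector, dest = parts[0], parts[1]
        rest = parts[2] if len(parts) == 3 else ""
        if not rest:
            results.append((selector, dest, None))
            continue
        try:
            results.append((selector, dest, parse_rotate(rest)))
        except ValueError as err:
            results.append(("error", line, str(err)))
    return results


if __name__ == "__main__":
    for item in check_syslog_conf(SAMPLE_CONF):
        print(item)
```

Run it against a real /etc/syslog.conf before refreshing syslogd; the two bad sample lines show the two mistakes the slides warn about (a detached unit letter and a size under the 10k minimum).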
Linux logrotate

logrotate allows automatic rotation, compression, removal, and mailing of log files. Each log file may be handled daily, weekly, monthly, or when it grows too large. Normally logrotate runs as a daily cron job. It does not modify a log more than once a day unless the criterion for that log is based on size and logrotate is run several times a day, or unless the -f/--force option is used.

Cron job /etc/cron.daily/logrotate:
  #!/bin/sh
  /usr/sbin/logrotate /etc/logrotate.conf
  EXITVALUE=$?
  if [ $EXITVALUE != 0 ]; then
      /usr/bin/logger -t logrotate "ALERT exited abnormally with [$EXITVALUE]"
  fi
  exit 0
Linux /etc/logrotate.conf
weekly
rotate 4
create
dateext
include /etc/logrotate.d

/var/log/wtmp {
    monthly
    create 0664 root utmp
    rotate 1
}

/var/log/btmp {
    missingok
    create 0600 root utmp
}

btmp (failed logins) is created 0600 because it routinely contains passwords typed into the username field.
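A reader for this configuration format, added here as an example that is not part of logrotate: it parses the global directives, the path { ... } blocks and any prerotate/postrotate scripts, computes the effective policy for each block (block directives override the global ones), and flags settings a reviewer would question. The sample text is constructed from the configuration above plus one made-up block with weak settings.

```python
"""Parse logrotate.conf-style configuration and lint it (added example).

Not part of logrotate itself: a small reader for the global directives,
the 'path ... { ... }' blocks and prerotate/postrotate scripts, which then
reports each log's effective policy and flags settings worth a second look
(world-writable 'create' modes, 'rotate 0', and post-rotation hooks that
signal whatever pid a pid file happens to contain).
"""
import re
import shlex

FREQUENCIES = ("hourly", "daily", "weekly", "monthly", "yearly")
SCRIPT_KEYS = {"prerotate", "postrotate", "firstaction", "lastaction", "preremove"}
PIDFILE_KILL = re.compile(r"kill\b.*\bcat\b.*\.pid")

# Constructed sample: the /etc/logrotate.conf above, plus one made-up
# block with questionable settings.
SAMPLE_CONF = """\
weekly
rotate 4
create
dateext
include /etc/logrotate.d

/var/log/wtmp {
    monthly
    create 0664 root utmp
    rotate 1
}

/var/log/btmp {
    missingok
    create 0600 root utmp
}

/var/log/app/*.log {
    create 0666 app app
    rotate 0
    postrotate
        kill -HUP `cat /var/run/app.pid 2>/dev/null` 2>/dev/null || true
    endscript
}
"""


def parse_logrotate(text):
    """Return (global_directives, blocks). Each block is a dict with
    'paths', 'directives' (name -> argument list) and 'scripts' (name -> text)."""
    globals_, blocks, block, script = {}, [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if script is not None:                       # inside ... endscript
            if line == "endscript":
                block["scripts"][script[0]] = "\n".join(script[1])
                script = None
            else:
                script[1].append(line)
            continue
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            block = {"paths": shlex.split(line[:-1]), "directives": {}, "scripts": {}}
            blocks.append(block)
            continue
        if line == "}":
            block = None
            continue
        tokens = shlex.split(line)
        key, args = tokens[0], tokens[1:]
        if key in SCRIPT_KEYS:
            if block is None:
                raise ValueError("%s outside a block" % key)
            script = (key, [])
            continue
        (globals_ if block is None else block["directives"])[key] = args
    if block is not None or script is not None:
        raise ValueError("unterminated block or script")
    return globals_, blocks


def effective_policy(globals_, block):
    """Block directives override the global ones; the last frequency keyword wins."""
    merged = dict(globals_)
    merged.update(block["directives"])
    freqs = ([k for k in block["directives"] if k in FREQUENCIES]
             or [k for k in globals_ if k in FREQUENCIES])
    return {
        "frequency": freqs[-1] if freqs else None,
        "rotate": int(merged["rotate"][0]) if "rotate" in merged else 0,
        "create": merged.get("create"),        # None, [] or [mode, owner, group]
        "compress": "compress" in merged and "nocompress" not in block["directives"],
    }


def lint(globals_, blocks):
    """Return (paths, message) findings for settings worth a second look."""
    findings = []
    for block in blocks:
        name = " ".join(block["paths"])
        pol = effective_policy(globals_, block)
        create = pol["create"]
        if create and re.fullmatch(r"[0-7]{3,4}", create[0]) and int(create[0], 8) & 0o002:
            findings.append((name, "create mode %s is world writable" % create[0]))
        if pol["rotate"] == 0:
            findings.append((name, "rotate 0: old logs are deleted, not kept"))
        for key, body in block["scripts"].items():
            if PIDFILE_KILL.search(body):
                findings.append((name, "%s signals an unchecked pid from a pid file" % key))
    return findings


if __name__ == "__main__":
    g, b = parse_logrotate(SAMPLE_CONF)
    for blk in b:
        print(" ".join(blk["paths"]), effective_policy(g, blk))
    for path, msg in lint(g, b):
        print("WARN", path, msg)
```

The reader deliberately ignores the include directive rather than opening files, so the same code can be pointed at a concatenation of /etc/logrotate.conf and /etc/logrotate.d/* when a whole host is reviewed.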
Linux logrotate Command Usage
Usage: logrotate [OPTION...] <configfile>
  -d, --debug             Don't do anything, just test (implies -v)
  -f, --force             Force file rotation
  -m, --mail=command      Command to send mail (instead of `/bin/mail')
  -s, --state=statefile   Path of state file
  -v, --verbose           Display messages during rotation

Help options:
  -?, --help              Show this help message
  --usage                 Display brief usage message
Linux /etc/logrotate.d Directory
# ls /etc/logrotate.d
bittorrent  clamav-update  collectl  cups  dirmngr  fail2ban  httpd  mgetty  mimedefang  munin  munin-node  nagios  named  ppp  psacct  rpm  samba  sa-update  setroubleshoot  snmpd  squid  squidGuard  syslog  tux  wpa_supplicant  yum  zabbix
Linux /etc/logrotate.d Example
# cat /etc/logrotate.d/httpd
/var/log/httpd/*log {
    missingok
    notifempty
    sharedscripts
    postrotate
        kill -HUP `cat /var/run/httpd.pid 2>/dev/null` 2> /dev/null || true
    endscript
}
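The postrotate hook above sends SIGHUP to whatever number /var/run/httpd.pid contains and discards every error. An empty or stale pid file means the daemon is never told to reopen its logs, and a pid file rewritten by a compromised daemon turns a root-run hook into a signal to an arbitrary process. The following added example (not part of logrotate or httpd) is a replacement hook that refuses to signal unless the file holds a plausible pid, the process is alive, and its command name matches the expected daemon. Reading the command name from /proc/<pid>/comm is a Linux assumption; the reader and the kill call are injectable so the logic can be exercised without a live daemon.

```python
"""Validate a pid file before sending SIGHUP from a rotation hook (added example).

Reads the pid, checks the process exists and that its command name matches
the daemon we expect, and only then signals. Everything else is refused
with a reason, instead of being hidden behind 2>/dev/null || true.
"""
import os
import signal
import sys


def read_comm(pid):
    """Command name of a live process via procfs (Linux assumption), or None.

    Note the kernel truncates comm to 15 characters, so expected_comm below
    must be the truncated name for long daemon names.
    """
    try:
        with open("/proc/%d/comm" % pid) as fh:
            return fh.read().strip()
    except OSError:
        return None


def pid_from_text(text):
    """Parse pid file contents; None for anything that is not a plain pid > 1.

    'kill -HUP' with an empty argument fails, with 0 it signals the whole
    process group, and 1 is init: none of those should ever be reachable.
    """
    raw = text.strip()
    if not raw.isdigit() or len(raw) > 10:
        return None
    pid = int(raw)
    return pid if pid > 1 else None


def checked_hup(pid_text, expected_comm, comm_of=read_comm, send=os.kill):
    """Send SIGHUP only if pid_text names a live process whose comm matches.

    Returns (sent, reason); nothing is sent on any doubt.
    """
    pid = pid_from_text(pid_text)
    if pid is None:
        return False, "pid file empty or malformed"
    comm = comm_of(pid)
    if comm is None:
        return False, "pid %d not running (stale pid file)" % pid
    if comm != expected_comm:
        return False, "pid %d is %r, expected %r: not signalling" % (pid, comm, expected_comm)
    send(pid, signal.SIGHUP)
    return True, "SIGHUP sent to pid %d" % pid


def hup_from_pidfile(path, expected_comm):
    """Read the pid file (32 bytes are plenty for a pid) and apply checked_hup."""
    try:
        with open(path) as fh:
            text = fh.read(32)
    except OSError as err:
        return False, "cannot read %s: %s" % (path, err)
    return checked_hup(text, expected_comm)


if __name__ == "__main__":
    # usage from a postrotate block: postrotate_hup.py /var/run/httpd.pid httpd
    ok, why = hup_from_pidfile(sys.argv[1], sys.argv[2])
    print(why)
    sys.exit(0 if ok else 1)
```

Because the script exits non-zero when it refuses, logrotate reports the failed hook instead of silently leaving the daemon writing into the rotated file.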
Solaris logadm

Starting with Solaris 9 there is a standard tool, logadm, to rotate logs. logadm is an independent utility, unlike the rotation capability integrated into the AIX syslog daemon. The logadm command is a preconfigured entry in the default root crontab supplied starting with Solaris 9; the /usr/lib/newsyslog script is no longer used.

Before Solaris 9 there was the FreeBSD-style tool newsyslog in /usr/lib and the Perl script rotatelog, both run from cron. For Solaris 8 and earlier, download the rotatelog tar.gz file, untar it, change into the new directory and run make install; it installs /usr/local/sbin/rotatelog and /usr/local/etc/rotatelog.conf.

From the manual page:

NAME
logadm - manage endlessly growing log files

SYNOPSIS
logadm [-options] logname...

DESCRIPTION
logadm is a general log rotation tool that is suitable for running from cron(1M). Without arguments, logadm reads the /etc/logadm.conf file and, for every entry found in that file, checks the corresponding log file to see if it should be rotated. Typically this check is done each morning by an entry in root's crontab(1).

If the logname argument is specified, logadm renames the corresponding log file by adding a suffix so that the most recent log file ends with .0 (logfile.0), the next most recent ends with .1 (logfile.1), and so forth. By default, ten versions of old log files are kept (logfile.0 through logfile.9). At the point when what would be the eleventh file is logged, logadm automatically deletes the oldest version to keep the count of files at ten.

logadm takes a number of options. You can specify these options on the command line or in the /etc/logadm.conf file. The logadm command searches /etc/logadm.conf for lines of the form:

  logname options

logname identifies an entry in /etc/logadm.conf. This can be a name or the pathname of the log file. If you specify a log file rather than a name for this field, it must be a fully qualified pathname.
options identifies command line options exactly as they would be entered on the command line. This allows commonly used log rotation policies to be stored in the /etc/logadm.conf file. See EXAMPLES. If options are specified both in /etc/logadm.conf and on the command line, those in the /etc/logadm.conf file are applied first, so the command line options override those in /etc/logadm.conf. Log file names specified in /etc/logadm.conf can contain filename substitution characters such as * and ? that are supported by csh(1).

Two options control when a log file is rotated: -s size and -p period. When more than one of these options is used, there is an implied and between them: all conditions must be met before the log is rotated. If neither option is specified, the default conditions for rotating a log file are -s 1b -p 1w, which means the log file is rotated only if its size is non-zero and at least one week has passed since the last rotation. Specifying -p never as a rotation condition makes logadm ignore any other rotation conditions and move on to the expiration of old log files. Specifying -p now forces a log rotation.

Unless the -o, -g, or -m options say otherwise, logadm replaces the log file (after renaming it) with an empty file whose owner, group ID, and permissions match the original file.

Three options control when old log files are expired: -A age, -C count, and -S size. These options expire the oldest log files until a particular condition or conditions are met. For example, the combination -C 5 and -S 10m expires old log files until there are no more than five of them and their combined disk usage is no more than 10 megabytes. If none of these options is specified, the default expiration is -C 10, which keeps ten old log files. If no files are to be expired, use -C 0 to prevent the default expiration.
OPTIONS
The following options are supported:

-a post_command
Execute post_command after renaming the log file. post_command is passed to sh -c. Specify post_command as a valid shell command; use quotes to protect spaces or shell metacharacters in it. This option can be used to restart a daemon that is writing to the file. When rotating multiple logs with one logadm command, post_command is executed only once after all the logs are rotated, not once per rotated log.

-A age
Delete any versions that have not been modified for the amount of time specified by age. Specify age as a number followed by h (hours), d (days), w (weeks), m (months), or y (years).

-b pre_command
Execute pre_command before renaming the log file. pre_command is passed to sh -c. Specify pre_command as a valid shell command; use quotes to protect spaces or shell metacharacters in it. This option can be used to stop a daemon that is writing to the file. When rotating multiple logs with one logadm command, pre_command is executed only once before all the logs are rotated, not once per rotated log.

-c
Rotate the log file by copying it and truncating the original log file to zero length, rather than renaming the file.

-C count
Delete the oldest versions until no more than count files are left. If no expire options (-A, -C, or -S) are specified, -C 10 is the default. To prevent the default expire rule from being added automatically, specify -C 0.

-e mail_addr
Send error messages by mail to mail_addr. As logadm is typically run from cron(1M), error messages are captured by cron and mailed to the owner of the crontab. This option is useful if you want the mail regarding error messages to go to another address instead. If no errors are encountered, no mail message is generated.

-E cmd
Execute cmd to expire the file, rather than deleting the old log file. cmd is passed to sh -c. The file is considered expired after cmd completes.
If the old log file is not removed or renamed by cmd, logadm considers it for expiration the next time it runs on the specified log file. If present, the keyword $file is expanded in cmd to the name of the file being expired. This option is useful for tasks such as mailing old log files to administrators or copying old log files to long-term storage.

-f conf_file
Use conf_file instead of /etc/logadm.conf. This option allows non-root users to keep their own logadm configuration files.

-g group
Create the new empty file with the ID specified by group, instead of preserving the group ID of the log file. Specify group by name or by numeric group ID, as accepted by chgrp(1). This option requires the ability to change file group ownership using the chgrp(1) command.

-h
Print a help message that describes logadm's options.

-l
Use local time rather than Coordinated Universal Time (UTC) when naming rotated log files (see the discussion of percent sequences in the templates supplied with the -t option).

-m mode
Create the new empty file with the mode specified by mode, instead of preserving the mode of the log file. Specify mode in any form accepted by the chmod(1) command.

-M cmd
Use cmd to rename the log file. If the keyword $file is specified, it is expanded to the name of the log file. Similarly, the keyword $nfile is expanded to the new name of the log file. The $nfile keyword is only available with commands provided with the -M option. After the command completes, the log file is replaced by the rotate file. The default cmd is "/bin/mv $file $nfile".

-n
Print the actions that the logadm command would perform without actually performing them. This option is useful for checking arguments before making any changes to the system.
It is important to remember, however, that since log rotating actions are only printed with this option, logadm might not find files that need expiring, whereas a run without -n might create a file that needs expiring by performing the rotation. Therefore, if you see no files being expired with the -n option, files might still be expired without it.

-N
Prevent an error message if the specified log file does not exist. Normally logadm produces an error message if the log file is not found. With -N, if the log file does not exist logadm moves on to the expire rules (if any) and then to the next log file (if any), without creating the empty replacement log file.

-o owner
Create the new empty file with owner, instead of preserving the owner of the log file. Specify owner in any form accepted by the chown(1) command.

-p period
Rotate a log file after the specified time period. Specify period as a number followed by d for days, h for hours, w for weeks, m for months (really 30 days) or y for years. There are also two special values for period: now and never. -p now forces log rotation; -p never forces no log rotation.

-P timestamp
Used by logadm to record the last time the log was rotated in /etc/logadm.conf. This option uses timestamp to determine if the log rotation period has passed. The format of timestamp matches the format generated by ctime(3C), with quotes around it to protect embedded spaces. timestamp is always recorded in Coordinated Universal Time (UTC).

-r
Remove any entries corresponding to the specified logname from the /etc/logadm.conf file.

-R cmd
Run cmd when an old log file is created by a log rotation. If the keyword $file is embedded in the specified command, it is expanded to the name of the old log file just created by the rotation. This option is useful for processing log file contents after rotating the log. cmd is executed by passing it to sh -c.
When rotating multiple logs with one logadm command, the command supplied with -R is executed once every time a log is rotated. This is useful for post-processing a log file (sorting it, removing uninteresting lines, and so on). The -a option is a better choice for restarting daemons after log rotation.

-s size
Rotate the log file only if its size is greater than or equal to size. Specify size as a number followed by the letter b for bytes, k for kilobytes, m for megabytes, or g for gigabytes.

-S size
Delete the oldest versions until the total disk space used by the old log files is less than the specified size.

-t template
Specify the template to use when renaming log files. template can be a simple name, such as /var/adm/oldfile, or it can contain special keywords which are expanded by logadm and are of the form $word. Allowed sequences are:
  $file      The full path name of the file to be rotated
  $dirname   The directory of the file to be rotated
  $basename  The log file name, without the directory name
  $n         The version number, 0 is most recent, 1 is next and so forth
  $N         The same as $n, but starts at 1 instead of zero
  $secs      The number of seconds since 00:00:00 UTC, January 1, 1970
  $nodename  Expands to the output of uname -n
  $platform  Expands to the output of uname -i
  $isa       Expands to the output of uname -p
  $release   Expands to the output of uname -r
  $machine   Expands to the output of uname -m
  $domain    Expands to the output of domainname

To have an actual dollar sign in the file name, use $$. Any percent sequences allowed by strftime(3C) are also allowed; for example, %d expands to the day of the month. To have an actual percent sign in the file name, use %%. Both dollar-sign keywords and percent sequences can appear anywhere in the template. If the template results in a pathname with non-existent directories, they are created as necessary when rotating the log file. If no -t option is specified, the default template is $file.$n.
Actual rotation of log files, where each version is shifted up until it expires, is done using the $n keyword. If the template does not contain the $n keyword, the log file is simply renamed to the new name and then the expire rules, if any, are applied.

-T pattern
Normally logadm looks for a list of old log files by turning the template (specified with the -t option) into a pattern and finding existing files whose names match that pattern. The -T option causes the given pattern to be used instead. This option is useful if another program fiddles with the old log file names, such as a cron job that compresses them over time. The pattern is in the form of a pathname with special characters such as * and ? as supported by csh(1) filename substitution.

-v
Print information about the actions being executed in verbose mode.

-V
Validate the configuration file. This option validates that an entry for the specified logname exists in the /etc/logadm.conf file and is syntactically correct. If logname is not specified, all entries in the configuration file are validated. If a logname argument is specified, the command validates the syntax of that entry. If the entry is found, it is printed and the exit value of the command is true; otherwise the exit value is false.

-w entryname
Write an entry into the config file (/etc/logadm.conf) that corresponds to the current command line arguments. If an entry already existed for the specified entryname, it is removed first. This is the preferred method for updating /etc/logadm.conf, because it prevents syntax errors in that file. The entryname is an argument to an invocation of logadm. It might be chosen as something easy to remember, or it can be the pathname of the log file. If no log file name is provided on a logadm command line, the entry name is assumed to be the same as the log file name.
For example, the following two lines achieve the same result, keeping two copies of rotated log files:
  % logadm -C2 -w mylog /my/really/long/log/file/name
  % logadm -C2 -w /my/really/long/log/file/name

-z count
Compress old log files as they are created. The count most recent log files are left uncompressed, making them easier to peruse. Use a count of zero to compress all old logs. The compression is done with gzip(1) and the resulting log file has the suffix .gz.

OPERANDS
The following operands are supported:

logname
Identifies the name of the entry in /etc/logadm.conf. If the log file name is specified in the logname field, it is assumed that logname is the same as the actual log file name.

EXAMPLES

Example 1: Rotating a File and Keeping Previous Versions
The following example rotates the /var/adm/exacct/proc file, keeping ten previous versions in /var/adm/exacct/proc.0 through /var/adm/exacct/proc.9, and tells logadm to copy the file and truncate it:
  % logadm -c /var/adm/exacct/proc

Example 2: Rotating syslog
The following example rotates syslog and keeps eight log files. Old log files are put in the directory /var/oldlogs instead of /var/log:
  % logadm -C8 -t'/var/oldlogs/syslog.$n' /var/log/syslog

Example 3: Rotating /var/adm/sulog and Expiring Based on Age
The following entry in the /etc/logadm.conf file rotates the /var/adm/sulog file and expires any copies older than 30 days:
  /var/adm/sulog -A 30d

Example 4: Rotating Files and Expiring Based on Disk Usage
The following entry in /etc/logadm.conf rotates the /var/adm/sulog file and expires old log files when more than 100 megabytes are used by the sum of all the rotated log files:
  /var/adm/sulog -S 100m

Example 5: Creating an Entry that Stores the Logfile Name
This example creates an entry in /etc/logadm.conf storing the log file name and the fact that we want to keep 20 copies, but the -p never means the entry is ignored by the normal logadm run from root's crontab every morning:
  % logadm -w locallog /usr/local/logfile -C20 -p never

Use the following command line to override the -p never option:
  % logadm -p now locallog

Example 6: Rotating the apache Error and Access Logs
The following example rotates the apache error and access logs monthly to filenames based on the current year and month. It keeps the 24 most recent copies and tells apache to restart after renaming the logs. This command is run once and, since the -w option is specified, an entry is made in /etc/logadm.conf so the apache logs are rotated from now on:
  % logadm -w apache -p 1m -C 24 \
      -t '/var/apache/old-logs/$basename.%Y-%m' \
      -a '/usr/apache/bin/apachectl graceful' \
      '/var/apache/logs/*{access,error}_log'

This example also illustrates that the entry name supplied with the -w option does not have to match the log file name. Here the entry name is apache, and once the line has been run, the entry in /etc/logadm.conf can be forced to run with:
  % logadm -p now apache

Because the expression matching the apache log file names was enclosed in quotes, the expression is stored in /etc/logadm.conf rather than the list of files it expands to. This means that each time logadm runs from cron it expands that expression and checks all the log files in the resulting list to see if they need rotating. The following command is an example without the quotes around the log name expression. The shell expands the last argument into a list of the log files that exist at the time the command is entered, and writes an entry to /etc/logadm.conf that rotates only those files:
  % logadm -w apache /var/apache/logs/*_log

NOTES
When logadm applies expire conditions (supplied by the -A, -C, and -S options), it deletes files, the oldest first, until the conditions are satisfied. If the template used for naming the old logs contained $n or $N, logadm picks the highest value of $n or $N found in the old log file names first.
If the template used is something else, logadm uses the modification time to determine which files to expire first. This might not be the expected behavior if an old log file has been modified since it was rotated. Note that, depending on log file sizes and number of log files, log file rotations can be very time-consuming.
Solaris /etc/logadm.conf (part 1/2)
logadm.conf specifies the schedule for log rotation and the options with which rotation is performed. The default configuration:
  /var/log/syslog -C 8 -P 'Sun Sep 14 17:10: ' -a 'kill -HUP `cat /var/run/syslog.pid`'
  /var/adm/messages -C 4 -P 'Fri Sep 12 17:10: ' -a 'kill -HUP `cat /var/run/syslog.pid`'
  /var/cron/log -P 'Fri Aug 22 17:10: ' -c -s 512k -t /var/cron/olog
  /var/lp/logs/lpsched -C 2 -N -t '$file.$N'
Solaris /etc/logadm.conf (part 2/2)
  /var/fm/fmd/errlog -M '/usr/sbin/fmadm -q rotate errlog && mv /var/fm/fmd/errlog.0- $nfile' -N -s 2m
  smf_logs -C 8 -s 1m /var/svc/log/*.log
  /var/adm/pacct -C 0 -N -a '/usr/lib/acct/accton pacct' -g adm -m 664 -o adm -p never
  /var/log/pool/poold -N -a 'pkill -HUP poold; true' -s 512k
  /var/fm/fmd/fltlog -A 6m -M '/usr/sbin/fmadm -q rotate fltlog && mv /var/fm/fmd/fltlog.0- $nfile' -N -s 10m
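The manual page and the two configuration slides above spell out how an entry's effective policy is derived: -s 1b -p 1w when neither -s nor -p is given, -C 10 when none of -A/-C/-S is given, -C 0 disabling expiry, and -p never making the cron run skip the entry. The following added example (not part of Solaris or logadm) reads /etc/logadm.conf entries with those rules and lists the -a/-b/-E/-M/-R commands each entry will run as root via sh -c, which is what a reviewer of the file wants to see first. The sample entries are constructed from the default configuration shown above; the -P timestamps in the sample are made up, and a wtmpx entry is added.

```python
"""Parse /etc/logadm.conf entries and report the effective policy (added example).

Not part of Solaris: applies the defaults from the logadm manual page and
flags entries that are skipped by cron (-p never), entries whose rotated
copies are never expired (-C 0 without -A/-S), and the shell commands an
entry executes as root.
"""
import shlex

# logadm options that take an argument; the rest (-c -h -l -n -N -r -v -V) do not
WITH_ARG = set("aAbCeEfgmMopPRsStTwz")
COMMAND_FLAGS = {"a": "after", "b": "before", "E": "expire", "M": "rename", "R": "post-rotate"}
UNITS = {"b": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}

# Constructed sample based on the default configuration above (timestamps made up).
SAMPLE_CONF = """\
/var/log/syslog -C 8 -P 'Sun Sep 14 17:10:00 2008' -a 'kill -HUP `cat /var/run/syslog.pid`'
/var/adm/messages -C 4 -P 'Fri Sep 12 17:10:00 2008' -a 'kill -HUP `cat /var/run/syslog.pid`'
/var/cron/log -P 'Fri Aug 22 17:10:00 2008' -c -s 512k -t /var/cron/olog
/var/lp/logs/lpsched -C 2 -N -t '$file.$N'
smf_logs -C 8 -s 1m /var/svc/log/*.log
/var/adm/pacct -C 0 -N -a '/usr/lib/acct/accton pacct' -g adm -m 664 -o adm -p never
/var/adm/wtmpx -C 12 -s 100m -z 0
"""


def size_bytes(text):
    """'512k' -> 524288; units as documented for -s/-S: b, k, m, g."""
    num, unit = text[:-1], text[-1]
    if unit not in UNITS or not num.isdigit():
        raise ValueError("bad size %r" % text)
    return int(num) * UNITS[unit]


def parse_logadm_conf(text):
    """Return a list of {'name', 'files', 'opts'} dicts, one per entry.

    Options are stored as flag -> value (True for flags without argument);
    both '-C 8' and '-C8' forms are accepted, as logadm does. Non-option
    words after the entry name are log file names or patterns.
    """
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        tokens = shlex.split(raw)
        entry = {"name": tokens[0], "files": [], "opts": {}}
        i = 1
        while i < len(tokens):
            tok = tokens[i]
            if not tok.startswith("-") or len(tok) < 2:
                entry["files"].append(tok)
                i += 1
                continue
            flag = tok[1]
            if flag in WITH_ARG:
                if len(tok) > 2:
                    entry["opts"][flag] = tok[2:]
                else:
                    i += 1
                    if i >= len(tokens):
                        raise ValueError("-%s needs an argument: %s" % (flag, raw))
                    entry["opts"][flag] = tokens[i]
            else:
                entry["opts"][flag] = True
            i += 1
        entries.append(entry)
    return entries


def effective_policy(entry):
    """Apply the documented defaults to one entry."""
    o = entry["opts"]
    if "s" in o or "p" in o:
        rotate = {"size_bytes": size_bytes(o["s"]) if "s" in o else None,
                  "period": o.get("p")}
    else:
        rotate = {"size_bytes": 1, "period": "1w"}        # default -s 1b -p 1w
    if not any(k in o for k in "ACS"):
        expire = {"count": 10, "age": None, "space_bytes": None}   # default -C 10
    else:
        expire = {"count": int(o["C"]) if "C" in o else None,
                  "age": o.get("A"),
                  "space_bytes": size_bytes(o["S"]) if "S" in o else None}
    return {
        "rotate": rotate,
        "expire": expire,
        "copytruncate": "c" in o,
        "commands": {COMMAND_FLAGS[f]: o[f] for f in COMMAND_FLAGS if f in o},
    }


def lint(entries):
    """(name, message) findings a reviewer of logadm.conf would want to see."""
    findings = []
    for entry in entries:
        pol, name = effective_policy(entry), entry["name"]
        if pol["rotate"]["period"] == "never":
            findings.append((name, "-p never: skipped by the cron run, rotate with 'logadm -p now %s'" % name))
        exp = pol["expire"]
        if exp["count"] == 0 and exp["age"] is None and exp["space_bytes"] is None:
            findings.append((name, "-C 0 without -A/-S: rotated copies are never expired"))
        for when, cmd in pol["commands"].items():
            findings.append((name, "%s hook runs as root via sh -c: %s" % (when, cmd)))
    return findings


if __name__ == "__main__":
    parsed = parse_logadm_conf(SAMPLE_CONF)
    for e in parsed:
        print(e["name"], effective_policy(e))
    for n, msg in lint(parsed):
        print("NOTE", n, msg)
```

The hook listing matters because every -a command is run by root from cron; the syslog entries above, for example, signal whatever pid /var/run/syslog.pid contains, so the ownership and mode of both that pid file and /etc/logadm.conf itself belong in the same review.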
Solaris logadm Command Usage (part 1/3)
Usage: logadm [options]
       (processes all entries in /etc/logadm.conf or conffile given by -f)
   or: logadm [options] logname...
       (processes the given lognames)

General options:
  -e mailaddr    mail errors to given address
  -f conffile    use conffile instead of /etc/logadm.conf
  -h             display help
  -N             not an error if log file nonexistent
  -n             show actions, don't perform them
  -r             remove logname entry from conffile
  -V             ensure conffile entries exist, correct
  -v             print info about actions happening
  -w entryname   write entry to config file
Solaris logadm Command Usage (part 2/3)
Options which control when a logfile is rotated:
  (default is: -s1b -p1w if no -s or -p)
  -p period      only rotate if period passed since last rotate
  -P timestamp   used to store rotation date in conffile
  -s size        only rotate if given size or greater

Options which control how a logfile is rotated:
  (default is: -t '$file.$n', owner/group/mode taken from log file)
  -a cmd         execute cmd after taking actions
  -b cmd         execute cmd before taking actions
  -c             copy & truncate logfile, don't rename
  -g group       new empty log file group
  -l             rotate log file with local time rather than UTC
  -m mode        new empty log file mode
  -M cmd         execute cmd to rotate the log file
  -o owner       new empty log file owner
  -R cmd         run cmd on file after rotate
  -t template    template for naming old logs
  -z count       gzip old logs except most recent count
Solaris logadm Command Usage (part 3/3)
Options which control the expiration of old logfiles:
  (default is: -C10 if no -A, -C, or -S)
  -A age         expire logs older than age
  -C count       expire old logs until count remain
  -E cmd         run cmd on file to expire
  -S size        expire until space used is below size
  -T pattern     pattern for finding old logs
Solaris logadm and Timezone
By default, logadm works in UTC (GMT). All -P timestamps written to /etc/logadm.conf are recorded in UTC. Use the -l option to make logadm use local time when expanding the percent sequences in rotated file names; the -P timestamps stay in UTC regardless.
Solaris logadm – Example for wtmpx
Add into /etc/logadm.conf:
  /var/adm/wtmpx -C 12 -P 'Mon Oct 13 17:00: ' -s 100m -z 0

  -C 12     keep 12 rotated versions of the log file
  -P ...    the timestamp of the last rotation, used to decide whether the period has passed
  -s 100m   rotate once the log file reaches 100 MB
  -z 0      gzip all rotated copies (none left uncompressed)

Use /var/adm/wtmpx, the login history file that grows without bound; /var/adm/utmpx holds the current sessions and must not be rotated.

Run the command:
  # logadm
Check it:
  # logadm -V
HP-UX 11i syslogd

HP-UX 11i v1 and earlier have no log file automation. In later releases syslogd logs messages into a set of files; once the size of a log file reaches 2 GB, syslogd stops logging to that file. Configure the maximum size of syslogd log files by setting LOG_SIZE in /etc/default/syslogd. The value of LOG_SIZE can be any positive integer greater than 2, representing the maximum file size in GB. With LOG_SIZE=NOLIMIT, syslogd uses the limit imposed by the file system on file size.

PREV_OLDSYSLOG_LINES: the number of kilo-lines (thousands of lines) carried from the previous /var/adm/syslog/OLDsyslog.log, along with the contents of the previous /var/adm/syslog/syslog.log, into the current /var/adm/syslog/OLDsyslog.log. The value must be a plain number. The default is 0, which makes the new OLDsyslog.log contain only the previous syslog.log contents.
HP-UX 11i syslogd Simple Rotation
  # /sbin/init.d/syslogd stop
  # /sbin/init.d/syslogd start
This renames syslog.log to OLDsyslog.log in the /var/adm/syslog directory. Only one previous copy is kept, and messages sent while the daemon is stopped are not captured.
HP-UX 11i Other RC Cleanups
/etc/rc.config.d/clean_tmp: CLEAR_TMP=1, /tmp cleanup at boot
/etc/rc.config.d/clean: CLEAN_ADM=1, CLEAN_UUCP=1; /var/adm/sulog, /var/adm/diaglog and /var/adm/messages are renamed to OLD*
/etc/rc.config.d/clean_uucp: uuclean(1m) at boot
HP-UX 11i Examples of Log Directories and Files
Examples of log files and directories that can grow out of bounds:
  /var/spool/lp
  /var/adm/lp
  /var/opt/perf/datafiles
  lost+found directories at the top level of each file system
  /var/adm/diag
  /var/opt/ignite
  /var/stm/logs/sys *
  /var/adm/wtmp
  /var/adm/wtmps
  /var/adm/btmp
  /var/adm/sw
  (others truncated for the sake of brevity)

* I once had a call to help with a critical case for a customer whose diaglogd_activity_log was larger than 2 GB (the activity log of the MESA diagnostics daemon). It remained a mystery why the level-1 and level-2 teams did not detect this out-of-bounds growth.
HP-UX 11i auto_parms.log

/etc/auto_parms.log is updated by the auto_parms(1m) command, which handles first-boot configuration (setting of the unique system "initial identity parameters") and ongoing management of DHCP leases. auto_parms(1m) saves the old copy as /etc/auto_parms.log.old.
HP-UX 11i rc.log

Run Command (RC) scripts update /etc/rc.log at boot time. At reboot, the previous /etc/rc.log is renamed to /etc/rc.log.old.
HP-UX 11i EMS Logs

The EMS log files in /etc/opt/resmon/log are limited to 500 KB in size and are then moved to <logfile>.old; the previous *.old is lost. The 500 KB limit per log file can be removed by creating the file /etc/opt/resmon/unlimited_log. Be careful with unlimited_log: growing EMS log files can easily fill up the root file system.
HP-UX 11i Glance and MeasureWare Logs
/var/opt/perf/parm is read by both the GlancePlus and the MeasureWare products; Glance uses only the application definitions.
  size global=10, application=10, process=20, device=10, transaction=10
The sizes are in MB. The log files are stored in the /var/opt/perf/datafiles directory.
HP-UX 11i Integrity VM Driver Log File
/var/opt/hpvm/common/hpvm_mon_log is limited to 1024 KB by default. When the log file grows larger than this, it is copied to a new file (hpvm_mon_log.$time) and an empty one is created for the new log. To allow this log file to grow larger than 1024 KB, add the following line to /etc/rc.config.d/hpvmconf (value in KB):
  VMMLOGSIZE=
Then restart the daemon:
  # kill -HUP `cat /var/run/hpvmmonlogd.pid`
HP-UX 11i Integrity VM Guest Log File
/var/opt/hpvm/guests/guest_name/log records guest start and stop information. These log files can grow very large. To close the current log file, rename it, and open a new one:
  # hpvmconsole rec -rotate
HP-UX 11i SMH

# cat /opt/hpsmh/conf.common/smhpd.xml
<?xml version="1.0" encoding="UTF-8"?>
<system-management-homepage>
  <admin-group></admin-group>
  <operator-group></operator-group>
  <user-group></user-group>
  <allow-default-os-admin>True</allow-default-os-admin>
  <anonymous-access>False</anonymous-access>
  <localaccess-enabled>False</localaccess-enabled>
  <localaccess-type>Anonymous</localaccess-type>
  <trustmode>TrustByCert</trustmode>
  <xenamelist></xenamelist>
  <ip-restricted-logins>False</ip-restricted-logins>
  <ip-restricted-include></ip-restricted-include>
  <ip-restricted-exclude></ip-restricted-exclude>
  <ip-binding>False</ip-binding>
  <ip-binding-list></ip-binding-list>
  <rotate-logs-size>N</rotate-logs-size>
</system-management-homepage>

The Microsoft Windows version of SMH supports log file rotation through the same tag:
  <rotate-logs-size>N</rotate-logs-size>
The <rotate-logs-size> tag defines the HP SMH rotate-logs file size. To change it, edit the configuration file %SystemDrive%\hp\hpsmh\conf\smhpd.xml. The tag accepts any value between 1 and 99, representing the log size in megabytes.
32
Webinar - Dusan Baljevic
HP-UX 11i TCB Auditing

It records instances of access by subjects to objects and allows detection of any (repeated) attempts to bypass the protection mechanism and any misuses of privileges.

audsys allows the user to start or halt the auditing system, to specify the auditing system "current" and "next" audit files (and their switch sizes), or to display auditing system status information. The "current" audit file is the file to which the auditing system writes audit records. When the "current" file grows to either its Audit File Switch (AFS) size or its File Space Switch (FSS) size (see audomon), the auditing system switches to write to the "next" audit file.

# audsys
auditing system is currently on
current file: /var/adm/audit/audfile1
next file: /var/adm/audit/audfile2
statistics       afs Kb used Kb avail %     fs Kb used Kb avail %
current file:
next file:

A manual (scripted) process is necessary to automate audsys log file rotation; the auditing system only switches between the two configured files.
HP-UX 11i HIDS

HIDS log files increase rapidly. However, the Configuration Change Console agent keeps log files truncated to save disk space. To ensure that the log files do not increase in file size while the agent is not running, run a script to periodically truncate the HIDS log files.

A sample script to manage HIDS log files is provided. This script should be run from the crontab:

#!/bin/sh
# Size threshold in bytes. The original value was lost from the slide, so it
# must be supplied (here via the IDS_ALERT_MAXSIZE environment variable).
maxsize=${IDS_ALERT_MAXSIZE:?set the alert.log size threshold in bytes}
# Column 5 of ls -l is the file size in bytes
filesize=`/bin/ls -l /var/opt/ids/alert.log | /bin/awk '{print $5}'`
if [ "$filesize" -gt "$maxsize" ]
then
    # Move the oversized alert log aside; the suffix is a fixed example name
    mv /var/opt/ids/alert.log /var/opt/ids/alert.log_Dec_2008
fi
# Remove the agent's temporary ids_1* files
rm -f /var/opt/ids/ids_1*

Sample entry to configure the crontab to run every hour, where <location of script> is replaced by the actual path of the trunclog.sh file:

0 * * * * /<location of script>/trunclog.sh >/dev/null 2>&1

The relevant HIDS agent configuration parameters:

IDS_ALERTFILE /var/opt/ids/alert.log
IDS_ERRORFILE /var/opt/ids/error.log
IDS_LISTEN_IFACE ""
IDS_RT_RESPONSE_DIR /opt/ids/rt_response
IDS_RESPONSE_DIR /opt/ids/response

They are defined as follows:

IDS_ALERTFILE - The full path name to the alert log file for this HP-UX HIDS agent process. Any alerts resulting from intrusive activity detected by the agent software will be logged to this file.

IDS_ERRORFILE - The full path name to the error log file for this HP-UX HIDS agent process. Any errors generated in the operation of the agent software will be logged to this file.

IDS_LISTEN_IFACE - The IP address or host name associated with the agent system's network interface card. On a system with only one IP address, this parameter does not need to be specified. On a multihomed system (a system with more than one network interface card) this parameter is required.

IDS_RT_RESPONSE_DIR - The full path name to the automated response directory, containing executable binary or script programs that are executed on the agent node. These programs are executed when a real-time alert is generated and when both the Alert Aggregation and the Real Time Alerts options are enabled. The programs can take any actions that you deem appropriate.

IDS_RESPONSE_DIR - The full path name to the automated response directory containing executable binary or script programs that are executed on the agent node. These programs are executed either when alert aggregation is disabled and any alert is generated, or when alert aggregation is enabled and an aggregated alert or an alert that is not or cannot be aggregated is generated. The programs can take any actions that you deem appropriate.
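The trunclog.sh sample above renames the file to one fixed name and keeps no history. As an added example (not the presentation's script), the same size-triggered idea generalised to numbered backups with a retention limit, in the .0/.1 style the AIX syslog section used; it is plain POSIX sh, and the file name and thresholds are whatever the caller passes in.

```sh
#!/bin/sh
# Added example, not the presentation's script: size-triggered rotation of one
# log file into numbered backups (FILE.0 newest), keeping at most KEEP copies.

# file_size FILE -> size in bytes (wc -c is more portable than ls -l column 5)
file_size() {
    wc -c < "$1" | tr -d ' '
}

# rotate_if_large FILE MAXBYTES KEEP
# Returns 0 when a rotation happened, 1 when FILE is absent or under the limit.
rotate_if_large() {
    file=$1; maxbytes=$2; keep=$3
    [ -f "$file" ] || return 1
    size=$(file_size "$file")
    [ "$size" -gt "$maxbytes" ] || return 1
    # Shift existing backups up by one: FILE.1 -> FILE.2, FILE.0 -> FILE.1 ...
    i=$keep
    while [ "$i" -gt 0 ]; do
        prev=$(expr "$i" - 1)
        [ -f "$file.$prev" ] && mv "$file.$prev" "$file.$i"
        i=$prev
    done
    # Anything shifted beyond the retention limit is discarded
    [ -f "$file.$keep" ] && rm -f "$file.$keep"
    mv "$file" "$file.0"
    # Recreate the live file so the expected path exists for the writer
    : > "$file"
    return 0
}

# count_backups FILE -> number of FILE.N backups currently present
count_backups() {
    ls "$1".[0-9]* 2>/dev/null | wc -l | tr -d ' '
}
```

Renaming only works if the writing process reopens its log afterwards (as hpvmmonlogd does on SIGHUP earlier in this deck); a daemon that keeps the old descriptor open will carry on writing into FILE.0, in which case a copy-then-truncate approach is needed instead.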
HP-UX 11i ServiceGuard Package Log File
SCRIPT_LOG_FILE (SG )

A new package attribute that allows a name to be assigned to a package log file. Necessary for support of multiple packages sharing a common package control script.

Legacy Package Configuration:
SCRIPT_LOG_FILE /etc/cmcluster/pkga/pkga.log

Modular Package Configuration:
script_log_file $SGRUN/log/$SG_PACKAGE.log
HP-UX 11i ulimit

# ulimit -a
time(seconds) unlimited
file(blocks) unlimited
data(kbytes)
stack(kbytes)
memory(kbytes) unlimited
coredump(blocks)
nofiles(descriptors) 2048

Can be set globally or per user.
HP-UX 11i v3 coreadm *

# coreadm
global core file pattern:
init(1M) core file pattern:
global core dumps: disabled
per-process core dumps: enabled
global setid core dumps: disabled
per-process setid core dumps: disabled

* HP-UX 11i v3 and above
HP-UX cleanup - HP-UX patch cleanup utility
# cleanup -c 1

The cleanup command provides functions useful when dealing with HP-UX patches. The cleanup command logs all information to /var/adm/cleanup.log.
HP-UX savecrash utility
/etc/rc.config.d/savecrash

CHUNK_SIZE: Size of a single crash image file (how big you want each of image.n.x, image.n.x+1, etc. to be). If not specified, savecrash will choose one based on the physical memory size of the system. Can be specified in bytes (b), kilobytes (k), megabytes (m), or gigabytes (g). The default unit is KB. See the savecrash(1M) "-s" option for size constraints.

COMPRESS: Whether you want the kernel and crash image files to be compressed.

A little reminder about crash dumps in HP-UX when the server has multiple CPUs:

One CPU per dump unit for an uncompressed dump. For example, to achieve 4-way parallelism (4 dump units) in an uncompressed dump, the system must have at least 4 CPUs.

Five CPUs per dump unit for a compressed dump (4 CPUs compressing data and one CPU writing the data to the disks).
HP-UX Alternative Log File Tools (part 1/3)
Old but maybe still applicable bundle (needs to be tested):

Shell script logrotate:

Scripts based on Perl modules like Logfile-Rotate

Perl-Logrotate:
HP-UX Alternative Log File Tools (part 2/3)
newsyslog project (old and possibly obsolete):

logtrim by Bill Hassell (released in HP ITRC forum several years ago):

Replace standard syslog daemon with Syslog-NG and SQL database:
HP-UX Alternative Log File Tools (part 3/3)
smartlog (very old bundles for HP-UX and only):

Many other Shell scripts, for example:

LogWatch:
HP-UX Syslog-NG

Syslog-NG and SQL database (MySQL, Microsoft SQL (MSSQL), Oracle, PostgreSQL, SQLite)

Log rotation based on output filenames: log output filenames can be based on template names which support macro expansion. For example, if the output filename template contains the month macro, a new filename will be created each month.

Often, syslog-ng is used for log file consolidation (centralized management).
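As an added example (not configuration from the presentation), a syslog-ng file destination whose name embeds the $YEAR and $MONTH macros, so a fresh file is opened each month without an external rotation job; the directory path is an assumption and the system() source requires a syslog-ng release that provides it.

```conf
# Added example: monthly file destination via template macros (syslog-ng.conf
# fragment, not from the presentation). Path is illustrative.
source s_local {
    system();
    internal();
};

destination d_monthly {
    # $YEAR$MONTH expands to e.g. 201811, giving one file per month;
    # create-dirs(yes) lets the directory be created on first write and
    # perm(0640) keeps the log unreadable to other users.
    file("/var/log/syslog-ng/messages.$YEAR$MONTH"
         create-dirs(yes)
         perm(0640));
};

log { source(s_local); destination(d_monthly); };
```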
Conclusion

Log file management is mostly managed reactively.

The majority of Unix admins I meet are not aware of OS-native tools that are designed for log file administration.
Thank You! Dusan Baljevic Sydney, Australia