Online Book Reader


UNIX System Administration Handbook - Evi Nemeth [132]



Table 11.1 Log files on parade

(Only the caption and the footnotes of Table 11.1 survive on this page; the table body itself is not reproduced here.)

a. Where: S = Syslog, H = Hardwired, F = Configuration file, C = Command line
   Freq: D = Daily, W = Weekly, M = Monthly
   Owner: R = root/system, U = uucp/daemon, N = news/news, D = daemon/daemon

b. passwd, login, and shutdown also write to the authorization log.

c. Specified on the command line in version 2.1; later versions use syslog.

d. Sometimes also maintained in a revised format as wtmpx.

Table 11.1 on the next page lists logs under their generic names; vendor-specific deviations begin on page 209. Not all files appear on all systems.

Filenames are relative to /var/adm or /var/log unless otherwise noted (however, files in the group called “extras” are locally installed and would follow your local conventions).

The character in the Where column tells how the log file is specified: S for programs that use syslog, C if logging options are set on the command line at boot time, F for programs that use a configuration file, and H if the filename is hardwired in code. Actual filenames may vary widely, especially for files maintained via syslog. The names listed in Table 11.1 are typical examples only.

The Freq column indicates our suggested cleanup frequency.

Log files usually have mode 644. Some sites reduce permissions to 640 or to 600; never give write permission to anyone but the owner. sulog, authlog, and sudo.log should have mode 600. mqueue/syslog and pacct are also good candidates for restrictive permissions.
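The permission rules just stated can be checked mechanically. The script below is an added example written for this page, not code from the book: it walks a log directory, reports any file that gives write permission to group or other, and reports any of the three named sensitive logs (sulog, authlog, sudo.log) that is not mode 600. The function names (perm_of, audit_log_perms, make_sample_logs) and the sample directory with its deliberately mixed modes are my own constructions; it relies on GNU stat -c with BSD stat -f as a fallback.

```shell
#!/bin/sh
# Added example (not from the book): audit the permissions of the files in a
# log directory against the rules in the text. Uses only POSIX sh plus stat.

# Logs the text says must be mode 600 (owner read/write only).
SENSITIVE_LOGS="sulog authlog sudo.log"

# perm_of FILE: print the file's permission bits in octal
# (GNU stat first, BSD/macOS stat as the fallback).
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_log_perms DIR: print one line per finding, nothing when all is well.
#   WRITABLE  - group or other has write permission (never acceptable)
#   SENSITIVE - one of $SENSITIVE_LOGS is not mode 600
audit_log_perms() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        perm=$(perm_of "$f")
        case $perm in ?) perm=00$perm ;; ??) perm=0$perm ;; esac
        perm=${perm#"${perm%???}"}      # keep the last three octal digits
        grp=${perm%?}; grp=${grp#?}     # group digit
        oth=${perm#??}                  # other digit
        name=${f##*/}
        case "$grp$oth" in
            *[2367]*) echo "WRITABLE  $perm $f (only the owner may write)" ;;
        esac
        for s in $SENSITIVE_LOGS; do
            if [ "$name" = "$s" ] && [ "$perm" != "600" ]; then
                echo "SENSITIVE $perm $f (should be 600)"
            fi
        done
    done
}

# make_sample_logs: build a constructed log directory for the demo and print
# its path. The names follow Table 11.1; the modes are deliberately mixed.
make_sample_logs() {
    d=$(mktemp -d 2>/dev/null || mktemp -d /tmp/logaudit.XXXXXX)
    for n in messages sulog authlog sudo.log wtmp; do : > "$d/$n"; done
    chmod 644 "$d/messages"     # typical and acceptable
    chmod 644 "$d/sulog"        # too open for a su log: flagged
    chmod 600 "$d/authlog"      # correct
    chmod 640 "$d/sudo.log"     # group can read a sudo log: flagged
    chmod 666 "$d/wtmp"         # world-writable: flagged
    echo "$d"
}

# Demo when run directly: build the sample directory, audit it, clean up.
sample=$(make_sample_logs)
audit_log_perms "$sample"
rm -rf "$sample"
```

Run it against /var/adm or /var/log from cron and mail yourself the output; an empty report means the directory still matches the policy above.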

11.3 FILES NOT TO MANAGE


You might be tempted to manage all log files with a rotation and archiving scheme. But there are two files that you should not touch: /var/adm/lastlog and /etc/utmp. lastlog records each user’s last login and is a sparse file indexed by UID. It stays smaller if your UIDs are assigned in some kind of numeric sequence. Don’t copy lastlog or it will really use all the disk space that ls -l reports.

See the footnote on page 176 for more info about sparse files.
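A rotation or backup script can tell a sparse file from a dense one before it touches it. The script below is an added example written for this page, not the book's code: it compares the length that ls -l would report (via wc -c) with the space actually allocated (via du -k), builds a constructed stand-in for lastlog with one byte at a high offset, and then shows that a byte-for-byte copy turns the hole into real zeros on disk. The function names (apparent_size, allocated_size, is_sparse, make_sparse_file, dense_copy, report) and the file sizes are my own; the demo uses dd so that it runs the same on GNU and BSD userland.

```shell
#!/bin/sh
# Added example (not from the book): tell a sparse file from a dense one the
# way a backup or rotation script should, and show what a naive copy does to
# it. Sizes come from wc and du, which behave the same on GNU and BSD.

# apparent_size FILE: the length ls -l reports, in bytes.
apparent_size() { wc -c < "$1" | tr -d ' '; }

# allocated_size FILE: bytes actually backed by disk blocks (du -k * 1024).
allocated_size() { echo $(( $(du -k "$1" | cut -f1) * 1024 )); }

# is_sparse FILE: succeed when the file has holes, i.e. fewer blocks are
# allocated than its length would need.
is_sparse() {
    [ "$(allocated_size "$1")" -lt "$(apparent_size "$1")" ]
}

# make_sparse_file PATH MEGABYTES: a constructed stand-in for lastlog, with
# one data byte at a high offset and nothing but a hole before it.
make_sparse_file() {
    dd if=/dev/zero of="$1" bs=1 count=1 seek=$(( $2 * 1024 * 1024 )) 2>/dev/null
}

# dense_copy SRC DST: copy by reading and writing every byte, as cat or a
# non-sparse-aware backup tool does. The hole is written out as real zeros.
dense_copy() {
    dd if="$1" of="$2" bs=65536 2>/dev/null
}

# report FILE: one line with both sizes and the verdict.
report() {
    if is_sparse "$1"; then v=sparse; else v=dense; fi
    echo "$1: length $(apparent_size "$1") bytes, allocated $(allocated_size "$1") bytes, $v"
}

# Demo: a 16 MB "lastlog" occupies a few KB on disk until it is copied naively.
work=$(mktemp -d 2>/dev/null || mktemp -d /tmp/sparse.XXXXXX)
make_sparse_file "$work/lastlog" 16
dense_copy "$work/lastlog" "$work/lastlog.copy"
report "$work/lastlog"
report "$work/lastlog.copy"
rm -rf "$work"
```

The same two-number comparison is what you want in a pre-rotation check: if is_sparse says yes, skip the file rather than archive a copy that is suddenly as large as ls -l claims.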

utmp attempts to keep a record of each user that is currently logged in. It is sometimes wrong, usually because a user’s shell was killed with an inappropriate signal and the parent of the shell did not clean up properly. utmp is often world-writable.

11.4 VENDOR SPECIFICS


Vendors seem to have hidden log files all over the disk. Careful detective work with your daemons’ config files and your syslog configuration file will find many of them. This section details some of the more obscure nooks and crannies in which log files have been hidden.

Solaris has the most disorganized collection of log files ever. With a directory called /var/log it shouldn’t be so hard. A few pointers:

• /var/log/*

• /var/cron/log

• /var/lp/logs/*

• /var/saf/_log

• /var/saf/zsmon/log

• /var/adm/{messages, aculog, sulog, vold.log, wtmpx}

• /var/adm/log/asppp.log

This last file is for the PPP protocol for dial-up network connections. Solaris 2.4 seemed to ship with logging to it turned on, even if you did not have the PPP software installed or in use. It filled with messages about the lack of connection paths.

See page 291 for more information about PPP.

You can run the vendor-supplied /usr/lib/newsyslog script out of cron to rotate the main log files, /var/adm/messages and /var/log/syslog.

HP-UX log files are in /var/adm. There are a lot of odd little mystery files in this directory, many of which are not log files, so be careful what you touch. The file nettl.LOG00 is a network control and statistics file; see man nettl for details. By default, all log entries submitted via syslog go into the /var/adm/syslog directory.

Red Hat gets a gold star for logging sanity. Not only are logs clearly named and consistently stored in /var/log, but Red Hat also provides a superior tool, logrotate, for rotating, truncating, and managing them. New software packages can drop a configuration file into the /etc/logrotate.d directory to set up a management strategy for their logs. What are you trying to do, Red Hat, put us all out of a job?
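What newsyslog and a logrotate.d entry do at their core is a generation shift followed by a fresh, correctly-permissioned live file. The script below is an added example written for this page, not the code of logrotate, newsyslog, or the book: rotate_log keeps KEEP generations (file.0 is the newest), recreates the live file empty with an explicit mode so a rotation can never loosen permissions, and refuses to rotate a file that does not exist. The function names (rotate_log, generations) and the constructed messages log are my own.

```shell
#!/bin/sh
# Added example (not from the book, and not logrotate or newsyslog itself):
# the core of one log rotation step in POSIX sh.

# rotate_log FILE KEEP MODE
#   Keeps KEEP generations, FILE.0 being the newest, and recreates FILE empty
#   with MODE. Returns 1 (and rotates nothing) if FILE is absent or KEEP < 1.
rotate_log() {
    file=$1 keep=$2 mode=$3
    [ -f "$file" ] || { echo "rotate_log: $file: no such log" >&2; return 1; }
    [ "$keep" -ge 1 ] || { echo "rotate_log: KEEP must be at least 1" >&2; return 1; }
    # Drop the oldest generation, then shift the rest up: N-2 -> N-1, ..., 0 -> 1.
    rm -f "$file.$((keep - 1))"
    i=$((keep - 2))
    while [ "$i" -ge 0 ]; do
        [ -f "$file.$i" ] && mv "$file.$i" "$file.$((i + 1))"
        i=$((i - 1))
    done
    # Move the live file aside and recreate it empty with the requested mode.
    # A daemon that keeps the old descriptor open goes on writing to FILE.0
    # until it is told to reopen its log (syslogd: SIGHUP), so do that next.
    mv "$file" "$file.0"
    : > "$file"
    chmod "$mode" "$file"
}

# generations FILE: list the rotated generations that exist, newest first.
generations() {
    for g in "$1".*; do [ -f "$g" ] && echo "${g##*/}"; done
}

# Demo with a constructed log: append one line per "day", rotate, repeat.
work=$(mktemp -d 2>/dev/null || mktemp -d /tmp/rotate.XXXXXX)
log=$work/messages
for day in 1 2 3 4 5; do
    echo "day $day entry" >> "$log"
    rotate_log "$log" 3 644
done
generations "$log"      # messages.0 messages.1 messages.2 (days 5, 4, 3)
cat "$log.2"            # day 3 entry
rm -rf "$work"
```

The MODE argument is the point of the exercise: passing 600 for sulog, authlog or sudo.log keeps the restrictive permissions recommended earlier in the chapter across every rotation, instead of letting the new file inherit whatever umask cron happens to run with.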

FreeBSD
