2. Unix Log Files and Their Management
Tools - Present
• Most of the time, admins rely on home-grown Shell or Perl scripts
• The find command is also commonly used for cleanups (for example, deleting or truncating files older than N days)
March 1, 2014
Webinar - Dusan Baljevic
3. Unix Log Files and Their Management
Tools
• Solaris: logadm
• Linux: logrotate
• AIX: built-in syslogd log file rotation and compression
• HP-UX: various tools
4. AIX syslog
• AIX syslogd has built-in log file rotation and compression, controlled by optional fields at the end of each /etc/syslog.conf entry
• Format
msg_src_list destination [rotate [size sizek|m] [files files] [time timeh|d|w|m|y] [compress] [archive archive]]
msg_src_list is a semicolon-separated list of facility.priority pairs
facility is one of: * (all facilities except mark), mark (time marks), kern, user, mail, daemon, auth, ...
priority is one of (from high to low): emerg/panic, alert, crit, err(or), warn(ing), notice, info, debug
(a selector matches all messages of that priority or higher)
destination is one of:
/filename - log to this file
username[,username2...] - write to the named user(s)
@hostname - send to the syslogd on that host
* - send to all logged-in users
5. AIX syslog Features (part 1/2)
• If destination is a regular file and the word rotate is specified, then the destination is limited by either size or time, or both. The backup filenames are created by appending a period and a number to destination, starting with .0. The time value causes the destination to be rotated after time. If both time and size are specified, then logfiles will be rotated once the logfile size exceeds size or once time has elapsed, whichever comes first
• If the compress option is specified then the logfile names will be generated with a .Z extension. The files keyword applies only to the logfiles which are currently under rotation. For example, if we specify the compress option, then only files with the .Z extension will be under rotation and the number of such files will be limited by files files. Any logfiles with an extension other than .Z will not be under the rotation scheme and thus will not be under the restriction of files files. Similarly, if the compress option is removed then the files which have been generated with the .Z extension will no longer be part of the rotation scheme and will not be limited by files files. In practice this means that toggling compress leaves the previous generation of backups on disk with nothing expiring them; remove them by hand or they will keep consuming /var
6. AIX syslog Features (part 2/2)
• The minimum size that can be specified is 10k. The minimum number of files that can be specified is 2. The default size is 1MB and the default for files is unlimited. Therefore, if only rotate is specified, the log will be rotated with size = 1m and no limit on the number of backups. The compress option means that rotated log files that are not in use will be compressed. The archive option will save rotated log files that are not in use to the archive directory. The default is not to rotate log files at all
• The letter indicating the unit must immediately follow the number in the syntax. For example, to specify log rotation every two days, the phrase time "2d" is correct, but "2 d" is not
7. AIX /etc/syslog.conf
• Example /etc/syslog.conf
*.info /var/adm/syslog/syslog.log
*.alert /var/adm/syslog/syslog.log
*.notice /var/adm/syslog/syslog.log
*.warning /var/adm/syslog/syslog.log
*.err /var/adm/syslog/syslog.log
*.crit /var/adm/syslog/syslog.log rotate time 1d files 9
daemon.debug /var/adm/ftpd.log rotate size 1024k files 5
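The rules on the previous two slides (10k minimum size, at least 2 files, 1m default size, unit letter glued to the number, rotate only meaningful for a file destination) are easy to get wrong by hand, and AIX does not validate them for you until syslogd is restarted. The following validator is an added example written for this page, not IBM code; it parses the entry format quoted above and checks those rules on a constructed config that contains the two rotating lines from the example plus three deliberately broken ones. The facility and priority sets are the standard BSD syslog names and are an assumption here (the slide only lists some of them).

```python
import re

# Standard syslog facilities and priorities; assumed to be what AIX syslogd accepts
# (the slides list only a subset).
PRIORITIES = {"emerg", "panic", "alert", "crit", "err", "error", "warn", "warning",
              "notice", "info", "debug", "none"}
FACILITIES = {"kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "mark", "*"} | {f"local{i}" for i in range(8)}
SIZE_UNITS = {"k": 1024, "m": 1024 ** 2}
TIME_UNITS = {"h": 3600, "d": 86400, "w": 7 * 86400, "m": 30 * 86400, "y": 365 * 86400}
MIN_SIZE, MIN_FILES, DEFAULT_SIZE = 10 * 1024, 2, 1024 ** 2   # limits quoted on the slides


def _number_with_unit(value, units, what):
    """'1024k' -> 1048576. A bare '2' (from 'time 2 d') carries no unit and is rejected."""
    m = re.fullmatch(r"(\d+)([a-z])", value)
    if not m or m.group(2) not in units:
        raise ValueError(f"{what} {value!r}: the unit letter must immediately follow the number")
    return int(m.group(1)) * units[m.group(2)]


def parse_line(line):
    """Parse one syslog.conf entry. Returns (entry, errors); entry is None if unparseable."""
    errors = []
    fields = line.split()
    if len(fields) < 2:
        return None, ["need msg_src_list and destination"]
    selectors = []
    for sel in fields[0].split(";"):               # semicolon-separated facility.priority
        fac, sep, pri = sel.partition(".")
        errors += [f"unknown facility {f!r}" for f in fac.split(",") if f not in FACILITIES]
        if not sep or pri not in PRIORITIES:
            errors.append(f"bad priority in {sel!r}")
        selectors.append((fac, pri))
    dest = fields[1]
    kind = ("file" if dest.startswith("/") else "remote" if dest.startswith("@")
            else "all-users" if dest == "*" else "users")
    entry = {"selectors": selectors, "destination": dest, "kind": kind, "rotate": None}
    rest = fields[2:]
    if not rest:
        return entry, errors
    if rest[0] != "rotate":
        return entry, errors + [f"unexpected tokens after destination: {' '.join(rest)!r}"]
    if kind != "file":
        errors.append("rotate applies only to a regular-file destination")
    rot = {"size": DEFAULT_SIZE, "files": None, "time": None, "compress": False, "archive": None}
    i = 1
    while i < len(rest):
        kw = rest[i]
        try:
            if kw == "compress":
                rot["compress"] = True
                i += 1
                continue
            if i + 1 >= len(rest):
                raise ValueError(f"{kw!r} needs a value")
            val = rest[i + 1]
            if kw == "size":
                rot["size"] = _number_with_unit(val, SIZE_UNITS, "size")
                if rot["size"] < MIN_SIZE:
                    raise ValueError(f"size {val!r} is below the 10k minimum")
            elif kw == "files":
                if not val.isdigit() or int(val) < MIN_FILES:
                    raise ValueError(f"files {val!r}: must be an integer of at least {MIN_FILES}")
                rot["files"] = int(val)
            elif kw == "time":
                rot["time"] = _number_with_unit(val, TIME_UNITS, "time")
            elif kw == "archive":
                rot["archive"] = val
            else:
                raise ValueError(f"unknown rotate keyword {kw!r}")
            i += 2
        except ValueError as exc:
            errors.append(str(exc))
            break                                   # stop at the first bad token in the clause
    entry["rotate"] = rot
    return entry, errors


def check_config(text):
    """Return [(lineno, errors)] for every non-comment line that fails validation."""
    bad = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        _, errors = parse_line(line)
        if errors:
            bad.append((lineno, errors))
    return bad


# Constructed sample: the page's two rotating entries plus three entries that break the rules.
SAMPLE_CONF = """\
# constructed sample /etc/syslog.conf
*.info       /var/adm/syslog/syslog.log
*.crit       /var/adm/syslog/syslog.log rotate time 1d files 9
daemon.debug /var/adm/ftpd.log rotate size 1024k files 5
*.info       /var/adm/small.log rotate size 5k
*.info       /var/adm/spaced.log rotate time 2 d
*.info       @loghost rotate size 1m
"""

if __name__ == "__main__":
    for lineno, errors in check_config(SAMPLE_CONF):
        print(f"line {lineno}: {'; '.join(errors)}")
```

Run it before copying a new syslog.conf into place; a line that fails here is one that syslogd will either ignore or apply with the 1m/unlimited defaults, which is how a "rotated" log quietly fills /var.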
8. Linux logrotate
• It allows automatic rotation, compression, removal, and mailing of log files. Each log file may be handled daily, weekly, monthly, or when it grows too large.
Normally, logrotate is run as a daily cron job. It will not modify a log multiple times in one day unless the criteria for that log are based on the log's size and logrotate is being run multiple times each day, or unless the "-f" or "--force" option is used.
• Cron job /etc/cron.daily/logrotate
#!/bin/sh

/usr/sbin/logrotate /etc/logrotate.conf
EXITVALUE=$?
if [ "$EXITVALUE" != 0 ]; then
    /usr/bin/logger -t logrotate "ALERT exited abnormally with [$EXITVALUE]"
fi
exit 0
10. Linux logrotate Command Usage
Usage: logrotate [OPTION...] <configfile>
  -d, --debug             Don't do anything, just test (implies -v)
  -f, --force             Force file rotation
  -m, --mail=command      Command to send mail (instead of `/bin/mail')
  -s, --state=statefile   Path of state file
  -v, --verbose           Display messages during rotation

Help options:
  -?, --help              Show this help message
  --usage                 Display brief usage message
11. Linux /etc/logrotate.d Directory
# ls /etc/logrotate.d
bittorrent      fail2ban        squid           yum             nagios
samba           collectl        mgetty          syslog          cups
setroubleshoot  tux             psacct          snmpd           munin-node
rpm             clamav-update   httpd           squidGuard      zabbix
named           sa-update       mimedefang      ppp             dirmngr
munin           wpa_supplicant
12. Linux /etc/logrotate.d Example
# cat /etc/logrotate.d/httpd
/var/log/httpd/*log {
    missingok
    notifempty
    sharedscripts
    postrotate
        kill -HUP `cat /var/run/httpd.pid 2>/dev/null` 2> /dev/null || true
    endscript
}
Two things to keep in mind with this common pattern: postrotate runs as root and signals whatever process ID the pid file contains, so /var/run/httpd.pid must not be writable by the web server's unprivileged user; and the trailing "|| true" hides a failed reload, after which httpd keeps writing to the renamed file until the next restart while the fresh log stays empty.
13. Solaris logadm
• Starting from Solaris 9, there is a standard tool, called logadm, to rotate logs
• logadm is an independent utility (unlike the capability integrated in the syslog daemon that can be found in AIX). The logadm command is a preconfigured entry in the default crontab file supplied starting with Solaris 9
• The /usr/lib/newsyslog script is no longer used
• Before Solaris 9 there was the FreeBSD-style tool newsyslog located in /usr/lib and the Perl script rotatelog. It was run from cron. For Solaris 8 and earlier, download the tar.gz file, untar it, go into the new directory, and execute make install. It will install /usr/local/sbin/rotatelog and /usr/local/etc/rotatelog.conf
14. Solaris /etc/logadm.conf (part 1/2)
logadm.conf specifies the schedule for log rotation and the options with which rotation will be performed. The default configuration:
/var/log/syslog -C 8 -P 'Sun Sep 14 17:10:00 2008' -a 'kill -HUP `cat /var/run/syslog.pid`'
/var/adm/messages -C 4 -P 'Fri Sep 12 17:10:00 2008' -a 'kill -HUP `cat /var/run/syslog.pid`'
/var/cron/log -P 'Fri Aug 22 17:10:00 2008' -c -s 512k -t /var/cron/olog
/var/lp/logs/lpsched -C 2 -N -t '$file.$N'
16. Solaris logadm Command Usage (part 1/3)
Usage: logadm [options]
       (processes all entries in /etc/logadm.conf or conffile given by -f)
   or: logadm [options] logname...    (processes the given lognames)

General options:
        -e mailaddr     mail errors to given address
        -f conffile     use conffile instead of /etc/logadm.conf
        -h              display help
        -N              not an error if log file nonexistent
        -n              show actions, don't perform them
        -r              remove logname entry from conffile
        -V              ensure conffile entries exist, correct
        -v              print info about actions happening
        -w entryname    write entry to config file
17. Solaris logadm Command Usage (part 2/3)
Options which control when a logfile is rotated:
(default is: -s1b -p1w if no -s or -p)
        -p period       only rotate if period passed since last rotate
        -P timestamp    used to store rotation date in conffile
        -s size         only rotate if given size or greater

Options which control how a logfile is rotated:
(default is: -t '$file.$n', owner/group/mode taken from log file)
        -a cmd          execute cmd after taking actions
        -b cmd          execute cmd before taking actions
        -c              copy & truncate logfile, don't rename
        -g group        new empty log file group
        -l              rotate log file with local time rather than UTC
        -m mode         new empty log file mode
        -M cmd          execute cmd to rotate the log file
        -o owner        new empty log file owner
        -R cmd          run cmd on file after rotate
        -t template     template for naming old logs
        -z count        gzip old logs except most recent count
18. Solaris logadm Command Usage (part 3/3)
Options which control the expiration of old logfiles:
(default is: -C10 if no -A, -C, or -S)
        -A age          expire logs older than age
        -C count        expire old logs until count remain
        -E cmd          run cmd on file to expire
        -S size         expire until space used is below size
        -T pattern      pattern for finding old logs
19. Solaris logadm and Timezone
• By default, logadm works in GMT (UTC). The -P rotation timestamps written to /etc/logadm.conf are always recorded in UTC
• The "-l" option makes the strftime percent sequences in a -t template use local time when naming rotated files; it does not change the -P timestamp
20. Solaris logadm – Example for wtmpx
• Add into /etc/logadm.conf
/var/adm/wtmpx -C 12 -P 'Mon Oct 13 17:00:00 2008' -s 100m -z 0
"-C 12" keeps 12 rotated versions of the log file
"-P ..." records the time of the last rotation (logadm rewrites it after every rotation); it is the reference point for any -p period
"-s 100m" rotates only once the log file is 100 MB or larger
"-z 0" gzips every rotated copy (a count of 0 leaves none uncompressed)
Do not confuse /var/adm/wtmpx (the login history, which grows without bound) with /var/adm/utmpx, which holds the current login sessions and must not be rotated
• Run command:
# logadm
• Check it:
# logadm -V
21. HP-UX 11i syslogd
• HP-UX 11i v1 and earlier do not have log file automation
• On HP-UX 11.23 and later, syslogd logs messages into a set of files. Once the size of a log file reaches 2 GB, syslogd stops logging to that file. Configure the maximum size of syslogd log files by setting the variable LOG_SIZE in /etc/default/syslogd
The value of LOG_SIZE can be any positive integer greater than 2, representing the maximum size of the file in GB. When LOG_SIZE=NOLIMIT, syslogd uses the limit imposed by the file system on file size
Because syslogd stops writing rather than rotating when the limit is reached, anything that can generate enough log volume can suppress further local logging; rotate well before the limit and alert on the file size
22. HP-UX 11i syslogd Simple Rotation
# /sbin/init.d/syslogd stop
# /sbin/init.d/syslogd start
It will rename syslog.log to OLDsyslog.log in the /var/adm/syslog directory. Only one generation is kept this way: the next restart overwrites OLDsyslog.log, so copy it elsewhere first if it must be retained.
23. HP-UX 11i Other RC Cleanups
• /etc/rc.config.d/clean_tmp for /tmp cleanup at boot
CLEAR_TMP=1
• /etc/rc.config.d/clean
CLEAN_ADM=1
CLEAN_UUCP=1
/var/adm/sulog, /var/adm/diaglog and /var/adm/messages are renamed to OLD*
• /etc/rc.config.d/clean_uucp
CLEAN_UUCP=1
runs uuclean(1m) at boot
24. HP-UX 11i Examples of Log Directories and Files
• Examples of log files and directories that can grow out of bounds:
/var/spool/lp
/var/adm/lp
/var/opt/perf/datafiles
lost+found directories in the top level of each file system
/var/adm/diag
/var/opt/ignite
/var/stm/logs/sys*
/var/adm/wtmp
/var/adm/wtmps
/var/adm/btmp
/var/adm/sw
(others truncated for the sake of brevity)
25. HP-UX 11i auto_parms.log
• /etc/auto_parms.log is updated by the auto_parms(1m) command, which handles first-boot configuration (setting of the unique system "initial identity parameters") and ongoing management of DHCP leases
• auto_parms(1m) saves the old copy into /etc/auto_parms.log.old
26. HP-UX 11i rc.log
• Run Command (RC) scripts update /etc/rc.log at boot time
• At reboot, the previous version of /etc/rc.log is renamed to /etc/rc.log.old
27. HP-UX 11i EMS Logs
• The EMS log files in /etc/opt/resmon/log are limited to 500 KB in size and are then moved to <logfile>.old. The previous *.old is lost
• The limit of 500 KB per logfile can be removed by creating the file /etc/opt/resmon/unlimited_log
• Be careful with creating unlimited_log. Growing EMS log files can easily fill up the root file system
28. HP-UX 11i Glance and MeasureWare Logs
• /var/opt/perf/parm is read by both the GlancePlus product and the MeasureWare products. Glance uses only the Application definitions
size global=10, application=10, process=20, device=10, transaction=10
The sizes are in MB
• The logfiles are stored in the /var/opt/perf/datafiles directory
29. HP-UX 11i Integrity VM Driver Log File
• /var/opt/hpvm/common/hpvm_mon_log is limited to 1024 KB by default. When the log file grows larger than this, it is copied to a new file (hpvm_mon_log.$time) and an empty one is created for the new log
• To allow this log file to grow larger than 1024 KB, include the following line in /etc/rc.config.d/hpvmconf
VMMLOGSIZE=10420   # in KB
Then restart the daemon:
# kill -HUP `cat /var/run/hpvmmonlogd.pid`
30. HP-UX 11i Integrity VM Guest Log File
• /va r/o p t/hp vm /g ue s ts /g ue s t_ na m e /lo g file records
guest start and stop information. These log files can
grown very large
To close the current log file, rename it, and open a
new one:
# hp vm c o ns o le re c -ro ta te
31. HP-UX 11i SMH
# cat /opt/hpsmh/conf.common/smhpd.xml
<?xml version="1.0" encoding="UTF-8"?>
<system-management-homepage>
<admin-group></admin-group>
<operator-group></operator-group>
<user-group></user-group>
<allow-default-os-admin>True</allow-default-os-admin>
<anonymous-access>False</anonymous-access>
<localaccess-enabled>False</localaccess-enabled>
<localaccess-type>Anonymous</localaccess-type>
<trustmode>TrustByCert</trustmode>
<xenamelist></xenamelist>
<ip-restricted-logins>False</ip-restricted-logins>
<ip-restricted-include></ip-restricted-include>
<ip-restricted-exclude></ip-restricted-exclude>
<ip-binding>False</ip-binding>
<ip-binding-list></ip-binding-list>
<rotate-logs-size>N</rotate-logs-size>
</system-management-homepage>
32. HP-UX 11i TCB Auditing
• It records instances of access by subjects to objects and allows detection of any (repeated) attempts to bypass the protection mechanism and any misuses of privileges
• audsys allows the user to start or halt the auditing system, to specify the auditing system "current" and "next" audit files (and their switch sizes), or to display auditing system status information. The "current" audit file is the file to which the auditing system writes audit records. When the "current" file grows to either its Audit File Switch (AFS) size or its File Space Switch (FSS) size (see audomon), the auditing system switches to write to the "next" audit file
# audsys
Auditing system is currently on
current file: /var/adm/audit/audfile1
next file:    /var/adm/audit/audfile2
statistics    afs Kb   used Kb   avail %   fs Kb     used Kb   avail %
current file: 10000    0         100       4825088   963704    80
next file:    10000    0         100       4825088   963704    80
33. HP-UX 11i HIDS
HIDS log files increase rapidly. However, the Configuration Change Console agent keeps log files truncated to save disk space. To ensure that the log files do not increase in size while the agent is not running, run a script to periodically truncate the HIDS log files.
A sample script to manage HIDS log files is provided. This script should be run from the crontab:
#!/bin/sh
# Archive the HIDS alert log once it exceeds ~5 MB, then remove the ids_1* work files.
# The original sample used a fixed suffix (_Dec_2008); a date-based one avoids
# overwriting the same archive on every run.
alertlog=/var/opt/ids/alert.log
if [ -f "$alertlog" ]; then
    filesize=`/bin/ls -l "$alertlog" | /bin/awk '{print $5}'`
    if [ "$filesize" -gt 5000000 ]; then
        mv "$alertlog" "$alertlog"_`date +%b_%Y`
    fi
fi
rm -f /var/opt/ids/ids_1*
Sample entry to configure the crontab to run every hour, where <location of script> is replaced by the actual path of the trunclog.sh file:
0 * * * * /<location of script>/trunclog.sh >/dev/null 2>&1
34. HP-UX 11i ServiceGuard Package Log File
• SCRIPT_LOG_FILE (SG 11.17+) is a package attribute that allows a name to be assigned to a package log file. It is necessary for support of multiple packages sharing a common package control script
• Legacy package configuration:
SCRIPT_LOG_FILE /etc/cmcluster/pkga/pkga.log
• Modular package configuration:
script_log_file $SGRUN/log/$SG_PACKAGE.log
35. HP-UX 11i ulimit
# ulimit -a
time(seconds)         unlimited
file(blocks)          unlimited
data(kbytes)          1048576
stack(kbytes)         8192
memory(kbytes)        unlimited
coredump(blocks)      4194303
nofiles(descriptors)  2048
36. HP-UX 11i v3 coreadm
# coreadm
     global core file pattern:
     init(1M) core file pattern:
           global core dumps: disabled
      per-process core dumps: enabled
     global setid core dumps: disabled
per-process setid core dumps: disabled
Leave the two setid settings disabled: a core image of a set-id process can contain data (passwords, keys, other users' files) that the unprivileged user who triggered the dump must not be able to read
37. HP-UX cleanup - HP-UX patch cleanup utility
# cleanup -c 1
The cleanup command provides functions useful when dealing with HP-UX patches.
The cleanup command logs all information to /var/adm/cleanup.log.
38. HP-UX savecrash utility
/etc/rc.config.d/savecrash
CHUNK_SIZE: Size of a single crash image file (how big you want each of image.n.x, image.n.x+1, etc. to be). If not specified, savecrash will choose one based on the physical memory size of the system. Can be specified in bytes (b), kilobytes (k), megabytes (m), or gigabytes (g). The default unit is KB. See the savecrash(1M) "-s" option for size constraints.
COMPRESS: Whether you want the kernel and crash image files to be compressed.
39. HP-UX Alternative Log File Tools (part 1/3)
• Old but maybe still applicable bundle (needs to be tested):
http://hpux.cs.utah.edu/hppd/hpux/Sysadmin/logrotate-2.5/
• Shell script logrotate:
http://iain.cx/src/logrotate/
• Scripts based on Perl modules like Logfile-Rotate
• Perl-Logrotate:
http://freshmeat.net/projects/perl-logrotate
40. HP-UX Alternative Log File Tools (part 2/3)
• newsyslog project (old and possibly obsolete):
http://www.weird.com/~woods/projects/newsyslog.html
• logtrim by Bill Hassell (released in the HP ITRC forum several years ago):
http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=1053445&admit=109447626+1221799837763+28353475
• Replace the standard syslog daemon with Syslog-NG and an SQL database:
http://www.balabit.com/network-security/syslogng/features/detailed
41. HP-UX Alternative Log File Tools (part 3/3)
• smartlog (very old bundles for HP-UX 10.20 and 11.00 only):
http://gatekeep.cs.utah.edu/hppd/hpux/Sysadmin/smartlog3.5/
• Many other Shell scripts, for example:
http://www.zazzybob.com/bin/logrevolver.sh.html
• LogWatch:
http://www2.logwatch.org:81/
42. HP-UX Syslog-NG
• Syslog-NG can write to an SQL database (MySQL, Microsoft SQL (MSSQL), Oracle, PostgreSQL, SQLite)
• Log rotation based on output filenames: output filenames can be built from templates that support macro expansion. For example, if the output filename template contains the month macro, a new file is created each month
• Often, syslog-ng is used for log file consolidation (centralized management)
43. Conclusion
• Log file management is mostly done reactively
• The majority of Unix admins I meet are not aware of the OS-native tools that are designed for log file administration
NAME
logadm - manage endlessly growing log files

SYNOPSIS
logadm [-options] logname...

DESCRIPTION
logadm is a general log rotation tool that is suitable for running from cron(1M).

Without arguments, logadm reads the /etc/logadm.conf file, and, for every entry found in that file, checks the corresponding log file to see if it should be rotated. Typically this check is done each morning by an entry in root's crontab(1).

If the logname argument is specified, logadm renames the corresponding log file by adding a suffix so that the most recent log file ends with .0 (that is, logfile.0), the next most recent ends with .1 (that is, logfile.1), and so forth. By default, ten versions of old log files are kept (that is, logfile.0 through logfile.9). At the point when what would be the eleventh file is logged, logadm automatically deletes the oldest version to keep the count of files at ten.

logadm takes a number of options. You can specify these options on the command line or in the /etc/logadm.conf file. The logadm command searches /etc/logadm.conf for lines of the form:

logname options

logname    Identifies an entry in /etc/logadm.conf. This can be a name or the pathname of the log file. If you specify a log file, rather than a name, for this field, it must be a fully qualified pathname.

options    Identifies command line options exactly as they would be entered on the command line. This allows commonly used log rotation policies to be stored in the /etc/logadm.conf file. See EXAMPLES. If options are specified both in /etc/logadm.conf and on the command line, those in the /etc/logadm.conf file are applied first. Therefore, the command line options override those in /etc/logadm.conf. Log file names specified in /etc/logadm.conf can contain filename substitution characters such as * and ?, that are supported by csh(1).

Two options control when a log file is rotated. They are: -s size and -p period. When using more than one of these options at a time, there is an implied "and" between them. This means that all conditions must be met before the log is rotated.

If neither of these two options is specified, the default conditions for rotating a log file are: -s 1b -p 1w, which means the log file is only rotated if the size is non-zero and if at least 1 week has passed since the last time it was rotated.

By specifying -p never as a rotation condition, any other rotation conditions are ignored and logadm moves on to the expiration of old log files. By specifying -p now as a rotation condition, a log rotation is forced.

Unless specified by the -o, -g, or -m options, logadm replaces the log file (after renaming it) by creating an empty file whose owner, group ID, and permissions match the original file.

Three options control when old log files are expired: -A age, -C count, and -S size. These options expire the oldest log files until a particular condition or conditions are met. For example, the combination -C 5 and -S 10m expires old log files until there are no more than 5 of them and their combined disk usage is no more than 10 megabytes. If none of these options are specified, the default expiration is -C 10, which keeps ten old log files. If no files are to be expired, use -C 0 to prevent expiration by default.
OPTIONS
The following options are supported:
-a post_command Execute the post_command after renaming
the log file. post_command is passed to sh -c.
Specify post_command as a valid shell
command. Use quotes to protect spaces or
shell metacharacters in post_command.
This option can be used to restart a
daemon that is writing to the file. When
rotating multiple logs with one logadm
command, post_command is executed only
once after all the logs are rotated, not
once per rotated log.
-A age Delete any versions that have not been
modified for the amount of time speci-
fied by age.
Specify age as a number followed by an h
(hours), d (days), w(weeks), m (months),
or y (years).
-b pre_command Execute pre_command before renaming the
log file. pre_command is passed to sh
-c.
Specify pre_command as a valid shell
command. Use quotes to protect spaces or
shell metacharacters in the pre_command.
This option can be used to stop a daemon
that is writing to the file. When rotat-
ing multiple logs with one logadm com-
mand, pre_command is executed only once
before all the logs are rotated, not
once per rotated log.
-c Rotate the log file by copying it and
truncating the original logfile to zero
length, rather than renaming the file.
-C count Delete the oldest versions until there
are not more than count files left.
If no expire options (-A, -C, or -S) are
specified, -C 10 is the default. To
prevent the default expire rule from
being added automatically, specify -C 0.
-e mail_addr Send error messages by email to
mail_addr.
As logadm is typically run from
cron(1M), error messages are captured by
cron and mailed to the owner of the
crontab.
This option is useful you want the mail
regarding error messages to go to
another address instead. If no errors
are encountered, no mail message is gen-
erated.
-E cmd Execute cmd to expire the file, rather
than deleting the old log file to expire
it.
cmd is passed it to sh -c. The file is
considered expired after cmd completes.
If the old log file is not removed or
renamed by the cmd, logadm considers it
for expiration the next time that it
runs on the specified log file. If
present, the keyword $file is expanded
in the specified cmdto the name of the
file being expired.
This option is useful for tasks such as
mailing old log files to administrators,
or copying old log files to long term
storage.
-f conf_file Use conf_file instead of
/etc/logadm.conf.
This option allows non-root users to
keep their own logadm configuration
files.
-g group Create a new empty file with the ID
specified by group, instead of preserv-
ing the group ID of the log file.
Specify group by name or by numeric
group ID, as accepted by chgrp(1).
This option requires the ability to
change file group ownership using the
chgrp(1) command.
-h Print a help message that describes
logadm&apos;s options.
-l Use local time rather than the Coordi-
nated Universal Time (UTC) when naming
rotated log files (see the discussion of
percent sequences in the templates sup-
plied with the -t option).
-m mode Create a new empty file with the mode
specified by mode, instead of preserving
the mode of the log file.
Specify mode in any form that is
accepted by the chmod(1) command.
-M cmd Use cmd to rename the log file. If the
keyword $file is specified, it is
expanded to the name of the log file.
Similarly, the keyword $nfile is
expanded to the new name of the log
file. The $nfile keyword is only avail-
able with commands provided with the -M
option. After the command completes, the
log file is replaced by the rotate file.
The default cmd is &quot;/bin/mv $file
$nfile&quot;.
-n Print the actions that the logadm com-
mand will perform without actually per-
forming them.
This option is useful for checking argu-
ments before making any changes to the
system.
It is important to remember, however,
that since log rotating actions are only
printed with this option, logadm might
not find files that need expiring, but
if run without the -n logadm might
create a file that needs expiring by
performing the log rotating actions.
Therefore, if you see no files being
expired with the -n option, files still
might be expired without it.
-N Prevent an error message if the speci-
fied logfile does not exist. Normally,
logadm produces an error message if the
log file is not found. With -N, if the
log file doesn&apos;t exist logadm moves on
to the expire rules (if any) and then to
the next log file (if any), without
creating the empty replacement log file.
-o owner Create the new empty file with owner,
instead of preserving the owner of the
log file.
Specify owner in any form that is
accepted by the chown(1) command.
-p period Rotate a log file after the specified
time period (period) .
Specify period as a number followed by d
for days, h for hours, w for weeks, m
for months (really 30 days) or y for
years. There are also two special values
for period: now and never. -p now forces
log rotation. -p never forces no log
rotation.
-P timestamp Used by logadm to record the last time
the log was rotated in /etc/logadm.conf.
This option uses timestamp to determine
if the log rotation period has passed.
The format of timestamp matches the for-
mat generated by ctime(3C), with quotes
around it to protect embedded spaces.
timestamp is always recorded in the
Coordinated Universal Time (UTC)
timezone.
-r Remove any entries corresponding to the
specified logname from the
/etc/logadm.conf.
-R cmd Run the cmd when an old log file is
created by a log rotation. If the key-
word $file is embedded in the specified
command, it is expanded to the name of
the old log file just created by log
rotation.
This option is useful for processing log
file contents after rotating the log.
cmd is executed by passing it to sh -c.
When rotating multiple logs with one
logadm command, the command supplied
with -R is executed once every time a
log is rotated. This is useful for
post-processing a log file (that is,
sorting it, removing uninteresting
lines, etc.). The -a option is a better
choice for restarting daemons after log
rotation.
-s size Rotate the log file only if its size is
greater than or equal to size.
Specify size as a number followed by the
letter b for bytes, k for kilobytes, m
for megabytes, or g for gigabytes.
-S size Delete the oldest versions until the
total disk space used by the old log
files is less than the specified size.
Specify size as a number followed by the
letter b for bytes, k for kilobytes, m
for megabytes, or g for gigabytes.
-t template Specify the template to use when renam-
ing log files.
template can be a simple name, such as
/var/adm/oldfile, or it can contain spe-
cial keywords which are expanded by
logadm and are in the form $word.
Allowed sequences are:
$file The full
path name of
the file to
be rotated
$dirname The direc-
tory of the
file to be
rotated
$basename The log file
name,
without the
directory
name
$n The version
number, 0 is
most recent,
1 is next
most recent,
and so forth
$N The same as
$n, but
starts at 1
instead of
zero
$secs The number
of seconds
since
00:00:00
UTC, January
1,1970
$nodename Expands to
the output
of uname -n
$platform Expands to
the output
of uname -i
$isa Expands to
the output
of uname -p
$release Expands to
the output
of uname -r
$machine Expands to
the output
of uname -m
$domain Expands to
the output
of domain-
name
To actually have the dollar sign charac-
ter in the file name, use $$. Any per-
cent sequences allowed by strftime(3C)
are also allowed, for example, %d
expands to the day of the month. To
actually have a percent sign character
in the file name, use %%. Both dollar-
sign keywords and percent sequences can
appear anywhere in the template. If the
template results in a pathname with
non-existent directories, they are
created as necessary when rotating the
log file.
If no –t option is specified, the default
template is $file.$n. Actual rotation of
log files, where each version is shifted
up until it expires is done using the $n
keyword. If the template does not con-
tain the $n keyword, the log file is
simply renamed to the new name and then
the expire rules, if any, are applied.
-T pattern Normally logadm looks for a list of old
log files by turning the template
(specified with the -t option) into a
pattern and finding existing files whose
names match that pattern. The -T option
causes the given pattern to be used
instead.
This option is useful if another program
fiddles with the old log file names,
like a cron job to compress them over
time. The pattern is in the form of a
pathname with special characters such as
* and ? as supported by csh(1) filename
substitution.
-v Print information about the actions
being executed in verbose mode.
-V Validate the configuration file.
This option validates that an entry for
the specified logname exists in the
/etc/logadm.conf file and is syntacti-
cally correct. If logname is not speci-
fied, all entries in the configuration
file are validated. If a logname argu-
ment is specified, the command validates
the syntax of that entry. If the entry
is found, it is printed and the exit
value of the command is true. Otherwise
the exit value is false.
-w entryname Write an entry into the config file
(that is, /etc/logadm.conf) that
corresponds to the current command line
arguments. If an entry already existed
for the specified entryname, it is
removed first. This is the preferred
method for updating /etc/logadm.conf,
because it prevents syntax errors in
that file. The entryname is an argument
to an invocation of logadm. The
entryname might be chosen as something
easy to remember or it can be the pathname
of the log file.
If no log file name is provided on a
logadm command line, the entry name is
assumed to be the same as the log file
name. For example, the following two
lines achieve the same result, keeping
two copies of rotated log files:
% logadm -C2 -w mylog /my/really/long/log/file/name
% logadm -C2 -w /my/really/long/log/file/name
-z count Compress old log files as they are
created. count of the most recent log
files are left uncompressed, therefore
making the count most recent files
easier to peruse. Use count of zero to
compress all old logs.
The compression is done with gzip(1) and
the resulting log file has the suffix of .gz.
OPERANDS
The following operands are supported:
logname Identifies the name of the entry
in /etc/logadm.conf. If the log
file name is specified in the
logname field, it is assumed
that logname is the same as the
actual log file name.
EXAMPLES
Example 1 Rotating a File and Keeping Previous Versions
The following example rotates the /var/adm/exacct/proc file,
keeping ten previous versions in /var/adm/exacct/proc.0
through /var/adm/exacct/proc.9.
Tell logadm to copy the file and truncate it.
% logadm -c /var/adm/exacct/proc
Example 2 Rotating syslog
The following example rotates syslog and keeps eight log
files. Old log files are put in the directory /var/oldlogs
instead of /var/log:
% logadm -C8 -t'/var/oldlogs/syslog.$n' /var/log/syslog
Example 3 Rotating /var/adm/sulog and Expiring Based on Age
The following entry in the /etc/logadm.conf file rotates the
/var/adm/sulog file and expires any copies older than 30
days.
/var/adm/sulog -A 30d
Example 4 Rotating Files and Expiring Based on Disk Usage
The following entry in the /etc/logadm.conf file rotates the
/var/adm/sulog file and expires old log files when more than
100 megabytes are used by the sum of all the rotated log
files.
/var/adm/sulog -S 100m
Example 5 Creating an Entry that Stores the Logfile Name
This example creates an entry storing the log file name and
the fact that we want to keep 20 copies in /etc/logadm.conf,
but the -p never means the entry is ignored by the normal
logadm run from root's crontab every morning.
% logadm -w locallog /usr/local/logfile -C20 -p never
Use the following entry on the command line to override the
-p never option:
% logadm -p now locallog
Example 6 Rotating the apache Error and Access Logs
The following example rotates the apache error and access
logs monthly to filenames based on current year and month.
It keeps the 24 most recent copies and tells apache to restart
after renaming the logs.
This command is run once, and since the -w option is specified,
an entry is made in /etc/logadm.conf so the apache
logs are rotated from now on.
% logadm -w apache -p 1m -C 24
-t '/var/apache/old-logs/$basename.%Y-%m'
-a '/usr/apache/bin/apachectl graceful'
'/var/apache/logs/*{access,error}_log'
This example also illustrates that the entry name supplied
with the -w option doesn't have to match the log file name.
In this example, the entry name is apache and once the line
has been run, the entry in /etc/logadm.conf can be forced to
run by executing the following command:
% logadm -p now apache
Because the expression matching the apache log file names
was enclosed in quotes, the expression is stored in
/etc/logadm.conf, rather than the list of files that it
expands to. This means that each time logadm runs from cron
it expands that expression and checks all the log files in
the resulting list to see if they need rotating.
The following command is an example without the quotes
around the log name expression. The shell expands the last
argument into a list of log files that exist at the time the
command is entered, and writes an entry to /etc/logadm.conf
that rotates the files.
logadm -w apache /var/apache/logs/*_log
NOTES
When logadm applies expire conditions (supplied by the -A,
-C, and -S options), it deletes files, the oldest first,
until the conditions are satisfied. If the template used for
naming the old logs contained $n or $N, logadm picks the
highest value of $n or $N found in the old log file names
first. If the template used is something else, logadm uses
the modification time to determine which files to expire
first. This might not be the expected behavior if an old log
file has been modified since it was rotated.
Note that, depending on log file sizes and number of log
files, log file rotations can be very time-consuming.
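The template expansion and $n shifting described under the -t option above, together with the -C expiry order described in these NOTES, as an added shell model. This is not logadm's own code and is not from the webinar: it handles $file, $basename, $n, the $$ and %% escapes and strftime %-sequences (through date(1)); $N, $dirname and the -A/-S expiry rules are left out, and it assumes log paths contain neither | nor &, which the sed commands treat specially. The sample log and its contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not logadm's code): a small model of logadm-style
# template expansion, $n version shifting and -C count expiry.

# expand_template TEMPLATE LOGFILE N -> prints the expanded pathname
expand_template() {
    _tmpl=$1; _log=$2; _n=$3
    _base=$(basename "$_log")
    # hide the literal escapes, substitute the keywords, restore $
    _fmt=$(printf '%s' "$_tmpl" | sed \
        -e 's/\$\$/__DOLLAR__/g' -e 's/%%/__PERCENT__/g' \
        -e "s|\\\$basename|$_base|g" \
        -e "s|\\\$file|$_log|g" \
        -e "s|\\\$n|$_n|g" \
        -e 's/__DOLLAR__/$/g')
    # date(1) expands the remaining %-sequences as strftime(3C) would;
    # a format without % is printed unchanged
    date +"$_fmt" | sed 's/__PERCENT__/%/g'
}

# highest_n TEMPLATE LOGFILE -> highest existing $n, or -1 if none
# (assumption: versions are contiguous, so the scan stops at a gap)
highest_n() {
    _i=0
    while [ -e "$(expand_template "$1" "$2" "$_i")" ]; do
        _i=$((_i + 1))
    done
    echo $((_i - 1))
}

# rotate_log TEMPLATE LOGFILE COUNT
# With $n in the template: shift every old version up by one, move the
# live log to version 0, recreate an empty live log, then delete the
# versions numbered COUNT and above, highest $n first (the order the
# NOTES describe). Without $n: just rename to the expanded name.
rotate_log() {
    _tmpl=$1; _log=$2; _count=$3
    case $_tmpl in
    *'$n'*)
        _hi=$(highest_n "$_tmpl" "$_log")
        _i=$_hi
        while [ "$_i" -ge 0 ]; do
            mv "$(expand_template "$_tmpl" "$_log" "$_i")" \
               "$(expand_template "$_tmpl" "$_log" $((_i + 1)))"
            _i=$((_i - 1))
        done
        _dest=$(expand_template "$_tmpl" "$_log" 0)
        mkdir -p "$(dirname "$_dest")"   # missing directories are created
        mv "$_log" "$_dest"
        : > "$_log"
        _i=$((_hi + 1))
        while [ "$_i" -ge "$_count" ]; do
            rm -f "$(expand_template "$_tmpl" "$_log" "$_i")"
            _i=$((_i - 1))
        done
        ;;
    *)
        _dest=$(expand_template "$_tmpl" "$_log" 0)
        mkdir -p "$(dirname "$_dest")"
        mv "$_log" "$_dest"
        : > "$_log"
        ;;
    esac
}

# demo_rotation -> rotates a constructed log five times with -C 3
# semantics and prints "<files>:<newest old version>:<oldest old version>"
demo_rotation() {
    _d=$(mktemp -d)
    _k=1
    while [ "$_k" -le 5 ]; do
        printf 'entry %d\n' "$_k" > "$_d/app.log"   # constructed content
        rotate_log '$file.$n' "$_d/app.log" 3
        _k=$((_k + 1))
    done
    _names=
    for _f in "$_d"/*; do
        _names="$_names${_names:+ }$(basename "$_f")"
    done
    printf '%s:%s:%s\n' "$_names" \
        "$(cat "$_d/app.log.0")" "$(cat "$_d/app.log.2")"
    rm -rf "$_d"
}

demo_rotation
```

After five rotations only app.log.0 through app.log.2 survive, holding entries 5, 4 and 3: the version number alone decides which file is oldest, which is the point the NOTES make. A template without $n (for example the $basename.%Y-%m form in Example 6) gives logadm no such ordering, so expiry falls back to modification time, and an old log that was touched after rotation would outlive newer ones.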
PREV_OLDSYSLOG_LINES: The number of kilo lines that should be carried
from the previous /var/adm/syslog/OLDsyslog.log along with the contents of previous
/var/adm/syslog/syslog.log to the current /var/adm/syslog/OLDsyslog.log. The value should
strictly be a number. Default is 0 which makes the present OLDsyslog.log contain only the previous
syslog.log contents.
* I once had a call to help with a critical case for a customer who had diaglogd_activity_log larger than 2 GB
(activity log of a MESA diagnostics daemon). It remained a mystery why level-1 and level-2 teams
did not detect this out-of-bounds growth.
Microsoft Windows version of SMH supports log file rotation:
<rotate-logs-size>N</rotate-logs-size>
The <rotate-logs-size> tag defines the HP SMH Rotate Logs file size.
To change the Rotate Logs file size, you will need to edit the configuration file
%SystemDrive%\hp\hpsmh\conf\smhpd.xml.
You can define the <rotate-logs-size> tag using any value between 1 and 99,
which represents the log size in megabytes.
A manually set-up process is necessary for automated audsys log file rotation.
IDS_ALERTFILE /var/opt/ids/alert.log
IDS_ERRORFILE /var/opt/ids/error.log
IDS_LISTEN_IFACE ""
IDS_RT_RESPONSE_DIR /opt/ids/rt_response
IDS_RESPONSE_DIR /opt/ids/response
They are defined as follows:
IDS_ALERTFILE
The full path name to the alert log file for this HP-UX HIDS agent process. Any alerts resulting from intrusive activity detected by the agent software will be logged to this file.
IDS_ERRORFILE
The full path name to the error log file for this HP-UX HIDS agent process. Any errors generated in the operation of the agent software will be logged to this file.
IDS_LISTEN_IFACE
The IP address or host name associated with the agent system’s network interface card.
On a system with only one IP address, this parameter does not need to be specified.
On a multihomed system (a system with more than one network interface card) this parameter is required.
IDS_RT_RESPONSE_DIR
The full path name to the automated response directory, containing executable binary or script programs that are executed on the agent node. These programs are executed when a real-time alert is generated and when both the Alert Aggregation and the Real Time Alerts options are enabled. The programs can take any actions that you deem appropriate.
IDS_RESPONSE_DIR
The full path name to the automated response directory containing executable binary or script programs that are executed on the agent node. These programs are executed either when alert aggregation is disabled and any alert is generated or when alert aggregation is enabled and an aggregated alert or an alert that is not or cannot be aggregated is generated. The programs can take any actions that you deem appropriate.
Can be set globally or per user
* HP-UX 11i v3 and above
Little reminder about crashdumps in HP-UX when the server has multiple CPUs:
One CPU per dump unit for an uncompressed dump. For example,
to achieve 4-way parallelism (4 dump units) in an uncompressed dump,
the system must have at least 4 CPUs.
Five CPUs per dump unit for a compressed dump (4 CPUs compressing data
and one CPU writing the data to the disks).