This section describes the resident daemon, hclfmd, that performs log file management. This resident daemon runs as root. It starts at boot time and performs the following functions:
It parses the list of log files in /etc/syslog.conf for file paths that do not start with /dev (files associated with system devices) and performs a cleanup, journal, and cycle pass every day.
For every log file written by syslogd, it performs the following functions:
It renames the existing log file and creates a new daily log.
It sends the restart signal (-HUP) to the syslog daemon to create a new daily log.
Every week it compresses the daily log files into a weekly archive and stores it as name.YYYYMMDD-YYYYMMDD.tar.z.
It discards weekly archives that are more than a month old.
It obtains the location of audit logs from /etc/security/audit_control and performs a cleanup, journal, and cycle pass every day.
It performs the following functions for every locally mounted audit directory:
It executes audit -n to create a new daily log. This signals the audit directory to close the current audit file and open a new audit file in the current audit directory.
Every week it compresses the daily log files into a weekly archive and stores it as audit.YYYYMMDD-YYYYMMDD.tar.z.
It discards weekly archives that are more than a month old.
It performs an intrusion detection check every 10 minutes.
It detects and reports every failed authorization entry in syslog files.
By default, /etc/opt/SUNWisp/hc/hclfmd.conf is configured to send mail to root for every failed authorization attempt entered in syslog.
You may reconfigure this file. By default, it contains the following entry:
/var/log/badauth:/usr/bin/mailx -s "%f" root < %c
where:
/var/log/badauth is the file where the entries are made.
/usr/bin/mailx -s is the command to send mail to root.
"%f" is the subject line of the mail, containing the name of the file where the entries were detected, and
"%c" is the new content of the syslog file.
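To make the entry format concrete, the following is an added Python illustration (not hclfmd's own code) of how such a line is parsed and how the %f and %c tokens are expanded before the mail command runs. It assumes that the first colon separates the log file path from the command, that hclfmd hands the expanded string to a shell, and that %c names a temporary file holding the new syslog content; the allow-list check on substituted values is an added defensive measure, not something the page states hclfmd does.

```python
import re

# Constructed sample containing the default entry quoted above.
SAMPLE_CONF = """
# <syslog file>:<command run with %f and %c expanded>
/var/log/badauth:/usr/bin/mailx -s "%f" root < %c
"""

# Characters accepted in a substituted value. Anything else (spaces,
# quotes, ';', '$', backticks) could change the meaning of the shell
# command the template is expanded into, so it is rejected.
_SAFE_VALUE = re.compile(r"^[A-Za-z0-9_./-]+$")


def is_safe_value(value):
    """True if value can be spliced into a shell template verbatim."""
    return bool(_SAFE_VALUE.match(value))


def parse_hclfmd_conf(text):
    """Return (logfile, command_template) pairs from hclfmd.conf text.

    Assumption: the first ':' ends the log file path (the command part
    may contain further colons); blank lines and '#' comments are skipped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        path, sep, template = line.partition(":")
        if not sep or not path.startswith("/") or not template.strip():
            raise ValueError(f"malformed hclfmd.conf entry: {raw!r}")
        entries.append((path, template.strip()))
    return entries


def expand_command(template, logfile, content_path):
    """Expand %f (file name) and %c (path of the new content).

    Refuses values that would inject shell syntax into the mail command.
    """
    for value in (logfile, content_path):
        if not is_safe_value(value):
            raise ValueError(f"unsafe substitution value: {value!r}")
    return template.replace("%f", logfile).replace("%c", content_path)
```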