Log File Management (Solaris for ISPs Administration Guide)

Solaris for ISPs Administration Guide

Log File Management

This section describes the resident daemon, hclfmd,that performs log file management. This resident daemon runs as root. It starts at boot time and performs the following functions:

It parses the list of log files in /etc/syslog.conf for file paths that do not start with /dev (files associated with system devices) and performs a cleanup, journal, and cycle pass every day.

For every log file written by syslogd, it performs the following functions:
- It renames the existing log file and creates a new daily log.
- It sends the restart signal (-HUP) to the syslog daemon to create a new daily log.
- It generates a weekly archive by compressing daily log files every week and stores it as name.YYYYMMDD-YYYYMMDD.tar.z.
- It discards weekly archives that are more than a month old.
It obtains the location of audit logs from /etc/security/audit_control and performs a cleanup, journal, and cycle pass every day.

It performs the following functions for every locally mounted audit directory:
- It executes audit -n to create a new daily log. This signals the audit directory to close the current audit file and open a new audit file in the current audit directory.
- It generates a weekly archive by compressing daily log files every week and stores it as audit.YYYYMMDD-YYYYMMDD.tar.z.
- It discards weekly archives that are more than a month old.
It performs an intrusion detection check every 10 minutes.
- It detects and reports every failed authorization entry in syslog files.
- By default, /etc/opt/SUNWisp/hc/hclfmd.conf is configured to send mail to root for every failed authorization attempt entered in syslog.
  
  Note -
  You may re-configure this file. By default, it is configured as follows: /var/log/badauth:/usr/bin/mailx -s "%f" root < %c where:
  - /var/log/badauth is the file where the entries are made.
  - /usr/bin/mailx -s is the command to send mail to root.
  - "%f" is the subject-line of the mail, containing the name of the file where the entries were detected, and
  - "%c" is the new content of the syslog file.