Saturday, December 14, 2013

Where are the logs stored?

Whenever I create a Solaris zone or reboot a zone, where are the logs stored? /var/adm/messages?


Solaris systems use the /var directory to store logs and other 
local files so that the operating system can support other directories being 
mounted as read only, sometimes from file servers elsewhere on the network. 
The /var directory is thus often on a partition that is local to the 
system. 

Because log files often provide the only indication of an 
intrusion, intruders often attempt to erase any evidence of their activities 
by removing or modifying the log files. For this reason, it is very 
important that your log files be adequately protected to make it as 
difficult as possible for intruders to change or remove them. 

*1. /var/adm/messages:* 

This file is a catch-all log file for a number of messages from the UNIX 
kernel as well as for other logging applications such as syslogd. The file 
is formatted as an ASCII text file and entries are usually one record per 
line with new entries appended to the end of the file. 

*Note:* that the messages file can get very large quickly and should be 
rotated regularly to ensure that it does not consume too much local disk 
space 

The following is a sample excerpt from a messages file. Each pair of 
lines shown below appears as one line in the file: 

Oct 31 04:05:01 unix.fghij.net syslogd: restart 
Oct 31 04:05:02 unix.fghij.net named[112]: unapproved query 
from [10.10.0.1].32768 for "loghost.local.net" 

*2. /var/log/sulog:* 

The sulog file, /var/adm/sulog, is a log containing all attempts 
(whether successful or not) of the su command. An entry is added to 
the sulog file every time the su command is executed. The fields in 
sulog are: date, time, successful (+) or unsuccessful (-), port, user 
executing the su command, and user being switched to. 

SU 11/17 16:26 + pts/3 hilgarj-root 
SU 11/17 22:22 + pts/3 hilgarj-root 
SU 11/18 09:13 - pts/2 mcevoyg-root 
SU 11/18 09:14 - pts/2 mcevoyg-root 

*3. /var/adm/loginlog:* 

Unsuccessful login attempts after five consecutive failures are logged 
in the file /var/adm/loginlog, but only if the file 
/var/adm/loginlog exists, is owned by root, group sys, and has read 
and write permissions only for root. Follow this procedure to create 
and configure the file /var/adm/loginlog for unsuccessful login 
attempt logging: 

1. Log in (or su) as root. 
2. Enter the command touch /var/adm/loginlog. 
3. Enter the command chown root /var/adm/loginlog. 
4. Enter the command chgrp sys /var/adm/loginlog. 
5. Enter the command chmod 600 /var/adm/loginlog. 

The following is an example entry written into /var/adm/loginlog 

*4. /var/adm/wtmpx (lastlog):* 

The last command displays login/logout and system boot information in 
time sequence order. last reads the binary file /var/adm/wtmpx, which 
is written to every time a user logs in or out and when the system is 
rebooted. An example of last command output is: 

pete console :0 Wed Apr 1 20:52 still logged in 
pete console :0 Wed Apr 1 20:40 - 20:51 (00:10) 
pete console :0 Mon Feb 23 21:31 - 20:39 (36+23:08) 
reboot system boot Mon Feb 23 21:13 

Likewise: 

*Install Log* 

The system install log, found in /var/sadm/system/logs/install_log, is 
generated when Solaris is installed on the system. The install log 
contains all of the character output generated throughout Solaris 
installation. The log contains information such as disk partitioning 
and formatting, software module installation status, and mount points. 

*Volume Manager Log* 

The volume manager log, /var/adm/vold.log, is used by the Solaris 
Volume Manager (the software that manages the CD-ROM and diskette 
drives and automates the user-system interaction when using those 
drives). 

*sysidtool Log* 

The sysidtool log, found in /var/sadm/system/logs/sysidtool.log, is 
generated by the sysidtool tool suite, itself run automatically at 
system installation time or when the system is unconfigured with 
sys-unconfig. This log can be useful for double-checking the 
configuration of a newly installed or reinstalled system to see what, 
if any, changes have occurred. 

The generic Solaris installation includes a syslog file that sends 
most logging information to the /var/adm/messages file; only 
mail.debug information is sent to the /var/adm/syslog file. One 
particular shortcoming of the Solaris default installation is that 
auth.notice messages aren't logged anywhere. 

All of the log files described below can be found in subdirectories 
under /var. There may be other application-specific log files that you 
will also need to inspect. However, it is beyond the scope of this 
implementation to describe all of the log files that you might want to 
inspect for your specific Solaris installation. 

Because log files often provide the only indication of an intrusion, 
intruders often attempt to erase any evidence of their activities by 
removing or modifying the log files. For this reason, it is very 
important that your log files be adequately protected to make it as 
difficult as possible for intruders to change or remove them. See the 
practice "Managing logging and other data collection mechanisms" 
<http://www.cert.org/security-improvement/practices/p092.html> for 
more information on this topic. 

*adm/utmp, adm/utmpx, adm/wtmp, and adm/wtmpx* 

These files contain user and accounting information that is recorded 
when a user logs in, logs out, or starts a new shell process with an 
application such as xterm or screen. Records written to these log files 
by the managing application contain account activity for the system. 

The data in these files are written as binary data so they must be 
read by a tool specifically designed to do so, such as last(1) and 
who(1). See the system man pages for last(1) and who(1) for additional 
information on the data and display formats available with these 
tools. 

*adm/lastlog* 

This binary log file stores information about a user who has logged 
into the system. It is kept up to date by utilities such as login(1) 
and in.uucpd(1M). The data are viewable with tools such as last(1), 
who(1), and finger(1). Refer to the system man pages for more 
information. 

*adm/sulog* 

The sulog file is a record of all attempts by users on the system to 
execute the su(1M) command. Each time su(1M) is executed, an entry is 
added to the sulog file. 

The format of this human-readable text file includes date, time, 
success/failure (+/-), and both the current and requested account. The 
following is a sample excerpt from a sulog file: 


SU 08/28 11:41 - pts/1 jxk-root 
SU 08/28 11:41 + pts/1 jxk-root 
SU 09/14 13:05 + pts/0 thimbl-root 
SU 09/14 14:58 + pts/0 thimbl-root 
SU 09/16 13:52 + pts/0 thimbl-root 
SU 09/16 15:16 + pts/2 thimbl-guest 
SU 10/19 14:17 - pts/2 marchok-root 
SU 10/19 14:17 + pts/2 marchok-root 

--- 

*/var/log* 
This log directory is sometimes used to store miscellaneous log files, 
including log files created by syslog for messages that are not written to 
/usr/adm/messages or to the system console. 

*Syslog files* 

Often a number of miscellaneous syslog files are written to /var/log for 
logging events that are not logged elsewhere, such as mail, news, and user 
events. You can view which of these events are written to this directory (or 
any other log files) by reviewing the syslog config file /etc/syslog.conf. 
For example, the following syslog.conf file writes several specific log 
files to the /var/log directory: 


#syslog configuration file (loghost) 

#output to console 
*.err;mail,kern.notice;daemon,auth.debug;%%LINK%% /dev/console 
#output to local file "messages" for automatic log file analysis 
*.err;auth,daemon,mark,kern.debug;mail,user.notice /var/adm/messages 
#output to local files for archiving messages of potential interest 
auth.debug /var/log/auth.log 
daemon.debug /var/log/daemon.log 
lpr.debug /var/log/lpr.log 
mail.debug /var/log/mail.log 
news.debug /var/log/news.log 
uucp.debug /var/log/uucp.log 
user.debug /var/log/user.log 

#end of /etc/syslog.conf 


*log/sysidconfig.log* 

This log file is created by the sysidconfig(1M) command, which executes 
system configuration applications or defines a set of system configuration 
applications. Specific information about this and other related system 
configuration tools can be found in the system man pages for sysidconfig. 

--- 

*/var/cron* 
This directory contains the files that you would find associated with the 
system's cron(1M) and at(1) functions. 

*cron/log* 

This file contains log entries for cron(1M) and at(1) jobs that have been run 
on the local machine. This file is a text file that lists the command that 
was run, at what time, and as what user. The following example log file 
contains both a cron and at job entry: 

> CMD: /usr/lib/uucp/uudemon.hour 
> uucp 14572 c Mon Nov 9 19:11:00 1998 
< uucp 14572 c Mon Nov 9 19:11:00 1998 
> CMD: 910656780.a 
> root 14592 a Mon Nov 9 19:13:00 1998 
< root 14592 a Mon Nov 9 19:13:01 1998 

*/var/log/utmp; /var/log/utmpx* 

These logs keep track of users currently logged into the system. Using the 
who command, check the users logged in at the current time: 

<userid> pts/1 Mar 31 08:40 (origination hostname) 

Look for user logins that are unexpected (e.g., for staff on vacation), 
occur at unusual times during the day, or originate from unusual locations. 

*/var/log/wtmp; /var/log/wtmpx* 

These logs keep track of logins and logouts. Using the last command, do the 
following: 

Look for user logins occurring at unusual times. 

<userid> pts/4 <hostname> Sat Mar 22 03:14 - 06:02 (02:47) 

Look for user logins originating from unusual places (locations, addresses, 
and devices). 

<userid> pts/12 <strange hostname> Fri Mar 21 08:59 - 13:30 (04:31) 

Look for unusual reboots of the system. 

reboot system boot Sun Mar 23 05:36 

*/var/log/syslog* 

By default, the syslog file will contain only messages from mail (as defined 
in the /etc/syslog.conf file). Look for anything that looks unusual. 

*/var/adm/messages* 

This log records system console output and syslog messages. Look for 
unexpected system halts. 

Look for unexpected system reboots. 

Mar 31 12:48:41 user.info unix: rebooting... 

Look for failed su and login commands. 

Mar 30 09:14:00 <hostname> login: 4 LOGIN FAILURES ON 0, <userid> 

Mar 31 12:37:43 <hostname> su: 'su root' failed for <userid> on /dev/pts/?? 

Look for unexpected successful su commands. 

Mar 28 14:31:11 <hostname> su: 'su root' succeeded for <userid> on /dev/console 

*/var/adm/pacct* 

This log records the commands run by all users. Process accounting must be 
turned on before this file is generated. You may want to use the 
lastcomm command 
to audit commands run by a specific user during a specified time period. 

compile <userid> ttyp1 0.35 secs Mon Mar 31 12:59 

*/var/adm/aculog* 

This log keeps track of dial-out modems. Look for records of dialing out 
that conflict with your policy for use of dial-out modems. Also look for 
unauthorized use of the dial-out modems. 
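The sulog review described above (failed su attempts, successful su to root, and the failure-then-success pattern visible in the sample records), as an added shell/awk example that is not part of the post; the records it reads are constructed in the post's sulog format.

```shell
#!/bin/sh
# Added example, not from the original post: triage a Solaris sulog whose
# records look like "SU MM/DD HH:MM +|- tty caller-target" (format above).

# Constructed sample records in that format.
SAMPLE_SULOG='SU 11/17 16:26 + pts/3 hilgarj-root
SU 11/18 09:13 - pts/2 mcevoyg-root
SU 11/18 09:14 - pts/2 mcevoyg-root
SU 11/18 09:15 - pts/2 mcevoyg-root
SU 09/16 15:16 + pts/0 thimbl-guest
SU 10/19 14:17 - pts/2 marchok-root
SU 10/19 14:17 + pts/2 marchok-root'

# Print "caller->target count" for each pair with at least $1 failed su
# attempts (default 1). Reads sulog records on stdin.
sulog_failed_su() {
    awk -v min="${1:-1}" '
        $1 == "SU" && $4 == "-" {
            n = split($6, a, "-")       # a[1] = caller, a[n] = target
            fail[a[1] "->" a[n]]++
        }
        END { for (k in fail) if (fail[k] >= min) print k, fail[k] }' | sort
}

# Print "date time tty caller" for every successful su to root.
sulog_root_success() {
    awk '$1 == "SU" && $4 == "+" && $6 ~ /-root$/ {
        sub(/-root$/, "", $6); print $2, $3, $5, $6
    }'
}

# Print the record key when a failure is followed, within the same minute,
# tty and caller-target pair, by a success: a typo, or a guessed password.
sulog_fail_then_success() {
    awk '$1 == "SU" {
        key = $2 " " $3 " " $5 " " $6
        if ($4 == "-") failed[key] = 1
        else if (failed[key]) print key
    }'
}

# Usage on the sample; on a real system feed /var/adm/sulog instead.
printf '%s\n' "$SAMPLE_SULOG" | sulog_failed_su 2
printf '%s\n' "$SAMPLE_SULOG" | sulog_root_success
printf '%s\n' "$SAMPLE_SULOG" | sulog_fail_then_success
```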


The log files are stored in the /var directory; which file in /var they are 
stored in depends on the activity you performed with the zones... 
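The five-step loginlog procedure from the long reply above, together with this reply's point that login failures are only recorded when /var/adm/loginlog exists, as an added shell example that is not from either post. The path is taken from the posts; the check function parses `ls -ld` output so it can be tested without root.

```shell
#!/bin/sh
# Added example, not from either post above: perform the five loginlog steps
# as one function and verify the result, since login(1) only records repeated
# failures when the file exists, is owned by root, group sys, and is mode 600.

LOGINLOG=${LOGINLOG:-/var/adm/loginlog}

# Steps 2-5 of the procedure; step 1 is running this as root.
loginlog_setup() {
    touch "$1" && chown root "$1" && chgrp sys "$1" && chmod 600 "$1"
}

# Check one line of "ls -ld" output: mode exactly -rw-------, owner root,
# group sys. A trailing "." (Linux SELinux label) is tolerated so the check
# runs on non-Solaris hosts; a "+" (extra ACL entries) is not, since an ACL
# could widen access beyond root.
loginlog_check_line() {
    set -- $1                     # word-split the ls line into fields
    case $1 in
        -rw-------|-rw-------.) ;;
        *) return 1 ;;
    esac
    [ "$3" = "root" ] && [ "$4" = "sys" ]
}

# Check a real path; exit status 0 means failed logins will be recorded.
loginlog_check() {
    [ -f "$1" ] && loginlog_check_line "$(ls -ld "$1")"
}

# Usage: report without changing anything; run loginlog_setup as root to fix.
if loginlog_check "$LOGINLOG"; then
    echo "$LOGINLOG: ready to record failed logins"
else
    echo "$LOGINLOG: missing or wrongly protected"
fi
```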

For example: 
You created a zone, and when logging in to it you type a WRONG password 
5 times; then it will be stored in /var/adm/loginlog, but only if the file 
/var/adm/loginlog exists.. 

If you want to direct the error and warning messages of only Solaris zones, 
then make a file, go to /etc/syslog.conf, follow the procedure for how to 
configure a log, and redirect the output to that file. 
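The syslog.conf redirection this reply describes, and the earlier note that a default install logs auth.notice nowhere, as an added shell example that is not from any of the posts. It writes rules with the tab separator Solaris syslogd requires and lints a file for space-separated rules (the sample config pasted above uses spaces); the target path /var/log/authlog and the svcadm refresh step are assumptions for a Solaris 10 or later system.

```shell
#!/bin/sh
# Added example, not from the posts above: write syslog.conf rules the way
# Solaris syslogd parses them (selector, TAB, action) and lint a file for
# rules that use spaces instead, which syslogd does not apply. The rule added
# below sends auth.notice, unlogged by a default install, to its own file;
# the file path and the refresh command are assumptions for Solaris 10+.

# Print one rule with the required tab separator.
syslog_rule() {                 # usage: syslog_rule SELECTOR ACTION
    printf '%s\t%s\n' "$1" "$2"
}

# Read a syslog.conf on stdin; print every rule whose selector and action
# are not tab-separated, and exit 1 if any were found.
syslog_lint() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $0 !~ /^[^ \t]+\t+[^\t]+$/ { bad++; print "line " NR ": " $0 }
        END { if (bad) exit 1 }'
}

# Append a rule, create the target file (syslogd does not create it) and
# make syslogd reread its configuration.
syslog_add_rule() {             # usage: syslog_add_rule SELECTOR ACTION [CONF]
    syslog_rule "$1" "$2" >> "${3:-/etc/syslog.conf}" || return 1
    case $2 in /*) touch "$2" && chmod 600 "$2" ;; esac
    svcadm refresh svc:/system/system-log:default
}

# Constructed sample: a comment, two valid rules and one space-separated rule.
SAMPLE_CONF=$(
    printf '#%s\n' 'auth.notice is not logged by a default install'
    printf '%s\t%s\n' auth.notice /var/log/authlog mail.debug /var/log/mail.log
    printf '%s\n' 'daemon.debug /var/log/daemon.log'
)

printf '%s\n' "$SAMPLE_CONF" | syslog_lint   # reports line 4
```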
