What's Not Logged
- Logins via rexec: the Solaris rexec daemon does not
log events. (I found a third-party daemon which does, but it does not
understand PAM --- necessary for LDAP authentication.)
What's Logged
/var/adm/:
- utmp, utmpx, wtmp and wtmpx: recent login
details --- this data is summarised and moved into acct (below) on
a daily basis.
- acct and pacct:
system-accounting data, e.g., CPU usage, disk-space usage,
processes started --- mostly username-related data;
- messages receives many system messages --- some username-related
data.
- loginlog is a log of failed login attempts --- all data is
username-related.
/var/log/:
- daemon.info receives messages from telnetd and ftpd,
and other daemon info --- some username-related data.
- nqs receives messages from NQS (batch system) daemon --- apparently
does not log usernames.
- sudo receives messages from sudo --- username-related
data.
- syslog receives many system messages --- some username-related data.
- xferlog receives messages from the FTP daemon --- all data is
username-related.
The following files are cumulative --- nothing has been deleted since
Cosmos was set up (the files are not "rotated"):
System Accounting: acct and pacct
Currently standard Solaris system accounting is running. Each month summary
statistics are tarred up and kept in /var/adm/acct_<date>.tar.
These archives contain significant username-related data. Nothing has
been deleted since November 2000.
/usr/lib/newsyslog
The following files are "rotated" by means of this script:
- xferlog
- messages
- syslog
- daemon.info
- nqs
The default configuration: files are rotated each week and those older
than 5 weeks are deleted. I have changed this: files are now kept for
13 weeks (i.e., 3 months).
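The retention scheme described above (weekly rotation, 13 generations kept), as an added example; it is not the Solaris /usr/lib/newsyslog script or the Cosmos configuration. The function names rotate_log and rotate_all, the numbered-suffix naming and the owner-only mode of the new file are assumptions.

```shell
#!/bin/sh
# Added example, not the Solaris newsyslog script or the Cosmos configuration.
# Assumptions: rotated copies are named <log>.0 (newest) to <log>.<KEEP-1>
# (oldest); rotate_log and rotate_all are hypothetical names.

KEEP=13    # generations kept: one per week, 13 weeks as stated on this page

rotate_log() {
    # usage: rotate_log <directory> <logfile> [generations]
    dir=$1 log=$2 keep=${3:-$KEEP}
    [ -d "$dir" ] || return 1
    [ -f "$dir/$log" ] || return 0          # nothing to rotate

    # Delete the oldest generation, then shift every other one up by one.
    i=$((keep - 1))
    rm -f "$dir/$log.$i"
    while [ "$i" -gt 0 ]; do
        prev=$((i - 1))
        [ -f "$dir/$log.$prev" ] && mv "$dir/$log.$prev" "$dir/$log.$i"
        i=$prev
    done

    # Move the live file aside and start an empty one. The mode is an
    # assumption: owner-only, because these logs hold username-related data.
    # A daemon that keeps the file open must be told to reopen it afterwards.
    mv "$dir/$log" "$dir/$log.0"
    ( umask 077; : > "$dir/$log" )
}

rotate_all() {
    # The five files this page lists as rotated; sudo is not among them.
    # <root> is a prefix for trying this out away from the real /var.
    root=${1:-}
    rotate_log "$root/var/adm" messages
    for f in xferlog syslog daemon.info nqs; do
        rotate_log "$root/var/log" "$f"
    done
}
```

Run once a week, rotate_all leaves each log with its 13 most recent weekly copies and removes anything older.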
About this document:
Produced from the SGML: /home/isd/public_html/_cosmeric/_logging/_reml_grp/index.reml
On: 3/9/2002 at 12:17:30
Options: reml2 -i noindex -l long -o html -p single