AIX system log files

Hello,

I just want to know the log files for the actions listed below:

  • User Account Creation
  • User Account Deletion
  • Failed and/or Successful User Password Changes
  • Failed Login Activities for all Users
  • System Reboot and/or Shutdown

Help appreciated...

There are no logs as these are single commands which have a return code (and some diagnostic messages in case something goes wrong). You might want to write some script wrapper for them and write a log file yourself.

This is not clear enough. The fact that a password is changed is noted in /etc/security/passwd, a file in stanza format, with a lastupdate= entry. Note that this only pertains to locally authenticated users. LDAP-, Kerberos-, ... -users where the AIX system relies on some external system for the authentication do not have password-information on the system and therefore no password-update-information.

You might want to read up about "LAM" ("loadable authentication modules") for details.

That depends on what you want to know. The lsuser command provides information about the attributes "unsuccessful_login_count", "host_last_unsuccessful_login" and some others (issue lsuser root as root for a complete list of user attributes). You can also configure some authentication mechanisms to use the syslog facilities to write logs. There is nothing out of the box, though, because "authentication" is a loadable, configurable and quasi-external service for AIX.

Is logged in the error log. As a root user enter errpt for an overview and errpt -a for a detailed description of every entry (including shutdown/boot events).

I hope this helps.

bakunin
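
Added example (not part of the original posts): a POSIX shell/awk script that reads the lastupdate entries from a stanza file in the /etc/security/passwd layout mentioned above and lists the local users whose password changed since a given time. The function names and the sample stanzas are constructed for illustration, and lastupdate is taken to be seconds since the epoch.

```sh
#!/bin/sh
# Added example: report password-change times from an AIX-style stanza file.
# Function names and the sample data are constructed for illustration.

# Print "user epoch" for every stanza; "-" when the stanza has no lastupdate.
pw_lastupdate() {
    awk '
        function emit() { if (user != "") print user, (seen ? ts : "-") }
        # Stanza header: a single field ending in ":" (lines starting with * are comments)
        NF == 1 && $1 ~ /:$/ && $1 !~ /^\*/ {
            emit(); user = substr($1, 1, length($1) - 1); seen = 0; next
        }
        $1 == "lastupdate" && $2 == "=" { ts = $3; seen = 1 }
        END { emit() }
    ' "$1"
}

# Print users whose password was last changed at or after epoch $2.
pw_changed_since() {
    pw_lastupdate "$1" |
        awk -v since="$2" '$2 != "-" && $2 + 0 >= since + 0 { print $1 }'
}

# Constructed sample in the stanza layout (not real account data).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
root:
        password = CONSTRUCTED_HASH_1
        lastupdate = 1700000000
        flags =

alice:
        password = CONSTRUCTED_HASH_2
        lastupdate = 1710000000
        flags = ADMCHG

bob:
        password = *
EOF

pw_lastupdate "$sample"                 # every user with its lastupdate value
pw_changed_since "$sample" 1705000000   # users changed since the reference time
```

On a live system the functions would be pointed at /etc/security/passwd as root, and the result covers locally authenticated users only.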

errpt is a good command to use.

Also, for the location of the log file where you can find records of the items listed, look in /var/adm/. In this directory, you'll find most files you need to look into.

Thank you very much, I'll look in this directory and I'll come back to you if I need to know other things...

Thank you for all your replies, I understand AIX system log files more and more...

Hi,

Some of this information can also be found under /var/adm.
But it depends on your system configuration.

User login, logout, failed login, etc:
/var/adm/authlog or who /etc/security/failedlogin

Boot, shutdown, reboot:
Binary file /var/adm/wtmp which can be read by the command last, e.g.: last boot, last reboot, last shutdown

Regards

In my quick scan I missed any mention of syslog.

A lot of user-related activity is kept in the 'auth' log, and much of that also appears in the 'mail' log.

Where that goes, if at all, depends on /etc/syslog.conf

Thank you.