Problem with logrotation

Hi,

I have been trying to configure log rotation for the OS version Solaris 10; however, it is not working.
In Linux, these would be the parameters:

rotate 4
missingok
notifempty
compress
size 15M
create 0644 root root

To do the same in Solaris, I am not sure of the exact parameters to use to match the ones above, but the basic configuration I did was:

# vi /etc/logadm.conf 

#### SIEM logs #####
/var/log/dbaudit.log -C 4 -s 15m

However, after I restart syslog:

# svcadm restart system/system-log

I still do not see dbaudit.log generated in /var/log. All the logging goes to audit.log. How do I prevent this, and instead make the logs generate in dbaudit.log?
I want to force logrotation to see if it works:

# logadm -p now /var/log/dbaudit.log

But if the log is not even there, how do I logrotate?

This is the syslog.conf file:

root@edms # less /etc/syslog.conf
#ident  "@(#)syslog.conf        1.5     98/12/14 SMI"   /* SunOS 5.0 */
#
# Copyright (c) 1991-1998 by Sun Microsystems, Inc.
# All rights reserved.
#
# syslog configuration file.
#
# This file is processed by m4 so be careful to quote (`') names
# that match m4 reserved words.  Also, within ifdef's, arguments
# containing commas must be quoted.
#
*.err;kern.notice;auth.notice                   /dev/sysmsg
*.err;auth.info;kern.debug;daemon.notice;mail.crit      /var/adm/messages

*.alert;kern.err;daemon.err                     operator
*.alert                                         root
local1.warn                                     /var/log/audit.log
local1.warning                                  /var/log/dbaudit.log
*.info;auth.info                                @loghost
*.emerg                                         *

# if a non-loghost machine chooses to have authentication messages
# sent to the loghost machine, un-comment out the following line:
#auth.notice                    ifdef(`LOGHOST', /var/log/authlog, @loghost)

mail.debug                      ifdef(`LOGHOST', /var/log/syslog, @loghost)

#
# non-loghost machines will use the following lines to cause "user"
# log messages to be logged locally.
#
ifdef(`LOGHOST', ,
user.err                                        /dev/sysmsg
user.err                                        /var/adm/messages
user.alert                                      `root, operator'
user.emerg                                      *
)

############# SIEM testing purpose ###################
.       @10.89.4.233
######################################################
(END)

First of all, the /etc/syslog.conf file needs TABs to separate columns, not space characters.
Test with

grep '^[^#].*  ' /etc/syslog.conf

The output must be empty. Otherwise, correct it with a text editor
(vi has the useful commands :set list and :set nolist).

Maybe syslogd does not create its log files. Manually create it with

touch /var/log/dbaudit.log

Restart syslogd.
Look at who has opened the file with

fuser /var/log/dbaudit.log

It must be syslogd.

The logadm is optional.
I think it only rotates if the target file is present.
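
The two checks from the reply above (TAB separation and the log file having to exist), combined into one lint function. This is an added example, not code from anyone in the thread; the function name lint_syslog_conf and its optional ROOT prefix argument are hypothetical, and it assumes a POSIX shell (on Solaris 10 that is /usr/xpg4/bin/sh or ksh, not the legacy /bin/sh).

```shell
#!/bin/sh
# Added example: lint a syslog.conf for the two problems discussed above.
# lint_syslog_conf FILE [ROOT]  -> prints findings, returns 1 if there are any.
# ROOT is a hypothetical optional prefix for file actions (for offline tests).
lint_syslog_conf() {
    conf=$1 root=${2:-} rc=0 n=0
    tab=$(printf '\t')
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        # Skip blanks, comments and the m4 ifdef( ... ) wrapper lines.
        case $(printf '%s' "$line" | tr -d ' \t') in
            ''|'#'*|'ifdef('*|')'*) continue ;;
        esac
        # The selector and action columns must be separated by TABs.
        case $line in
            *"$tab"*) ;;
            *) echo "line $n: selector and action not TAB-separated"; rc=1
               continue ;;
        esac
        action=${line##*"$tab"}
        # Flag plain-file actions whose target does not exist yet
        # (device nodes, @host, user names and m4 macros are skipped).
        case $action in
            /dev/*) ;;
            /*) [ -f "$root$action" ] || {
                    echo "line $n: $action missing, create it with touch"; rc=1
                } ;;
        esac
    done < "$conf"
    return $rc
}

# Constructed sample (not the poster's file), checked under a scratch root.
demo=$(mktemp -d)
mkdir -p "$demo/var/log"
touch "$demo/var/log/audit.log"
printf '# sample\nlocal1.warn\t\t/var/log/audit.log\n' > "$demo/syslog.conf"
printf 'local1.warning\t/var/log/dbaudit.log\n' >> "$demo/syslog.conf"
printf 'local2.info    /var/log/spaces.log\n' >> "$demo/syslog.conf"
lint_syslog_conf "$demo/syslog.conf" "$demo" || true
rm -rf "$demo"
```

On a live system the call would be lint_syslog_conf /etc/syslog.conf with no second argument.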

Ok, the logs are generated after I touch dbaudit.log.
And the output of

grep '^[^#].*  ' /etc/syslog.conf

is empty.

However, now how do I make logrotation work?

I tried running the command

logadm -p now /var/log/dbaudit.log

however, the logs are not rotated:

-rw-r--r--   1 root     root     41236362 Feb 18 09:48 audit.log
-rw-r--r--   1 root     root       10507 Feb 18 09:48 dbaudit.log
root@edms # pwd
/var/log
root@edms #

The -p now overrides a -p in /etc/logadm.conf or the default -p 1w,
but you also need -s 0b to override a -s in /etc/logadm.conf or the default -s 1b.