Date:      Thu, 16 Jan 2003 18:19:40 +0000
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        FreeBSD Questions <freebsd-questions@FreeBSD.ORG>
Subject:   Re: syslog.conf and newsyslog.conf questions
Message-ID:  <20030116181940.GC23690@happy-idiot-talk.infracaninophi>
In-Reply-To: <20030116165546.GB6646@keyslapper.org>
References:  <20030116165546.GB6646@keyslapper.org>

On Thu, Jan 16, 2003 at 11:55:46AM -0500, Louis LeBlanc wrote:

> Recently I got a message on my work machine security check output
> saying that there was a failed login attempt for my id, from an IP
> that seemed a little familiar.  The date of the attempt was January
> 14.  Well, grepping thru /var/log/auth.log, I found the message, but
> it seems it was actually last year.  The IP was familiar because it
> is one I used to have when I had AT&T Broadband as my ISP at home.
> There was a hole in the firewall at work at the time, but it shouldn't
> have been there now.  Anyway, it caused quite a bit of confusion
> before we realized that the security output was only grepping out the
> previous day's entries without using the year - and why should it, they
> aren't even part of the entries.
> 
> What I need to do obviously, is get my auth.log to roll from time to
> time.  Preferably on a monthly basis.
> 
> The thing is, what, if anything, should I put in the PIDFILE and
> SIGNAL fields to ensure the daemon resumes logging to a new auth.log
> rather than continuing to log to the one that's been rolled and
> possibly compressed?
> 
> Here's what I have so far for the entry:
> 
> /var/log/auth.log            640  12    *    $M1D0 Z
> 
> I'm guessing this is a syslog logfile judging from the
> /etc/syslog.conf entry:
> 
> auth.info;authpriv.info                         /var/log/auth.log
> 
> So, should I provide the path to that pidfile?  I have other entries
> in /etc/newsyslog.conf that correspond to log entries in
> /etc/syslog.conf, but don't have any signal or pidfile info.  Is this
> ok?  It does look like the logs get rolled properly without the need
> for pidfile or signal info, but I want to be sure.

Correct: newsyslog defaults to HUP'ing syslogd if you don't give it an
explicit PID --- otherwise it couldn't recycle most of the log files
in /var/log. The default newsyslog.conf contains a line for auth.log
anyhow, without any .pid files or signal numbers:

    % grep auth.log /usr/src/etc/newsyslog.conf
    /var/log/auth.log                       600  7     100  *     Z

Note that you'll probably want the file to be mode 600 and owned by
root:wheel if it's going to receive category authpriv messages.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
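
The following is an added example, not part of the original message or of FreeBSD itself: a small audit that finds every file syslog.conf routes authpriv messages to and checks its newsyslog.conf entry for rotation and for a mode no wider than 600. The function names are hypothetical, the sample lines are the ones quoted in this thread, and a missing pid file field is treated as "newsyslog signals syslogd", as the reply states.

```python
# Added example; function names are hypothetical, sample lines come from the thread.
def authpriv_files(syslog_conf):
    """Return the file paths that syslog.conf routes authpriv messages to."""
    paths = set()
    for line in syslog_conf.splitlines():
        line = line.strip()
        if not line or line[0] in "#!+":      # comments, program and host blocks
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or not parts[1].startswith("/"):
            continue                          # only plain file actions matter here
        receives = False
        for sel in parts[0].split(";"):       # a later selector overrides an earlier one
            facs, _, level = sel.rpartition(".")
            if {"authpriv", "*"} & set(facs.split(",")):
                receives = level.lstrip("!<=>") != "none"
        if receives:
            paths.add(parts[1].strip())
    return paths

def rotation_entries(newsyslog_conf):
    """Map logfile -> (mode, pidfile or None) from newsyslog.conf text."""
    entries = {}
    for line in newsyslog_conf.splitlines():
        f = line.split("#", 1)[0].split()
        if len(f) < 5 or not f[0].startswith("/"):
            continue
        if ":" in f[1]:                       # optional owner:group field
            del f[1]
        pid = next((x for x in f[5:] if x.startswith("/")), None)
        entries[f[0]] = (int(f[1], 8), pid)   # pid None: syslogd gets the HUP
    return entries

def audit(syslog_conf, newsyslog_conf):
    """Return (path, problem) pairs for files that receive authpriv messages."""
    rot = rotation_entries(newsyslog_conf)
    findings = []
    for path in sorted(authpriv_files(syslog_conf)):
        if path not in rot:
            findings.append((path, "no newsyslog.conf entry"))
        elif rot[path][0] & 0o077:
            findings.append((path, "mode %03o grants group/other access" % rot[path][0]))
    return findings

SYSLOG = "auth.info;authpriv.info                         /var/log/auth.log"
ASKED = "/var/log/auth.log            640  12    *    $M1D0 Z"
DEFAULT = "/var/log/auth.log                       600  7     100  *     Z"

if __name__ == "__main__":
    print(audit(SYSLOG, ASKED), audit(SYSLOG, DEFAULT))
```
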
