Date: Thu, 16 Jan 2003 18:19:40 +0000
From: Matthew Seaman
To: FreeBSD Questions
Subject: Re: syslog.conf and newsyslog.conf questions

On Thu, Jan 16, 2003 at 11:55:46AM -0500, Louis LeBlanc wrote:
> Recently I got a message on my work machine security check output
> saying that there was a failed login attempt for my id, from an IP
> that seemed a little familiar.  The date of the attempt was January
> 14.  Well, grepping thru /var/log/auth.log, I found the message, but
> it seems it was actually last year.  The IP was familiar because it
> is one I used to have when I had AT&T Broadband as my ISP at home.
> There was a hole in the firewall at work at the time, but it shouldn't
> have been there now.  Anyway, it caused quite a bit of confusion
> before we realized that the security output was only grepping out the
> previous day's entries without using the year - and why should it, they
> aren't even part of the entries.
>
> What I need to do obviously, is get my auth.log to roll from time to
> time.  Preferably on a monthly basis.
>
> The thing is, what, if anything, should I put in the PIDFILE and
> SIGNAL fields to ensure the daemon resumes logging to a new auth.log
> rather than continuing to log to the one that's been rolled and
> possibly compressed?
>
> Here's what I have so far for the entry:
>
>     /var/log/auth.log 640 12 * $M1D0 Z
>
> I'm guessing this is a syslog logfile judging from the
> /etc/syslog.conf entry:
>
>     auth.info;authpriv.info /var/log/auth.log
>
> So, should I provide the path to that pidfile?  I have other entries
> in /etc/newsyslog.conf that correspond to log entries in
> /etc/syslog.conf, but don't have any signal or pidfile info.  Is this
> ok?  It does look like the logs get rolled properly without the need
> for pidfile or signal info, but I want to be sure.

Correct: newsyslog defaults to HUP'ing syslogd if you don't give it an
explicit PID --- otherwise it couldn't recycle most of the log files
in /var/log.  The default newsyslog.conf contains a line for auth.log
anyhow, without any .pid files or signal numbers:

    % grep auth.log /usr/src/etc/newsyslog.conf
    /var/log/auth.log 600 7 100 * Z

Note that you'll probably want the file to be mode 600 and owned by
root:wheel if it's going to receive category authpriv messages.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
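
The confusion described in the quoted question, reproduced as an added example that is not part of the original thread: syslog timestamps carry no year, so a check that matches only on `Jan 14` also reports last year's entry from an unrotated file. The sample log, host, user and addresses are constructed, and the year inference assumes the file is in chronological order with no gap of eleven months or more.

```python
from datetime import date, datetime

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

# Constructed sample: an unrotated auth.log covering two Januaries.
# Host, user and addresses (RFC 5737 documentation range) are made up.
SAMPLE_LOG = """\
Jan 14 09:12:01 host sshd[311]: Failed password for louis from 192.0.2.10 port 1022
Mar  3 02:10:44 host sshd[512]: Accepted password for louis from 192.0.2.77 port 4410
Nov 20 17:45:09 host su: louis to root on /dev/ttyp0
Jan 14 08:30:15 host sshd[204]: Accepted password for louis from 192.0.2.77 port 3391
Jan 15 03:01:00 host sshd[260]: Accepted password for louis from 192.0.2.77 port 3402
""".splitlines()


def naive_match(lines, stamp):
    """Year-blind check: select entries by their 'Mon DD' prefix only."""
    return [l for l in lines if l.startswith(stamp)]


def assign_years(lines, last_year):
    """Attach a year to each entry by walking back from the newest one.

    last_year is the year of the final entry (in practice, taken from the
    file's mtime). Walking backwards, a month number that goes up means a
    New Year boundary was crossed, so the year drops by one.
    """
    dated, year, prev_month = [], last_year, None
    for line in reversed(lines):
        month = MONTHS[line[:3]]
        if prev_month is not None and month > prev_month:
            year -= 1
        prev_month = month
        hh, mm, ss = (int(x) for x in line[7:15].split(":"))
        dated.append((datetime(year, month, int(line[4:6]), hh, mm, ss), line))
    return dated[::-1]  # back to file order


def entries_on(lines, day, last_year):
    """Entries whose inferred full date equals day (a datetime.date)."""
    return [l for ts, l in assign_years(lines, last_year) if ts.date() == day]


if __name__ == "__main__":
    print(len(naive_match(SAMPLE_LOG, "Jan 14")), "year-blind matches")
    for l in entries_on(SAMPLE_LOG, date(2003, 1, 14), 2003):
        print(l)
```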