On Thu, Jan 16, 2003 at 11:55:46AM -0500, Louis LeBlanc wrote:

> Recently I got a message on my work machine security check output
> saying that there was a failed login attempt for my id, from an IP
> that seemed a little familiar.  The date of the attempt was January
> 14.  Well, grepping thru /var/log/auth.log, I found the message, but
> it seems it was actually last year.  The IP was familiar because it
> is one I used to have when I had AT&T Broadband as my ISP at home.
> There was a hole in the firewall at work at the time, but it shouldn't
> have been there now.  Anyway, it caused quite a bit of confusion
> before we realized that the security output was only grepping out the
> previous days entries without using the year - and why should it, they
> aren't even part of the entries.
> 
> What I need to do obviously, is get my auth.log to roll from time to
> time.  Preferably on a monthly basis.
> 
> The thing is, what, if anything, should I put in the PIDFILE and
> SIGNAL fields to ensure the daemon resumes logging to a new auth.log
> rather than continuing to log to the one that's been rolled and
> possibly compressed?
> 
> Here's what I have so far for the entry:
> 
> /var/log/auth.log            640  12    *    $M1D0 Z
> 
> I'm guessing this is a syslog logfile judging from the
> /etc/syslog.conf entry:
> 
> auth.info;authpriv.info                         /var/log/auth.log
> 
> So, should I provide the path to that pidfile?  I have other entries
> in /etc/newsyslog.conf that correspond to log entries in
> /etc/syslog.conf, but don't have any signal or pidfile info.  Is this
> ok?  It does look like the logs get rolled properly without the need
> for pidfile or signal info, but I want to be sure.

Correct: newsyslog defaults to HUP'ing syslogd if you don't give it an
explicit PID --- otherwise it couldn't recycle most of the log files
in /var/log. The default newsyslog.conf contains a line for auth.log
anyhow, without any .pid files or signal numbers:

    % grep auth.log /usr/src/etc/newsyslog.conf
    /var/log/auth.log                       600  7     100  *     Z

Note that you'll probably want the file to be mode 600 and owned by
root:wheel if it's going to receive category authpriv messages.

        Cheers,

        Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message

Reply via email to