Table of Contents
<logdir> is /etc/log for nodes and /logs for NetCache appliances.
Wed Feb 9 17:34:09 GMT [rshd_0:auditlog]: root:OUT:date: Wed Feb 9 17:34:09 GMT 2000
This indicates that there was an rsh session around Wed Feb 9 17:34:09 GMT which caused the date command to be executed. The user performing the command was root. The type of log is data output by the system as indicated by the OUT keyword.
Commands typed at the node's console or executed by rsh are designated by the IN keyword as in:
Wed Feb 9 17:34:03 GMT [rshd_0:auditlog]: :IN:rsh shell: RSH INPUT COMMAND is date
The start and end of an rsh session are specially demarcated as in
Wed Feb 9 17:34:09 GMT [rshd_0:auditlog]: root:START:rsh shell:orbit.eng.mycompany.com
Wed Feb 9 17:34:09 GMT [rshd_0:auditlog]: root:END:rsh shell:
The maximum size of the auditlog file is controlled by the auditlog.max_file_size option. If the file gets to this size, it is rotated (see below).
Every Saturday at 24:00, <logdir>/auditlog is moved to <logdir>/auditlog.0, <logdir>/auditlog.0 is moved to <logdir>/auditlog.1, and so on. This process is called rotation. Auditlog files are saved for a total of six weeks, if they do not overflow.
If you want to forward audit log messages to a remote syslog log host (one that accepts syslog messages via the BSD Syslog protocol specified in RFC 3164), modify the node's /etc/syslog.conf file to forward messages from the node's "local7" facility to the remote host. Do this by adding a line like:
On the log host, you'll need to modify the syslog daemon's configuration file to redirect syslog message traffic from the "local7" facility to the appropriate configuration file. That is typically done by adding a line similar to the one shown above for the node:
Table of Contents