System Logging across different UNIX systems

This post provides brief differences in the log file locations used for System Logging of the most common versions of UNIX (Solaris, AIX, Red Hat Linux and HP-UX).

Default syslog output /var/adm/messages /var/log/syslog /tmp or none /var/log/messages /var/log/secure /var/log/boot.log /var/adm/syslog/mail.log /var/adm/syslog/syslog.log
System accounting (login and process) /var/adm/utmpx /var/adm/wtmpx /var/adm/pacct /etc/utmp /var/adm/wtmp /var/adm/pacct /var/run/utmp /var/log/wtmp /var/account/pacct /var/adm/utmp /var/adm/wtmp /var/adm/pacct
Login Errors /var/adm/loginlog /var/log/sulog /etc/security/failedlogin /var/adm/sulog /var/log/btmp /var/log/messages /var/adm/lastb /var/adm/sulog

Additional Inforamtion

All systems can log the same type of information, although sometimes the filenames and directory locations differ. There are several facilities that could generate messages of eight levels from debug to emerg (man syslogd for more information on the facilities and levels). The information collected by syslog is a valuable resource in determining the health of the system, and when reviewed regularly can provide an advance warning for some types of attacks.

AIX is the only system that does not log any syslog information by default, so the configuration file (/etc/syslog.conf) should be modified to start logging interesting events immediately after system installation. It should be noted that syslogd will not write to a file that does not exist, so the log files should be touch'ed to start logging after any syslog.conf configuration changes. The minimum syslog.conf changes to log debug mail messages to mail_log, error messages (and higher) to errorlog, informational messages (and higher) to syslog and broadcasting critical messages to all logged in users, would consist of something like this:

mail.debug /var/log/mail_log
*.crit *
*.err /var/log/errorlog
*.info /var/log/syslog

Additional syslog.conf configuration suggestions for AIX are made in the IBM online tutorial Securing AIX Network Services

To improve security on all of the discussed systems, the syslog UDP port (514) should be blocked at the firewall in order to reduce the likelihood of a buffer overflow attack or other vulnerability, and remote logging should be disabled unless the host acts as a central log server.