====== Syslog ======
If the server does not act as a central syslog server, suppress the logging of messages
originating from remote servers:
chssys -s syslogd -a "-r"
In addition to the error log (errlog, read with errpt), you can activate the syslog daemon to collect more system logs. The log files are in text format.
Add the following lines in /etc/syslog.conf
[aix-srv@root] /root# cat /etc/syslog.conf
*.emerg /var/log/syslog/emerg.log rotate size 100k files 4 compress
*.alert /var/log/syslog/alert.log rotate size 100k files 4 compress
*.crit /var/log/syslog/crit.log rotate size 100k files 4 compress
*.err /var/log/syslog/error.log rotate size 100k files 4 compress
*.warning /var/log/syslog/warning.log rotate size 100k files 4 compress
*.notice /var/log/syslog/notice.log rotate size 100k files 4 compress
*.info /var/log/syslog/info.log rotate size 100k files 4 compress
*.debug /var/log/syslog/debug.log rotate size 100k files 4 compress
To get only **login** information (telnet, ssh, console...), add the following lines to /etc/ssh/sshd_config:
SyslogFacility AUTH
LogLevel INFO
And add the following line in syslog.conf:
auth,authpriv.debug /var/log/syslog/auth.log rotate size 500k files 4 compress
Rotate based on time (1 week):
*.err;kern.debug;daemon.notice;mail.crit /var/adm/messages rotate time 1w files 5
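Create empty files for the logs, because syslogd does not create them automatically. Only destinations that are file paths are selected, so entries such as "*", "@syslogserver" or a user name are not expanded or created as files in the current directory:
[aix-srv@root] /root# mkdir -p /var/log/syslog
[aix-srv@root] /root# for file in $(awk '$1 !~ /^#/ && $2 ~ /^\// {print $2}' /etc/syslog.conf)
do
touch "$file"
done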
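A more defensive version of the file-creation step, as an added example that is not part of the original page: it selects only the file destinations in syslog.conf and creates them with mode 0640 so that logs such as auth.log are not world-readable, then reports any destination that is. The function names, the optional root prefix and the sample configuration are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page; function names are hypothetical.

# Write a constructed sample syslog.conf (AIX-style lines) to the path in $1.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample
*.err /var/log/syslog/error.log rotate size 100k files 4 compress
auth,authpriv.debug /var/log/syslog/auth.log rotate size 500k files 4 compress
*.err;kern.debug;daemon.notice;mail.crit /var/adm/messages rotate time 1w files 5
*.debug @syslogserver
*.emerg *
*.err root
EOF
}

# Print only file destinations (field 2 starting with "/"); comments,
# @host forwards, "*" and user names are skipped.
syslog_file_targets() {
    awk 'NF >= 2 && $1 !~ /^#/ && $2 ~ /^\// { print $2 }' "$1" | sort -u
}

# Create each missing destination: directory 0750, file 0640.
# $2 is an optional root prefix (assumption) for trying this outside /var/log.
create_syslog_files() {
    syslog_file_targets "$1" | while IFS= read -r f; do
        target="${2:-}$f"
        [ -d "$(dirname "$target")" ] || mkdir -p -m 750 "$(dirname "$target")"
        if [ ! -e "$target" ]; then
            ( umask 027; : > "$target" )
            echo "created $target"
        fi
    done
}

# Print existing destination files that are readable by "other".
world_readable_syslog_files() {
    syslog_file_targets "$1" | while IFS= read -r f; do
        [ -f "${2:-}$f" ] || continue
        case $(ls -ld "${2:-}$f" | cut -c8) in
            r) echo "${2:-}$f" ;;
        esac
    done
}

# Demo on the constructed sample under a throwaway root.
demo=$(mktemp -d)
write_sample_conf "$demo/syslog.conf"
create_syslog_files "$demo/syslog.conf" "$demo"
rm -rf "$demo"
```

On a real system, call `create_syslog_files /etc/syslog.conf` without the second argument, then `world_readable_syslog_files /etc/syslog.conf` to list files that already existed with looser permissions.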
Uncomment the entry for syslogd in /etc/rc.tcpip, or use the following command; then restart syslogd:
[aix-srv@root] /root# chrctcp -S -a syslogd
[aix-srv@root] /root# stopsrc -s syslogd; startsrc -s syslogd
[aix-srv@root] /root# lssrc -ls syslogd
Subsystem Group PID Status
syslogd ras 3997822 active
Syslogd Config aso.notice /var/log/aso/aso.log rotate size 128k time 7d
Syslogd Config aso.info /var/log/aso/aso_process.log rotate size 1024k
Syslogd Config aso.debug /var/log/aso/aso_debug.log rotate size 8m compress
Syslogd Config *.emerg /var/log/syslog/emerg.log rotate size 100k files 4 compr
Syslogd Config *.alert /var/log/syslog/alert.log rotate size 100k files 4 compr
....
[aix-srv@root] /root# logger -p daemon.err "test"
[aix-srv@root] /root# tail -5 /var/log/syslog/error.log
....
Mar 8 09:31:04 nim daemon:panic|emerg root: test
Other parameters available: redirect debug to a syslog server, redirect emerg to the console for all logged in users, redirect err to the root console:
[aix-srv@root] /root# cat /etc/syslog.conf
*.debug @syslogserver
*.emerg *
*.err root
AIX error report test:
[aix-srv@root] /root# errlogger "This is a test"
[aix-srv@root] /root# errpt
IDENTIFIER TIMESTAMP T C RESOURCE_NAME DESCRIPTION
AA8AB241 0308094013 T O OPERATOR OPERATOR NOTIFICATION
If you want to prevent other servers from sending messages to the local syslog, use the option "-r". The local server can still send its own syslog information to another server.
Change the syslog entry in /etc/rc.tcpip:
start /usr/sbin/syslogd "$src_running" "-r"
To start syslog with option -r, use the following command:
[aix-srv@root] /root# startsrc -s syslogd -a "-r"
[aix-srv@root] /root# ps -ef | grep syslog
root 6029434 3277000 0 11:26:43 - 0:00 /usr/sbin/syslogd -r
[aix-srv@root] /root# lssrc -ls syslogd
Subsystem Group PID Status
syslogd ras 6029434 active
Syslogd Config aso.notice /var/log/aso/aso.log rotate size 128k time 7d
Syslogd Config aso.info /var/log/aso/aso_process.log rotate size 1024k
Syslogd Config *.emerg /var/log/syslog/emerg.log rotate size 100k files 4 compr
Syslogd Config *.alert /var/log/syslog/alert.log rotate size 100k files 4 compr
Syslogd Config *.crit /var/log/syslog/crit.log rotate size 100k files 4 compres
Syslogd Config *.err /var/log/syslog/error.log rotate size 100k files 4 compres
Syslogd Config *.warning /var/log/syslog/warning.log rotate size 100k files 4 c
Syslogd Config *.notice /var/log/syslog/notice.log rotate size 100k files 4 com
Syslogd Config *.info /var/log/syslog/info.log rotate size 100k files 4 compres
Syslogd Config *.debug /var/log/syslog/debug.log rotate size 100k files 4 compr
Syslogd Config mail.debug /var/log/syslog/mail.log rotate size 100k files 4 com
Syslogd Config auth.info /var/log/syslog/ssh.log rotate size 300k files 4 compr
==== Redirect errorlog in syslog ====
Create an ODM entry to run the "logger" command whenever an error is logged.
[aix-srv@root] /root# vi /tmp/syslog.add
errnotify:
en_name="syslog1"
en_persistenceflg = 1
en_method = "logger -p err Msg from Error Log: $(errpt -a -l $1 | grep -v 'ERROR_ID TIMESTAMP')"
Add the entry to ODM
[aix-srv@root] /root# odmadd /tmp/syslog.add
Add a syslog entry to forward “err” priority messages to syslog
[aix-srv@root] /root# vi /etc/syslog.conf
*.err @syslogserver
Refresh the syslog daemon to pick up the new entry
[aix-srv@root] /root# refresh -s syslogd
To reduce the length of the lines in the syslog output, use this method instead:
en_method = "logger -p err AIXErrptLog: $(errpt -a -l $1 | grep -v '\\--------')"
===== Syslog-ng =====
# cat /etc/syslog-ng/syslog-ng.conf
@version:3.2
@include "scl.conf"
# sample configuration file for syslog-ng on AIX
# users should customize to fit their needs
#
# log syslog-ng's own messages to /var/log/syslog-ng.log
source s_oracle_apexd {
file ("/oracle/diag/rdbms/apexd/apexd/trace/alert_apexd.log");
file ("/oradata/apexd/log/adump/syslog_sys_audit.txt");
};
source s_oracle_rmancat {
file ("/oracle/diag/rdbms/rmancat/rmancat/trace/alert_rmancat.log");
};
source s_root_audit {
file ("/audit/stream.out");
};
source s_oracle_msg {
file ("/var/log/messages");
file ("/var/log/syslog/warning.log");
file ("/var/log/syslog/ftp_logging.log");
file ("/var/log/syslog/auth.log");
};
source s_oracle_sys {
unix-dgram("/dev/log");
internal();
};
# tcp ("10.10.10.10" port(514));
destination d_oracle_apexd {
udp ("10.10.10.10" port(514) template("<$PRI> $DATE $HOST apexd $MSG\n"));
};
destination d_oracle_rmancat {
udp ("10.10.10.10" port(514) template("<$PRI> $DATE $HOST rmancat $MSG\n"));
};
destination d_root_audit {
udp("10.10.10.10" port(514));
};
source s_internal {
internal();
};
destination d_syslognglog {
file("/var/log/syslog-ng.log" owner("root") group("adm") perm(0640));
};
log {
source(s_internal);
destination(d_syslognglog);
};
# log everything to /var/log/messages
source s_local {
unix-dgram("/dev/log");
};
destination d_messages {
file("/var/log/messages" owner("root") group("adm") perm(0640));
};
log {
source(s_local);
destination(d_messages);
};
destination d_oracle_sys { udp("172.21.160.239" port(514)); };
# Remote logging
#
#source s_remote {
# tcp(ip(0.0.0.0) port(514));
# udp(ip(0.0.0.0) port(514));
#};
#
#destination d_separatedbyhosts {
# file("/var/log/syslog-ng/$HOST/messages" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes));
#};
#
#log {
# source(s_remote);
# destination(d_separatedbyhosts);
#};
#
# Local filters examples
#
#filter f_secure { facility(authpriv); };
#filter f_mail { facility(mail); };
#filter f_cron { facility(cron); };
#filter f_emerg { level(emerg); };
#filter f_spooler { level(crit..emerg) and facility(uucp, news); };
#filter f_local7 { facility(local7); };
filter f_messages { level(warning..emerg); };
filter f_auth { facility(auth,authpriv); };
filter f_emergency { level(emerg); };
filter f_kernel { facility(kern); };
#
# Local destination examples
#
#destination d_secure { file("/var/log/secure"); };
#destination d_maillog { file("/var/log/maillog"); };
#destination d_cron { file("/var/log/cron"); };
#destination d_console { usertty("root"); };
#destination d_spooler { file("/var/log/spooler"); };
#destination d_bootlog { file("/var/log/boot.log"); };
#
# Local log examples - order DOES matter !
#
#log { source(s_local); filter(f_emerg); destination(d_console); };
#log { source(s_local); filter(f_secure); destination(d_secure); flags(final); };
#log { source(s_local); filter(f_mail); destination(d_maillog); flags(final); };
#log { source(s_local); filter(f_cron); destination(d_cron); flags(final); };
#log { source(s_local); filter(f_spooler); destination(d_spooler); };
#log { source(s_local); filter(f_local7); destination(d_bootlog); };
#log { source(s_local); filter(f_messages); destination(d_messages); };
log { source(s_oracle_apexd); destination(d_oracle_apexd); };
log { source(s_oracle_rmancat); destination(d_oracle_rmancat); };
log { source(s_oracle_sys); filter(f_kernel); destination(d_oracle_sys); };
log { source(s_oracle_sys); filter(f_auth); destination(d_oracle_sys); };
log { source(s_oracle_sys); filter(f_emergency); destination(d_oracle_sys); };
log { source(s_oracle_sys); filter(f_messages); destination(d_oracle_sys); };
log {
source (s_oracle_msg);
destination (d_oracle_sys);
};
log {
source (s_root_audit);
destination (d_root_audit);
};