IBM Books

Administration Guide


Installing and configuring error log management

Log management functions are built upon the Sysctl facility, which uses the SP security services. How you configure log management, and how users obtain authorization, differs depending on whether you use DCE or Kerberos V4.

Configuring log management with DCE authentication

When using DCE authentication, a user of log management can obtain authorization by using the dce_login command with a DCE principal that is a member of the sysctl-logmgt group. The user can also be authorized by some other entry added to the DCE ACL for the /etc/logmgt.acl file by an SP security administrator who is a member of the spsec-admin group. For related information see Managing access by group membership, Managing access using ACL files, and Sysctl files.

Configuring log management with Kerberos V4 authentication

When using Kerberos V4 authentication, the user must issue the k4init command to be identified to the SP authentication services before generating parallel AIX Error Log and BSD syslog reports or viewing any logs. All other log management commands additionally require that the user be defined as a principal in the /etc/logmgt.acl file. Every user defined in /etc/logmgt.acl must also be defined as a principal in the authentication (PSSP Kerberos V4 or AFS) database. (Refer to Adding principals and assigning initial passwords for more information.) Note that most log management functions are administrative tasks that normally require root authority, and that a user defined in the logmgt.acl file executes commands as the root user.

The following is an example of an /etc/logmgt.acl file:

#acl#
# This sample acl file for log management commands contains
# a commented line for a principal
#_PRINCIPAL root.admin@HPSSL.KGN.IBM.COM
# for trimming SPdaemon.log by cleanup.logs.ws
_PRINCIPAL rcmd.k7s

For related information see Managing access by group membership, Managing access using ACL files, and Sysctl files.
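
As an added example (not part of the IBM guide), the following shell functions audit a file in the format of the sample above: they list the active principals, which are the identities that run log management commands as root, flag lines that are neither comments nor well-formed _PRINCIPAL entries, and report ACL principals that are missing from a list of authentication database principals. The one-principal-per-line database list, the operator.admin name, and the malformed _PRINCIPLE line are constructed assumptions for the demonstration.

```shell
#!/bin/sh
# Added example: audit a log management ACL file in the format of the sample above.

# Print each active principal, one per line. Commented-out entries
# (such as "#_PRINCIPAL root.admin@...") are not active and are skipped.
acl_principals() {
    awk '/^[ \t]*#/ || /^[ \t]*$/ { next }
         $1 == "_PRINCIPAL" && NF == 2 { print $2 }' "$1"
}

# Print "line-number: text" for lines that are not a comment, a blank line,
# or a well-formed _PRINCIPAL entry, so typos are reviewed rather than ignored.
acl_unrecognized() {
    awk '/^[ \t]*#/ || /^[ \t]*$/ { next }
         $1 == "_PRINCIPAL" && NF == 2 { next }
         { print NR ": " $0 }' "$1"
}

# Print ACL principals absent from a list of database principals.
# $2 is an assumed one-principal-per-line export, not a real tool's output.
acl_missing_from_db() {
    acl_principals "$1" | while read -r p; do
        grep -Fqx -- "$p" "$2" || echo "$p"
    done
}

# Constructed sample input: the ACL from the text plus one malformed line.
write_sample() {
    cat > "$1" <<'EOF'
#acl#
# This sample acl file for log management commands contains
# a commented line for a principal
#_PRINCIPAL root.admin@HPSSL.KGN.IBM.COM
# for trimming SPdaemon.log by cleanup.logs.ws
_PRINCIPAL rcmd.k7s
_PRINCIPLE operator.admin
EOF
}

demo_dir=$(mktemp -d)
write_sample "$demo_dir/logmgt.acl"
printf '%s\n' root.admin > "$demo_dir/db_principals"   # constructed list
echo "Run-as-root principals:"; acl_principals "$demo_dir/logmgt.acl"
echo "Unrecognized lines:";     acl_unrecognized "$demo_dir/logmgt.acl"
echo "Not in database list:";   acl_missing_from_db "$demo_dir/logmgt.acl" "$demo_dir/db_principals"
rm -rf "$demo_dir"
```

On the constructed input, only rcmd.k7s is reported as active: the root.admin entry is commented out and the misspelled _PRINCIPLE line is flagged for review instead of being counted.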

Configuring Sysctl for log management

The log management server functions executed by Sysctl are located in /usr/lpp/ssp/sysctl/bin/logmgt.cmds. During system installation, an include statement for this file is added to the default Sysctl configuration file /etc/sysctl.conf. If you use an alternate Sysctl configuration file, you must update the file with a statement to include the logmgt.cmds file. In addition, you must restart the sysctld daemon to pick up this change. See Chapter 6, Controlling remote execution by using Sysctl for a description of the Sysctl function, ACL and AUTH callback authorizations, using an alternate Sysctl configuration file, and other Sysctl configuration information.

