syslog rule group is running on AIX but not seeing any failed login, failed su or other alerts for this group (NETIQKB49140)

  • 7749140
  • 02-Feb-2007
  • 16-Apr-2012

Resolution

fact
VigilEnt Security Agent for Unix 5.0+

symptom
syslog rule group is running on AIX but not seeing any failed login, failed su or other alerts for this group

fix

Once it has been verified that the syslog group is running on the system, look at the rule Group:syslog entries in the Unix Manager console. If the rules are not enabled, enable them and then send the rule set to the host. If they are enabled, check whether syslog is configured on the AIX system.

1) Log in as root.

2) View /etc/syslog.conf to see if system logging is enabled. Usually this will be at the bottom of the
    file, below all the lines beginning with # (which are comments). The entries will look something like:

          *.debug /usr/adm/messages

    By default AIX doesn't have system logging turned on at all, so even if the rules are enabled, alerts
    will not get generated. There are many, many ways to configure system logging, so please refer to
    the OS system administrator for detailed instructions if needed.

3) If there are entries for logging to a file, check that syslogd is running and that there is free space
    in the syslog and VSAU file systems.

4) If logging needs to be turned on in the OS:

a) edit syslog.conf and add an entry similar to: *.info /usr/adm/messages
    > use one or more tab characters after *.info, not spaces
    > specify /usr/adm/messages as the log file. The default Group:syslog is set up to look there.
        If needed, the location where the rule group looks for syslog messages can be changed by
        editing the rule group's Event Source.

b) key in: touch /usr/adm/messages
    > the file must be created before syslogd will write to it

c) key in: kill -HUP {syslogd_pid}
    > From this point, if there is space in the file system and syslogd has been restarted (-HUP),
    alerts should start being generated.
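The checks in steps 2 through 4 above, as an added example script that is not part of the original KB article or of the VSAU product: it inspects a syslog.conf for an active entry that logs to the file the Group:syslog rule group watches and flags the spaces-instead-of-tabs mistake noted in 4a; a second function runs the live-host checks from steps 3 and 4b. The sample syslog.conf files are constructed for illustration, and the function names (check_syslog_conf, check_host, write_sample) are this example's own.

```sh
#!/bin/sh
# Added example (not from the NetIQ KB or the VSAU product): checks that mirror steps 2-4.
# Function and file names are this example's own; paths default to those in the article.

# check_syslog_conf CONF LOGFILE
# Returns 0 if an active (uncommented) entry logs to LOGFILE with TAB(s) between
# selector and action, 1 if an entry exists but uses spaces (step 4a), 2 if none.
check_syslog_conf() {
    conf="$1"; logfile="$2"
    tab="$(printf '\t')"
    # Drop comment lines (commented-out entries are not active), keep lines naming LOGFILE
    matches=$(grep -v '^[[:space:]]*#' "$conf" | grep -F "$logfile" || :)
    if [ -z "$matches" ]; then
        echo "no active syslog.conf entry logs to $logfile (step 2: logging is off)"
        return 2
    fi
    # A valid entry is <selector><TAB...><action>, e.g. "*.info<TAB>/usr/adm/messages"
    if printf '%s\n' "$matches" | grep -q "^[^[:space:]]*${tab}${tab}*${logfile}[[:space:]]*$"; then
        echo "ok: $matches"
        return 0
    fi
    echo "entry found but selector and action are not separated by tabs: $matches"
    return 1
}

# check_host LOGFILE: the live-host checks from steps 3 and 4b (run as root on the AIX box)
check_host() {
    logfile="$1"
    if ps -e | grep -q '[s]yslogd'; then echo "syslogd is running"; else echo "syslogd is NOT running"; fi
    if [ -f "$logfile" ]; then echo "$logfile exists"; else echo "$logfile missing: touch it, then kill -HUP syslogd"; fi
    df -k "$(dirname "$logfile")"   # free space in the file system holding the log
}

# write_sample NAME LINE...: write constructed syslog.conf lines to a temp file and print its path
write_sample() {
    f="${TMPDIR:-/tmp}/syslog_sample.$1.$$"; shift
    printf '%s\n' "$@" > "$f"
    echo "$f"
}

# Demo on constructed files (run with: sh check_syslog.sh demo); check_host needs a real host
if [ "${1-}" = "demo" ]; then
    tab="$(printf '\t')"
    for f in "$(write_sample good '# comment' "*.info${tab}/usr/adm/messages")" \
             "$(write_sample spaces '*.info /usr/adm/messages')" \
             "$(write_sample none '# logging not configured')"; do
        check_syslog_conf "$f" /usr/adm/messages; rm -f "$f"
    done
fi
```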

If still having issues, contact NetIQ Technical Support.



Additional Information

Formerly known as NETIQKB49140