topic Re: Event logging in Operating System - HP-UX

Event logging

T Raeuchle — Mon, 08 Aug 2005 10:09:18 GMT

Is there a logging mechanism that I can turn on that records events such as user login/logout, failed logins, file access, etc.

Thanks

TR

Re: Event logging

Pete Randall — Mon, 08 Aug 2005 10:15:04 GMT

Check out the last and lastb commands.

Pete

Re: Event logging

Rick Garland — Mon, 08 Aug 2005 10:19:22 GMT

This is enabled by default - check out the last, lastb commands.

Will tell you who logged in when and you failed to login and when.

For su access, look at the /var/adm/sulog

Re: Event logging

Florian Heigl (new acc) — Mon, 08 Aug 2005 10:22:54 GMT

Look for the manuals on the HP-UX trusted system operating mode, this is the way to gather all the data You listed.

Re: Event logging

generic_1 — Mon, 08 Aug 2005 10:41:59 GMT

If you need more details you can turn on auditing, make sure you turn on just what you need and you have sufficient space for the logs. I would suggest a sepparate mount point for the logs.

Re: Event logging

Mel Burslan — Mon, 08 Aug 2005 12:14:18 GMT

In addition to all of the above, if you want to log the IP addresses of people who connected to this machine over the network, you can turn on inetd logging by :

/usr/sbin/inetd -k
/usr/sbin/inetd -l

and see the inetd connection IP addresses in your syslog.log

Re: Event logging

Michael Selvesteen_2 — Tue, 09 Aug 2005 01:17:30 GMT

Auditing is the better solution for your problem. Use SAM to configure auditing in your machine. Select carefully the events which you need to monitor. Note currently SSH login/logout are not monitored by Auditing.

some important commands releated to auditing

1. audisp -e filename
2. audsys
3. audevent
4. audusr

Hope this helps.

Re: Event logging

Muthukumar_5 — Tue, 09 Aug 2005 03:31:33 GMT

For auditing,

login/logout - last command (wtmp file tracking)
bad login - lastb command (btmp file tracking)
file access - You have to turn your system into trusted.

Go to sam -> auditing & security -> audited events, it will ask to ask to turn system trusted mode.

You can use .sh_history file to track which commands are executed with which file. You have to enable in /etc/profile for history logging as,

set -o $EDITOR
export $HISTFILE=$HOME/.sh_history
export $HISTSIZE=1000

hth.

Re: Event logging

Mahesh Kumar Malik — Tue, 09 Aug 2005 06:28:36 GMT

Hi TR

Logging fetures are available when you have Trusted System Environment. Once you have Trusted System, enable Auditing and ites options to enable logging of login/logout, failed logins, file access, etc

Regards
Mahesh