Operating System - HP-UX
1748163 Members
3641 Online
108758 Solutions
New Discussion юеВ

Delivery HP-UX Audits to another system

 
Jason S Nadeau
New Member

Delivery HP-UX Audits to another system

I am trying to combine all the HP-UX audit logs from all my HP-UX servers onto a linux based syslog server. I am running a mix of HP-UX 11.23 and 11.31. I currently have a custom cron script that rolls audit to a new file. Then take the old audit data and run the audisp tool to get ASCII text. The ASCII test is then sent to a named pipe watched by syslog-ng. This process is cumbersome but we would like to avoid FTP, and the hassles of secure copy with pub/pri keys. Any suggestions to improve the above solution using syslog-ng?
3 REPLIES 3
Olivier Masse
Honored Contributor

Re: Delivery HP-UX Audits to another system

It depends on how much "live" you want it to be. Using SCP is probably the best solution since it's secure, but not live and this leaves time for an intruder to interfere with the transfer. Audisp in itself is not live anyway since as I recall, it must be run in a loop to extract logs. Furthermore, since you don't want to use FTP or keys, this leaves few alternatives. I'd use logger(1) or netcat in your case.

FYI, recent releases of 11iv3 have much easier to use tools to extract audit data than audisp.

Good luck
OldSchool
Honored Contributor

Re: Delivery HP-UX Audits to another system

I guess I'm confused...why wouldn't you simply forward the log messages?
Jason S Nadeau
New Member

Re: Delivery HP-UX Audits to another system

We do forward syslog events for realtime insight into the system. However our auditors would like us to have a copy of the audit logs we can search for actions performed by all users. These syscalls are part of the audit applications. The fact we can not see the audit data "live" is not a large concerns as the data is only lagged by 1 hour due to our hourly cron jobs. The main problem I have had with syslog-ng is some of the data appears to be missing and I was wondering if named pipe is perhaps the wrong way to get the data out of audisp tool.

We intially tried piping the output to logger but that was even worse than named pipe monitoring. I have never heard of netcat so I have some research to do.