
Syslog.conf file configuration

 
Venkatesh_16
Respected Contributor

Syslog.conf file configuration

Hi there,

We are going to have to integrate an HP-UX server into a centralized RSA enVision Log management tool to meet our compliance requirements.

From HP-UX we need to enable the following events by editing the /etc/syslog.conf file:

* All actions taken by any individual with administrative privileges

* Initialization of the audit logs

* Creation and deletion of system-level objects

* Authentication events (Log off/Logon)

* Invalid Logon attempts due to incorrect password.

It would be great if you could let me know the facility.level combination for the events above. For example, I'm aware that for authentication events I'd use "auth.debug". For the others I'm not quite sure about the facility which handles such events. Thank you in advance.

V
3 REPLIES
Venkatesh_16
Respected Contributor

Re: Syslog.conf file configuration

Folks, any takers for this post? I've got points to offer. Thx
Patrick Wallek
Honored Contributor

Re: Syslog.conf file configuration

The majority of these cannot be done with syslog.

You would probably be better off looking at other products to see if they fit a part of what you need.

Things that come to mind --

Role Based Access Control (RBAC) from HP.
http://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=AccessControl

PowerBroker from Symark
http://www.symark.com/products/pboverview.html

>>Creation and deletion of system-level objects

I'm not sure what you mean by this.

Rick Garland
Honored Contributor

Re: Syslog.conf file configuration

As mentioned, not everything here can go into syslog facility. There are some 3rd party products that work real well and should satisfy your requirements.

All actions by individual with administrative rights - can use the 'rootsh' in conjunction with sudo. This creates a log file that logs every keystroke. Use this with sudo and you can see when sudo was invoked. The sudo log can be appended to the syslog.

Invalid login - this is logged in the syslog file on a trusted system, can also use the 'last' & 'lastb' commands which come from the wtmp & btmp files

Creation/Deletion of system level objects - unsure exactly what you mean but if you are talking OS level files (or any file for that matter) look into tripwire; it is on the iExpress.

Initialize audit log - the OS will log these events, in the rc.log at boot and typically in the syslog already.

Authentication events - you can get these from the 'last' command to see who logged on when and for how long.

Unfortunately, not everything will be in 1 location unless you jump through some hoops and customize.
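
Added example, not written by any poster in this thread: a shell check that reads a syslog.conf and reports whether a given facility.level (such as the auth.debug mentioned in the question) would actually be forwarded to the central collector. The host name `loghost`, the sample rules and the function names are constructed for illustration, and the tab-only separator rule is assumed from classic syslogd behaviour, so confirm it against the HP-UX syslogd man page.

```shell
#!/bin/sh
# Constructed sample syslog.conf; "loghost" is a placeholder collector name.
TAB=$(printf '\t')
SAMPLE_CONF=$(printf '%s\n' \
  "# constructed sample, not from the thread" \
  "auth.debug${TAB}@loghost" \
  "*.info;mail.none${TAB}/var/adm/syslog/syslog.log" \
  "local2.info @loghost" \
  "*.alert${TAB}root")

# is_forwarded CONF HOST FACILITY LEVEL
# Exit 0 if a FACILITY.LEVEL message matches a tab-separated rule whose action is @HOST.
is_forwarded() {
  printf '%s\n' "$1" | awk -F'\t+' -v host="@$2" -v fac="$3" -v lvl="$4" '
    BEGIN {
      n = split("emerg alert crit err warning notice info debug", names, " ")
      for (i = 1; i <= n; i++) sev[names[i]] = i   # lower number = more severe
      hit = 0
    }
    /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
    NF < 2 || $2 != host { next }      # only rules that forward to HOST
    {
      ok = 0
      np = split($1, parts, ";")       # e.g. "*.info;mail.none"
      for (p = 1; p <= np; p++) {
        dot = index(parts[p], ".")
        if (dot == 0) continue
        l = substr(parts[p], dot + 1)
        nf = split(substr(parts[p], 1, dot - 1), facs, ",")
        for (f = 1; f <= nf; f++) {
          if (facs[f] != "*" && facs[f] != fac) continue
          if (l == "none") ok = 0      # explicit exclusion of this facility
          else if ((l in sev) && (lvl in sev) && sev[lvl] <= sev[l]) ok = 1
        }
      }
      if (ok) hit = 1
    }
    END { exit !hit }'
}

# space_separated_rules CONF
# Print line numbers of rules with no tab at all (assumed to be skipped by syslogd).
space_separated_rules() {
  printf '%s\n' "$1" | awk '
    /^[ \t]*(#|$)/ { next }
    index($0, "\t") == 0 { print NR }'
}
```

In the sample, the `local2.info @loghost` rule looks correct but uses a space, so the check reports it as not forwarded.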