System Administration
Syslog.conf file configuration

Venkatesh_16
Respected Contributor

Hi there,

We are going to have to integrate an HP-UX server with a centralized RSA enVision log management tool to meet our compliance requirements.

From HP-UX we need to enable the following events by editing the /etc/syslog.conf file:

* All actions taken by any individual with administrative privileges

* Initialization of the audit logs

* Creation and deletion of system-level objects

* Authentication events (Log off/Logon)

* Invalid Logon attempts due to incorrect password.

It would be great if you could let me know the facility.level combination for the events above. For example, I'm aware that for authentication events I'd use "auth.debug". For the others I'm not quite sure which facility handles such events. Thank you in advance.

V
3 REPLIES
Venkatesh_16
Respected Contributor

Re: Syslog.conf file configuration

Folks, any takers for this post? I've got points to offer. Thanks.
Patrick Wallek
Honored Contributor

Re: Syslog.conf file configuration

The majority of these cannot be done with syslog.

You would probably be better off looking at other products and see if that fit a part of what you need.

Things that come to mind --

Role Based Access Control (RBAC) from HP.
http://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=AccessControl

PowerBroker from Symark
http://www.symark.com/products/pboverview.html

>>Creation and deletion of system-level objects

I'm not sure what you mean by this.

Rick Garland
Honored Contributor

Re: Syslog.conf file configuration

As mentioned, not everything here can go into the syslog facility. There are some 3rd party products that work really well and should satisfy your requirements.

All actions by an individual with administrative rights - you can use 'rootsh' in conjunction with sudo. This creates a log file that logs every keystroke. Use this with sudo and you can see when sudo was invoked. The sudo log can be appended to the syslog.

Invalid login - this is logged in the syslog file on a trusted system; you can also use the 'last' and 'lastb' commands, which read the wtmp and btmp files.

Creation/Deletion of system level objects - unsure exactly what you mean but if you are talking OS level files (or any file for that matter) look into tripwire; it is on the iExpress.

Initialize audit log - the OS will log these events, in the rc.log at boot and typically in the syslog already.

Authentication events - you can get these from the 'last' command to see who logged on, when, and for how long.

Unfortunately, not everything will be in 1 location unless you jump through some hoops and customize.
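For the part of the original question that syslog can actually cover (authentication events, failed logins on a trusted system, and sudo invocations when sudo is told to log to syslog), here is an /etc/syslog.conf fragment as an added example. It is not from any of the posters; the central host name envision.example.com is an assumption, and the sudoers setting it refers to (Defaults syslog=auth) is an assumption about how sudo is configured on the box, not something the thread states.

```conf
# /etc/syslog.conf fragment (added example, not from the original posts).
# On HP-UX the selector and the action must be separated by TAB characters,
# not spaces; lines with spaces are silently ignored by syslogd.
#
# Authentication events, including failed password attempts on a trusted
# system, are logged under the auth facility. Forward everything from
# debug upward to the central log host (host name assumed).
auth.debug	@envision.example.com
#
# Keep a local copy as well, so the record survives a network outage
# or a problem on the collector. This is the default HP-UX syslog file.
auth.debug	/var/adm/syslog/syslog.log
#
# sudo logs to whatever facility is named in /etc/sudoers; with
# "Defaults syslog=auth" (assumed here) its invocations land under auth
# and are covered by the two lines above.
#
# Kernel and daemon messages at notice and above, which is where boot-time
# and service startup messages that do reach syslog end up.
kern.notice	@envision.example.com
daemon.notice	@envision.example.com
```

After editing the file, send syslogd a SIGHUP so it rereads the configuration, then test with a deliberately wrong password on a login and confirm the failure shows up both in the local file and on the collector. Note that this covers only the events the thread says syslog sees; the keystroke logs from rootsh and the file-change reports from Tripwire are separate files and still need their own forwarding arrangement.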