Operating System - HP-UX

Can't get commands in audit logs

 
MohitAnchlia
Frequent Advisor

Can't get commands in audit logs

I enabled auditing through SAM but can't get the commands, login, logout etc. in the audit logs. I checked the user events, list of users etc. and everything seems to be all right in terms of what we want to have audited. After enabling auditing I haven't changed any events, so isn't it supposed to log everything? Despite enabling auditing, nothing is being logged. When I check the audit log that points to /.secure/etc in SAM, I just see a few commands executed by root, but not all. For example, this is what I see:

Audit Log

All users are selected.
All events are selected.
All ttys are selected.
Selecting successful & failed events.
TIME PID E EVENT PPID AID RUID RGID

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
060929 14:12:22 2512 S 57 844 0 0 0
[ Event=utssys; User=root; Real Grp=root; Eff.Grp=root; ]

RETURN_VALUE 1 = 0;
PARAM #1 (addr of char) = 2132456936
PARAM #2 (int) = 0
PARAM #3 (int) = 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
060929 14:12:23 2512 S 60 844 0 0 0
[ Event=umask; User=root; Real Grp=root; Eff.Grp=root; ]

RETURN_VALUE 1 = 0;
PARAM #1 (int) = 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
4 REPLIES
IT_2007
Honored Contributor

Re: Can't get commands in audit logs

Could you please post the /etc/rc.config.d/auditing information so that I can tell you why it is not logging?

MohitAnchlia
Frequent Advisor

Re: Can't get commands in audit logs

I enabled it through SAM. Somebody told me on this site that if you use SAM to enable auditing then the auditing file is ignored. But I can tell you that it has all default events set and all the users are listed for audit.
IT_2007
Honored Contributor

Re: Can't get commands in audit logs

I haven't done it through SAM. But I am sure there might be some options you might have missed. If you want to do it through /etc/rc.config.d/auditing then I can help you out.
MohitAnchlia
Frequent Advisor

Re: Can't get commands in audit logs

Sure, if you can tell me how to do that in auditing that would be great too.