Operating System - HP-UX

Can't get commands in audit logs

 
MohitAnchlia
Frequent Advisor

Can't get commands in audit logs

I enabled auditing through SAM but can't get the commands, login, logout, etc. in the audit logs. I checked the user events, list of users, etc., and everything seems to be all right in terms of what we want to have audited. After enabling auditing I haven't changed any events, so isn't it supposed to log everything? Despite enabling auditing, nothing is being logged. When I check the audit log that points to /.secure/etc in SAM, I just see a few commands executed by root, but not all. For example, this is what I see:

Audit Log                                        [ ] Automatic Scrolling

All users are selected.
All events are selected.
All ttys are selected.
Selecting successful & failed events.
TIME PID E EVENT PPID AID RUID RGID

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
060929 14:12:22 2512 S 57 844 0 0 0
[ Event=utssys; User=root; Real Grp=root; Eff.Grp=root; ]

RETURN_VALUE 1 = 0;
PARAM #1 (addr of char) = 2132456936
PARAM #2 (int) = 0
PARAM #3 (int) = 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
060929 14:12:23 2512 S 60 844 0 0 0
[ Event=umask; User=root; Real Grp=root; Eff.Grp=root; ]

RETURN_VALUE 1 = 0;
PARAM #1 (int) = 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
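
An added example, not part of the original thread: a small Python parser for the record layout shown in the post above. It tallies events per user and reports which event names of interest never appear in the log. The sample text is constructed from the two records in the post plus one invented record, and the `wanted` event names are an assumption about how command execution would be logged.

```python
import re
from collections import Counter

# Constructed sample: the two records from the post (frame characters removed)
# plus one invented failed record for a second, hypothetical user.
SAMPLE = """\
060929 14:12:22 2512 S 57 844 0 0 0
[ Event=utssys; User=root; Real Grp=root; Eff.Grp=root; ]
RETURN_VALUE 1 = 0;
PARAM #1 (addr of char) = 2132456936
~~~~~~~~~~~~
060929 14:12:23 2512 S 60 844 0 0 0
[ Event=umask; User=root; Real Grp=root; Eff.Grp=root; ]
RETURN_VALUE 1 = 0;
~~~~~~~~~~~~
060929 14:13:01 2600 F 5 844 102 102 20
[ Event=open; User=mohit; Real Grp=users; Eff.Grp=users; ]
RETURN_VALUE 1 = -1;
"""

FIELDS = ("date", "time", "pid", "status", "event_no", "ppid", "aid", "ruid", "rgid")
# Record header: date, time, PID, S/F flag, event number, PPID, AID, RUID, RGID.
HEADER = re.compile(r"\b(\d{6})\s+(\d\d:\d\d:\d\d)\s+(\d+)\s+([SF])"
                    r"\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)")
DETAIL = re.compile(r"([\w. ]+?)=([^;]*);")          # "Key=value;" pairs in [ ... ]
RETVAL = re.compile(r"RETURN_VALUE\s+\d+\s*=\s*(-?\d+)")

def parse_records(text):
    """Return one dict per audit record found in the displayed layout."""
    records, cur = [], None
    for line in text.splitlines():
        m = HEADER.search(line)
        if m:                                        # a new record starts here
            cur = dict(zip(FIELDS, m.groups()))
            records.append(cur)
        elif cur is not None and "Event=" in line:   # bracketed detail line
            cur.update((k.strip(), v.strip()) for k, v in DETAIL.findall(line))
        elif cur is not None and (r := RETVAL.search(line)):
            cur["return"] = int(r.group(1))
    return records

def summarize(records, wanted=("execv", "execve")):
    """Count (user, event, S/F) and list wanted event names that never occur.
    `wanted` is an assumed set of names; adjust it to the events you selected."""
    counts = Counter((r.get("User"), r.get("Event"), r["status"]) for r in records)
    missing = sorted(set(wanted) - {r.get("Event") for r in records})
    return counts, missing

if __name__ == "__main__":
    counts, missing = summarize(parse_records(SAMPLE))
    for key, n in sorted(counts.items()):
        print(n, *key)
    print("never seen:", ", ".join(missing) or "none")
```
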
IT_2007
Honored Contributor

Re: Can't get commands in audit logs

Could you please post the /etc/rc.config.d/auditing information so that I can tell you why it is not logging?

MohitAnchlia
Frequent Advisor

Re: Can't get commands in audit logs

I enabled it through SAM. Somebody told me on this site that if you use SAM to enable auditing then the auditing file is ignored. But I can tell you that it has all default events set and all the users are listed for audit.
IT_2007
Honored Contributor

Re: Can't get commands in audit logs

I haven't done it through SAM. But I am sure there might be some options you might have missed. If you want to do it through /etc/rc.config.d/auditing then I can help you out.
MohitAnchlia
Frequent Advisor

Re: Can't get commands in audit logs

Sure, if you can tell me how to do that in auditing, that would be great too.