
Event logging

 
T Raeuchle
New Member

Event logging

Is there a logging mechanism that I can turn on that records events such as user login/logout, failed logins, file access, etc.

Thanks

TR
Pete Randall
Outstanding Contributor

Re: Event logging

Check out the last and lastb commands.


Pete

Rick Garland
Honored Contributor

Re: Event logging

This is enabled by default - check out the last, lastb commands.


Will tell you who logged in when and who failed to log in and when.

For su access, look at the /var/adm/sulog
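
One way to review the /var/adm/sulog file mentioned above, as an added example that is not part of any post in this thread. It assumes the usual sulog record layout (SU, date, time, + for success or - for failure, terminal, from-to user pair); the sample records and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample records in the assumed sulog layout:
#   SU MM/DD HH:MM +|- tty fromuser-touser
sample_sulog() {
cat <<'EOF'
SU 03/14 09:02 + ttyp1 alice-root
SU 03/14 09:05 - ttyp2 bob-root
SU 03/14 09:05 - ttyp2 bob-root
SU 03/14 09:06 - ttyp2 bob-root
SU 03/14 11:40 - pts/0 carol-oracle
SU 03/15 02:13 + ttyp2 bob-root
garbage line that is not a su record
EOF
}

# Summarise failed su attempts per from-to pair, most failures first.
# Also reports whether a success followed the last failure for that pair,
# which is worth a closer look (repeated guesses ending in a hit).
# Reads the files given as arguments, or stdin when none are given.
sulog_failures() {
    awk '
        # Skip anything that is not a well-formed su record.
        $1 == "SU" && NF == 6 && ($4 == "+" || $4 == "-") {
            pair = $6
            if ($4 == "-") {
                fail[pair]++
                last[pair] = $2 "_" $3   # sulog carries no year
                then_ok[pair] = 0
            } else if (fail[pair] > 0) {
                then_ok[pair] = 1
            }
        }
        END {
            for (p in fail)
                if (fail[p] > 0)
                    printf "%d %s last_fail=%s success_after=%s\n",
                        fail[p], p, last[p], (then_ok[p] ? "yes" : "no")
        }
    ' "$@" | sort -k1,1nr -k2,2
}

# Run against the constructed sample; on a real host pass /var/adm/sulog.
sample_sulog | sulog_failures
```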

Florian Heigl (new acc)
Honored Contributor

Re: Event logging

Look for the manuals on the HP-UX trusted system operating mode; this is the way to gather all the data you listed.
yesterday I stood at the edge. Today I'm one step ahead.
generic_1
Respected Contributor
Solution

Re: Event logging

If you need more details you can turn on auditing; make sure you turn on just what you need and you have sufficient space for the logs. I would suggest a separate mount point for the logs.
Mel Burslan
Honored Contributor

Re: Event logging

In addition to all of the above, if you want to log the IP addresses of people who connected to this machine over the network, you can turn on inetd logging by:

/usr/sbin/inetd -k
/usr/sbin/inetd -l

and see the inetd connection IP addresses in your syslog.log
________________________________
UNIX because I majored in cryptology...
Michael Selvesteen_2
Trusted Contributor

Re: Event logging

Auditing is the better solution for your problem. Use SAM to configure auditing in your machine. Select carefully the events which you need to monitor. Note currently SSH login/logout are not monitored by Auditing.

Some important commands related to auditing:

1. audisp -e filename
2. audsys
3. audevent
4. audusr

Hope this helps.
Muthukumar_5
Honored Contributor

Re: Event logging

For auditing,

login/logout - last command (wtmp file tracking)
bad login - lastb command (btmp file tracking)
file access - You have to turn your system into trusted.

Go to sam -> auditing & security -> audited events; it will ask to turn the system to trusted mode.

You can use .sh_history file to track which commands are executed with which file. You have to enable in /etc/profile for history logging as,

set -o $EDITOR
# Keep each user's command history in a file in their home directory
export HISTFILE=$HOME/.sh_history
export HISTSIZE=1000

hth.
Easy to suggest when don't know about the problem!
Mahesh Kumar Malik
Honored Contributor

Re: Event logging

Hi TR

Logging features are available when you have Trusted System Environment. Once you have Trusted System, enable Auditing and its options to enable logging of login/logout, failed logins, file access, etc.

Regards
Mahesh