HPE Community
Operating System - HP-UX
1832990 Members
2571 Online
110048 Solutions
New Discussion

Re: HIDS Alert Log Format

 
SOLVED
Go to solution
KPS
Super Advisor

‎03-26-2007 06:50 AM

‎03-26-2007 06:50 AM

HIDS Alert Log Format

Hi,

We just installed HIDS 4.0 agent on some clients. All is working well except for the format of the alert logs. It seems as though there are control characters in the alert logs and the format is very much of as far as the legibility. Could anyone tell us why we may be seeing this? I'll attach a sample of one of our alert.log files.

Thanks in advance.....

KPS
0 Kudos
4 REPLIES 4
KPS
Super Advisor

‎03-26-2007 06:55 AM

‎03-26-2007 06:55 AM

Re: HIDS Alert Log Format

I just realized after attaching an ASCII format of the alert.log, it looks a little better. This seems a little off, and I was just wondering if this is normal or should it be more legible to the eye?

Thanks,
KPS
0 Kudos
Hein van den Heuvel
Honored Contributor

‎03-26-2007 07:48 AM

‎03-26-2007 07:48 AM

Solution

Re: HIDS Alert Log Format

Well, those 'funny' characters appear to all be a byte with value 1: 0x01

You can make it more readable by bulk replacing them with a newline.

For example:

# perl -pe 's/\001/\n/g' tmp.txt

or

# tr [\001] [\n] < tmp.txt

Hein.



0 Kudos
KPS
Super Advisor

‎03-26-2007 08:22 AM

‎03-26-2007 08:22 AM

Re: HIDS Alert Log Format

Thanks for the response, we're in better shape with better legibility of the alert logs.

0 Kudos
Pierre Pasturel
Respected Contributor

‎03-27-2007 11:11 AM

‎03-27-2007 11:11 AM

Re: HIDS Alert Log Format

Hi KPS -

The alert.log file on each agent was not designed for viewing but is instead a persistent alert respository on each agent in case the admin GUI/CLUI ever needs to retrieve those alerts for viewing. HIDS v4.0 and prior versions require that you use the admin GUI or CLUI to view formatted alerts.

HIDS v4.1 (to be released soon this spring) has a new alert reporting command-line feature that allows you to generate consolidated alert reports across any number of agents. The reports can be generated in HTML, text, or "raw" format. For the "raw" formatted reports, the delimiter character can be configured to be any character. Raw reports facilitates post-processing of alerts by customized scripts that you write, much like the alert response programs allow you to do post-processing of alerts in near real-time. Both the content and the presentation of the HTML and text formatted reports are configurable and, using cron, you can have incremental reports sent periodically to specified email addresses.

HIDS v4.1 will also come with a useful tool for fine tuning schedules by presenting consolidated alerts reports and generating the corresponding filtering rules for those alerts you deem safe to ignore.

HIDS v4.1 also contains a new feature for proactively suppressing duplicate alerts.

A list of new features and benefits will be available in the Release Notes when V4.1 is released.

Pierre
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.