Difference between Audit and Unix logs
When I run deviceVendor=Unix I am seeing both Unix and Audit logs from the deviceProduct field (i.e. deviceProduct="Unix" and deviceProduct="Audit").
1) Here please let me know what "Audit" logs are and what "Unix" logs are.
2) Suppose I want to know the server reporting status to "ArcSight"; then which logs do we need to refer to (deviceProduct="Unix" or deviceProduct="Audit")?
3) From some of the servers I am not seeing Audit logs. How do we get these audit logs? Do we need to enable these audit logs manually on the server? If yes, please provide me the steps.
4) Whenever I am seeing Audit logs, I am seeing the deviceHostName field with the FQDN name (ex: abc.com). If I refer to Unix logs, I am seeing the deviceHostName field without the FQDN name (ex: abc).
5) As per the above point, which one is the correct format (with domain name or without domain name)?
6) Whenever I am seeing the Audit logs I am getting the deviceAddress field, but in Unix logs I am not seeing the deviceAddress field. To get deviceAddress in both cases, what needs to be done on the server end?
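The hostname and address differences raised in points 4 to 6 come from the two record formats themselves, which the following added example illustrates (it is not code from the post, from ArcSight, or from any connector). It parses a constructed BSD-syslog line and a constructed Linux audit USER_LOGIN record describing the same SSH login: the syslog header carries only the sending host's configured name (here the short name) and no address field at all, whereas login-type audit records carry their own `hostname=` and `addr=` pairs inside the `msg='...'` payload. The sample values, the field names in the returned dicts and the idea that a collector maps `host` to deviceHostName and `addr` to deviceAddress are assumptions made for the example; how ArcSight's own parsers populate those fields is not shown on this page.

```python
import re
from datetime import datetime, timezone

# Constructed sample records (hostnames, addresses and PIDs are invented):
# a BSD-syslog line as a Unix syslog forwarder emits it, and a Linux audit
# USER_LOGIN record as auditd writes it. Both describe the same SSH login.
SYSLOG_LINE = ("<38>Jan 10 10:15:02 abc sshd[2141]: "
               "Accepted publickey for alice from 10.0.0.5 port 51022 ssh2")
AUDIT_LINE = ("type=USER_LOGIN msg=audit(1704881702.114:917): pid=2141 uid=0 "
              "auid=1001 ses=4 msg='op=login id=1001 exe=\"/usr/sbin/sshd\" "
              "hostname=abc.example.com addr=10.0.0.5 terminal=/dev/pts/0 res=success'")

# RFC 3164 header: <PRI>TIMESTAMP HOSTNAME TAG[PID]: MSG. The HOSTNAME field is
# whatever the sending host's syslog daemon was configured with (often the short
# name), and the line itself has no separate source-address field.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")

# Audit records are key=value pairs; values may be bare, "double" or 'single' quoted.
AUDIT_KV_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")
AUDIT_TS_RE = re.compile(r"msg=audit\((\d+)\.(\d+):(\d+)\)")


def parse_syslog(line):
    """Return a normalized dict from a BSD-syslog line."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a BSD-syslog line")
    pri = int(m.group("pri"))
    return {
        "source": "syslog",
        "facility": pri >> 3,            # PRI = facility * 8 + severity
        "severity": pri & 7,
        "host": m.group("host"),         # short name as configured on the sender
        "addr": None,                    # syslog carries no address field
        "process": m.group("tag"),
        "message": m.group("msg"),
    }


def parse_audit(line):
    """Return a normalized dict from a Linux audit record."""
    ts = AUDIT_TS_RE.search(line)
    if not ts:
        raise ValueError("not an audit record")
    top = dict(AUDIT_KV_RE.findall(line))
    # The trailing msg='...' payload nests its own key=value pairs.
    inner = dict(AUDIT_KV_RE.findall(top.get("msg", "").strip("'")))
    return {
        "source": "audit",
        "type": top["type"],
        "serial": int(ts.group(3)),
        "time": datetime.fromtimestamp(int(ts.group(1)), tz=timezone.utc),
        "host": inner.get("hostname"),   # hostname as recorded by the audit daemon (FQDN here)
        "addr": inner.get("addr"),       # peer address carried in the record, unlike syslog
        "process": inner.get("exe", "").strip('"'),
        "result": inner.get("res"),
    }


def short_host(name):
    """Strip the domain so FQDN and short names compare equal."""
    return name.split(".")[0] if name else None


def same_host(rec_a, rec_b):
    """True when two records come from the same host, regardless of FQDN vs short form."""
    return short_host(rec_a["host"]) == short_host(rec_b["host"])


if __name__ == "__main__":
    s, a = parse_syslog(SYSLOG_LINE), parse_audit(AUDIT_LINE)
    for rec in (s, a):
        print(rec["source"], "host=", rec["host"], "addr=", rec["addr"], "process=", rec["process"])
    print("same host:", same_host(s, a))
```

Running it shows `host=abc addr=None` for the syslog record and `host=abc.example.com addr=10.0.0.5` for the audit record, which is the same asymmetry described in points 4 and 6. The `short_host` normalization is one way to correlate the two streams when a collector reports the name in different forms.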