Documentation on Unix continuous monitoring?

Ensign
We are trying to set up some reporting on Unix monitoring such as:

User creation
User deletion
User modification of privileges

I have been struggling to find documentation that would help me set up the filters for these queries.  We have all the systems reporting in auditd events, but I just can't find what ArcSight would be reporting for these events to be able to filter it.

Any help is appreciated.  Thank You!

Accepted Solution

Fleet Admiral
Unfortunately the method of generation of audit messages is pretty similar between Linux variants, but the messages themselves do vary - SUSE is different to Red Hat for example. I do find that RHEL is more detailed and extensive and seems to generate better value messages, but that could be just me based on my experience only.

However, I have always used the Red Hat documentation to support any rules that I have built out. RHEL documentation is pretty good and extensive and you can find a pretty good list of the audit message types here:

B.2. Audit Record Types

Rules based on types of activity, such as SU to root or a file type being changed to an executable, are all there, and you can quickly add the rules required. But clearly this is use case dependent.
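As an added example, not code from the thread, from ArcSight or from the Red Hat documentation: the script below reads raw auditd records of the types listed in the RHEL appendix the answer links (ADD_USER, DEL_USER, USER_MGMT, USER_CHAUTHTOK and the role-change types) and sorts them into the three report buckets the question asks for, plus a credential-change bucket that goes beyond the question. The sample log lines, the bucket assignment and every pid, uid and account name are constructed for the example. It classifies on the raw `type=` field of each record; which ArcSight field the connector puts that value in (the Device Event Class ID mentioned earlier in the thread, or another) has to be confirmed against your own connector's output.

```python
import re
from dataclasses import dataclass

# Constructed sample records (not from the thread). They follow the layout
# auditd writes to /var/log/audit/audit.log: a type= header, the
# msg=audit(epoch:serial) stamp, daemon fields, then the user-space message
# inside msg='...'. Every pid, uid and account name below is invented.
SAMPLE_AUDIT_LOG = """\
type=ADD_USER msg=audit(1600000000.101:201): pid=2101 uid=0 auid=1000 ses=4 msg='op=adding user id=1001 exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/0 res=success'
type=USER_MGMT msg=audit(1600000010.300:210): pid=2150 uid=0 auid=1000 ses=4 msg='op=add-user-to-group grp="wheel" acct="bob" exe="/usr/sbin/usermod" hostname=? addr=? terminal=pts/0 res=success'
type=USER_CHAUTHTOK msg=audit(1600000020.500:220): pid=2200 uid=0 auid=1000 ses=4 msg='op=PAM:chauthtok grantors=pam_unix acct="bob" exe="/usr/bin/passwd" hostname=? addr=? terminal=pts/0 res=success'
type=USER_MGMT msg=audit(1600000030.700:230): pid=2250 uid=1000 auid=1000 ses=4 msg='op=add-user-to-group grp="wheel" acct="carol" exe="/usr/sbin/usermod" hostname=? addr=? terminal=pts/1 res=failed'
type=DEL_USER msg=audit(1600000040.900:240): pid=2300 uid=0 auid=1000 ses=4 msg='op=deleting user entries id=1001 exe="/usr/sbin/userdel" hostname=? addr=? terminal=pts/0 res=success'
type=USER_LOGIN msg=audit(1600000050.100:250): pid=2350 uid=0 auid=1000 ses=5 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=/dev/pts/2 res=success'
not an audit record at all
"""

# Record type -> report bucket. The type names are auditd's; which bucket
# each one lands in is this example's choice, not a Red Hat or ArcSight mapping.
CATEGORY_BY_TYPE = {
    "ADD_USER": "user_creation",
    "DEL_USER": "user_deletion",
    "USER_MGMT": "privilege_modification",      # e.g. usermod adding a group
    "GRP_MGMT": "privilege_modification",
    "ROLE_ASSIGN": "privilege_modification",
    "ROLE_REMOVE": "privilege_modification",
    "USER_ROLE_CHANGE": "privilege_modification",
    "USER_CHAUTHTOK": "credential_change",       # password/PIN change
}

HEADER_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<rest>.*)$"
)
# key=value pairs. A value is either double-quoted or runs up to the next
# " key=" token, which keeps unquoted multi-word values such as
# op=adding user intact instead of truncating them at the first space.
KV_RE = re.compile(r'(\w+)=("[^"]*"|.*?)(?=\s+\w+=|$)')


@dataclass
class AuditRecord:
    rtype: str
    timestamp: float
    serial: int
    fields: dict


def parse_record(line):
    """Parse one auditd line; return None for lines that are not audit records."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    # Split the daemon fields from the user-space message carried in msg='...'.
    outer, sep, inner = m.group("rest").partition("msg='")
    if sep:
        inner = inner.rstrip().rstrip("'")
    fields = {}
    for key, value in KV_RE.findall(outer + " " + inner):
        fields[key] = value.strip().strip('"')
    return AuditRecord(m.group("type"), float(m.group("ts")), int(m.group("serial")), fields)


def classify(record):
    """Map a record to a report event, or None if its type is not of interest."""
    category = CATEGORY_BY_TYPE.get(record.rtype)
    if category is None:
        return None
    f = record.fields
    return {
        "category": category,
        "type": record.rtype,
        "time": record.timestamp,
        "actor_auid": f.get("auid"),            # login uid of who did it
        "subject": f.get("acct") or f.get("id"),  # account name, or uid for ADD/DEL_USER
        "operation": f.get("op"),
        "group": f.get("grp"),
        "result": f.get("res"),                 # success or failed
        "exe": f.get("exe"),
    }


def build_report(log_text):
    """Group the events of interest by bucket, in log order."""
    report = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        event = classify(rec) if rec else None
        if event is not None:
            report.setdefault(event["category"], []).append(event)
    return report


def summarize(report):
    return {category: len(events) for category, events in report.items()}


def failed_events(report):
    """Failed attempts are kept rather than dropped; a report usually wants them listed separately."""
    return [e for events in report.values() for e in events if e["result"] != "success"]


if __name__ == "__main__":
    rep = build_report(SAMPLE_AUDIT_LOG)
    for category, events in rep.items():
        print(category)
        for e in events:
            print(f"  {e['type']:<15} {e['subject']:<6} {e['operation']:<22} {e['result']}")
    print("failed:", [(e["type"], e["subject"]) for e in failed_events(rep)])
```

The unmapped USER_LOGIN line and the non-record line are dropped silently, which is the behaviour you want for a report but not for a parser health check; if you wire this into a pipeline, count the lines `parse_record` rejects so a format change on one distribution does not quietly empty the report.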

6 Replies

Vice Admiral
Dear burnsie

You must install syslog-ng on your Unix host. Then in this package you can filter anything you want. Install the ArcSight SmartConnector for syslog-ng and parse everything you want to the destinations.


BR

Amir

0 Likes
Highlighted
Ensign
Ensign

Hi Amir,

All Unix hosts are reporting their logs to ArcSight already.  At this point we are working to generate reports on the logs that we are receiving.  I dug through the documentation to try and find a listing of the logs that are generated when ArcSight normalizes the Unix logs.  It seems as if the Device Event Class ID may be unique to each type of event, yet there is no documentation on what these IDs are related to.  At least, none that I have been able to find.  I was hoping that there would be some sort of listing or guidance of these somewhere.

Cadet 1st Class
Yes, it is really nice, man! Have you already created use cases?

Ensign
Paul,

Thank You!  That is exactly what I needed to get pointed in the right direction!

I would also like to thank you for putting your videos on YouTube.  It has helped to broaden my skills with ArcSight.  Hopefully I will be able to attend some official training in the future.

0 Likes
Highlighted
Fleet Admiral
Fleet Admiral

I think this resource will be the best place for you to understand what the different types of events are:

Chapter 7. System Auditing - https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html

The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.