HP-UX audit log on Arcsight ESM

Hello,

I collect audit logs from HP-UX 11i v3 servers and send them to an ArcSight SmartConnector. The SmartConnector sends the audit logs to ESM.

But some parameters of the logs do not appear in ESM. For example, I can only see that the rm command was executed, but the removed file's name, path and command options do not appear.

How can I show the full logs in ESM?

Thanks,


Hi Tsengel,

Are you using the latest SmartConnector?

A screenshot would be helpful in order to identify the problem; also check in the raw logs whether the information is present.


The SmartConnector version is below.

7.1.7.7600.0

# cat version.txt

X7600

HP-UX audit log:

ESM RAW data:

RAW   CEF:0|HP|HP-UX Binary Audit||mkdir|mkdir|Unknown| eventId=2426540456 end=1469002092000 mrt=1468980566910 art=1468980558388 cnt=1 type=0 priority=2 start=1469002092000 modelConfidence=0 severity=0 relevance=10 locality=Local assetCriticality=0rt=1469002092000 cs1=1 cs2=0: -1:finsit:201607200007 cs3=(none) cs4=dba cs5=106(dba) cs6=0 originator=0 suser=finsit suid=115 sproc=3739 spriv="BASIC" c6a4=fe80:0:0:0:250:56ff:feaf:391b categoryDeviceType=Applications aid=3647O-FUBABDz-5kVNPHDLg== at=hpuxaudit_fileav=7.1.7.7600.0 atz=Asia/Ulaanbaatar ahost=test.testservice.local agt=192.168.1.1 agentZone=3380 agentAssetId=4iDlFg1MBABDw3s0gZttvuQ== dtz=Asia/Ulaanbaatar dvchost=cbuat lblString1Label=Parent PID lblString2Label=Audit Tag lblString3Label=TTY lblString4Label=RealGroup lblString5Label=Groups lblString6Label=ReturnValue1 lblNumber1Label=GroupID lblNumber2Label=Effective UID lblIpv6Address4Label=Agent IPv6 Address oaid=3647O-FUBABDz-5kVNPHDLg== oat=hpuxaudit_file oav=7.1.7.7600.0 oatz=host=test.testservice.local oagt=192.168.1.1 oagentZone=3380 oagentAssetId=4iDlFg1MBABDw3s0gZttvuQ== fDeviceVendor=HP fDeviceProduct=HP-UX Binary Audit fdtz=Asia/Ulaanbaatar fdvchost=cbuat

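The reply above suggests checking the raw log before blaming an ESM view, and the raw CEF line in the last post is exactly where that check can be made: if the connector never put the file name and path into the extension, no ESM field map will show them. The following Python is an added example written for this thread, not ArcSight or Micro Focus code. It parses a CEF line (header fields split on unescaped pipes, extension split on key=value tokens with CEF's backslash escapes undone), resolves the custom-field labels to their names, and reports which file-detail keys (fname, filePath) are missing. The two sample events are constructed: the first mirrors the mkdir event pasted above, trimmed; the second is an invented rm event that carries the file fields. The mapping of lblStringNLabel to csN (and lblNumberNLabel to cnN) is an assumption drawn from how the labels line up with the cs values in the pasted event; standard CEF spells those labels csNLabel and cnNLabel, which the code also accepts.

```python
"""Parse ArcSight CEF events and report whether file details survived.

Added example for this thread; not ArcSight/Micro Focus code. The sample
events below are constructed, modelled on the mkdir event in the thread.
"""
import re

# Standard CEF header: CEF:Version|Vendor|Product|DevVersion|SignatureID|Name|Severity|Extension
HEADER_NAMES = ("version", "vendor", "product", "device_version",
                "signature_id", "name", "severity")

# A key is a run of key characters preceded by whitespace (or line start) and
# followed by an unescaped '='; an escaped '\=' inside a value cannot match.
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")

# Assumption (from the thread's data): lblString4Label names cs4, lblNumber2Label
# names cn2. Standard CEF uses cs4Label / cn2Label, accepted here as well.
LABEL_RE = re.compile(r"^(?:lbl(String|Number)|c([sn]))(\d+)Label$")


def split_header(line):
    """Return (7 header fields, extension string), honouring backslash escapes."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < len(HEADER_NAMES):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):  # escaped '|' or '\' in a header field
            cur.append(line[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
            continue
        cur.append(ch)
        i += 1
    if len(fields) != len(HEADER_NAMES):
        raise ValueError("not a CEF line: fewer than 7 header fields")
    return fields, line[i:]


def unescape(value):
    """Undo CEF extension escapes: \\= \\\\ \\n \\r."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_extension(ext):
    """Split 'k=v k2=v2 ...' into a dict. A value runs until the next 'key='
    token, so an unescaped literal ' word=' inside a value would split it."""
    keys = list(KEY_RE.finditer(ext))
    out = {}
    for m, nxt in zip(keys, keys[1:] + [None]):
        end = nxt.start() if nxt else len(ext)
        out[m.group(1)] = unescape(ext[m.end():end].strip())
    return out


def parse_cef(line):
    """Parse one CEF line into header fields plus an 'extension' dict."""
    fields, ext = split_header(line.strip())
    event = dict(zip(HEADER_NAMES, fields))
    event["version"] = event["version"].split(":", 1)[1]  # 'CEF:0' -> '0'
    event["extension"] = parse_extension(ext)
    return event


def resolve_labels(extension):
    """Map labelled custom fields to their names, e.g. cs4='dba' with
    lblString4Label='RealGroup' becomes {'RealGroup': 'dba'}."""
    named = {}
    for key, label in extension.items():
        m = LABEL_RE.match(key)
        if not m:
            continue
        prefix = ("cs" if m.group(1) == "String" else "cn") if m.group(1) else "c" + m.group(2)
        field = prefix + m.group(3)
        if field in extension:
            named[label] = extension[field]
    return named


FILE_DETAIL_KEYS = ("fname", "filePath")


def missing_file_details(event):
    """CEF file-detail keys the event lacks. If they are absent from the raw
    event, the connector never sent them and no ESM view can show them."""
    return [k for k in FILE_DETAIL_KEYS if k not in event["extension"]]


# Constructed samples: a trimmed copy of the thread's mkdir event, and an
# invented rm event that does carry the file fields (note the escaped '=').
MKDIR_EVENT = ("CEF:0|HP|HP-UX Binary Audit||mkdir|mkdir|Unknown| eventId=2426540456 "
               "suser=finsit suid=115 sproc=3739 cs1=1 cs2=0: -1:finsit:201607200007 "
               "cs3=(none) cs4=dba cs5=106(dba) lblString1Label=Parent PID "
               "lblString2Label=Audit Tag lblString3Label=TTY lblString4Label=RealGroup "
               "lblString5Label=Groups dvchost=cbuat")
RM_EVENT = ("CEF:0|HP|HP-UX Binary Audit||rm|rm -rf|Unknown| eventId=1 suser=finsit "
            "fname=report\\=final.txt filePath=/home/finsit/report\\=final.txt dvchost=cbuat")

if __name__ == "__main__":
    for raw in (MKDIR_EVENT, RM_EVENT):
        ev = parse_cef(raw)
        print(ev["name"], "labels:", resolve_labels(ev["extension"]),
              "missing:", missing_file_details(ev))
```

Run it against the full RAW line copied out of ESM: an empty "missing" list means the data reached ESM and the gap is in the viewer or field mapping; a non-empty one means the SmartConnector (or the HP-UX audit configuration feeding it) is where to look.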