Monitoring the audit.log file
Can anyone tell me which linux server/workstation commands/events result in an audit.log record with the messagetype=USER_CMD?
I am building a specialized flexconnector to monitor the audit.log file and want to capture user-typed commands. The USER_CMD messagetype appears to fit the bill, but I need to know more about what events/activities result in this audit.log entry.
Your question is very broad - I would start by googling audit.rules, auditd and audispd to understand how the auditing works on linux. The audit rules on the systems you are monitoring will dictate what activity will be audited.
You may not actually need a flex, depending on your requirements... things like the syslog SmartConnector already do a decent job of normalising audit logs from linux systems. The problem you may hit is that most of the interesting data is put into the "Additional Data" fields, as well as not translating some field values in the audit logs to be human-readable (and thus not very usable without mapping those ad.fields to usable ones - such as device custom string x and the like).
Thanks for the info, and believe me I have Googled auditd, audit.rules, and audisp looking for answers!
What I am trying to do is create specific rules to capture security related events, such as the use of the 'mount' and 'umount' commands along with su and sudo usage/attempts. I have been successful with these, but was hoping for more events. It appears that I get the best results with the USER_CMD messagetype, which is why I was looking for more information.
By the way, I have found a way to capture human readable information (user names etc.) using the ausearch -i command.
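As an added example (not code from the thread or from any connector), here is a small parser for audit.log records of the kind discussed above. It handles the two encodings auditd uses for values (double-quoted plain strings, and unquoted uppercase hex for values that contain spaces or unusual bytes, which is what ausearch -i decodes for you), flattens the nested msg='...' section, and pulls the USER_CMD records out so that fields like cwd, cmd, terminal and res can be mapped to connector fields instead of landing in "Additional Data". The three log lines are constructed for the example; the uid-to-name map is a hypothetical stand-in for the lookup ausearch -i does against the local passwd database.

```python
"""Parse Linux audit.log records and extract USER_CMD entries.

Added example, not from the original thread. The sample lines below are
constructed to follow the audit record layout; every value in them is made up.
"""
import re
from datetime import datetime, timezone

# Constructed sample: two sudo USER_CMD records and one su USER_AUTH record.
# The first cmd= value is hex-encoded because it contains spaces; it decodes
# to "/usr/bin/mount /dev/sdb1 /mnt".
SAMPLE_LOG = """\
type=USER_CMD msg=audit(1700000000.123:101): pid=4242 uid=1000 auid=1000 ses=3 msg='cwd="/home/alice" cmd=2F7573722F62696E2F6D6F756E74202F6465762F73646231202F6D6E74 exe="/usr/bin/sudo" terminal=pts/0 res=success'
type=USER_CMD msg=audit(1700000001.456:102): pid=4243 uid=1000 auid=1000 ses=3 msg='cwd="/home/alice" cmd="/usr/bin/id" exe="/usr/bin/sudo" terminal=pts/0 res=failed'
type=USER_AUTH msg=audit(1700000002.789:103): pid=4244 uid=1000 auid=1000 ses=3 msg='op=PAM:authentication grantors=pam_unix acct="root" exe="/usr/bin/su" hostname=? addr=? terminal=pts/0 res=success'
"""

# type=TYPE msg=audit(SECONDS.MILLIS:SERIAL): key=value key=value ...
HEADER_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<secs>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$"
)
# key="quoted", key='nested key=value pairs', or key=bare
FIELD_RE = re.compile(
    r"""(?P<key>[A-Za-z_][\w-]*)=(?:"(?P<dq>[^"]*)"|'(?P<sq>[^']*)'|(?P<bare>\S*))"""
)
HEX_RE = re.compile(r"^(?:[0-9A-F]{2})+$")
# auditd hex-encodes these string fields (unquoted) when the value holds
# spaces, quotes or non-printable bytes; plain values are double-quoted.
# Numeric fields such as pid=4242 are also valid hex, so decoding is
# restricted to fields that are strings by definition.
HEX_FIELDS = {"cmd", "cwd", "exe", "comm", "proc", "acct", "data"}


def parse_fields(text):
    """Turn 'k=v k="v" msg='k=v ...'' into a flat dict, decoding hex values."""
    fields = {}
    for m in FIELD_RE.finditer(text):
        key = m.group("key")
        if m.group("sq") is not None:
            # msg='...' wraps a second layer of key=value pairs; flatten it.
            fields.update(parse_fields(m.group("sq")))
            continue
        if m.group("dq") is not None:
            fields[key] = m.group("dq")
            continue
        value = m.group("bare")
        if key in HEX_FIELDS and HEX_RE.match(value):
            value = bytes.fromhex(value).decode("utf-8", errors="replace")
        fields[key] = value
    return fields


def parse_record(line):
    """Parse one audit.log line; returns None for lines that are not records."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    when = datetime.fromtimestamp(float(m.group("secs")), tz=timezone.utc)
    return {
        "type": m.group("type"),
        "time": when.isoformat(timespec="milliseconds"),
        "serial": int(m.group("serial")),
        "fields": parse_fields(m.group("body")),
    }


def parse_audit_log(text):
    return [r for r in (parse_record(l) for l in text.splitlines()) if r]


def user_commands(text, watched=("mount", "umount"), uid_names=None):
    """Return USER_CMD records with the fields a connector mapping would want.

    `watched` flags commands of interest by basename of argv[0];
    `uid_names` is a hypothetical {uid: name} map standing in for ausearch -i.
    """
    uid_names = uid_names or {}
    out = []
    for rec in parse_audit_log(text):
        if rec["type"] != "USER_CMD":
            continue
        f = rec["fields"]
        cmd = f.get("cmd", "")
        argv0 = cmd.split()[0] if cmd else ""
        out.append({
            "time": rec["time"],
            "serial": rec["serial"],
            "auid": f.get("auid"),
            "auid_name": uid_names.get(f.get("auid")),
            "uid": f.get("uid"),
            "cwd": f.get("cwd"),
            "cmd": cmd,
            "terminal": f.get("terminal"),
            "res": f.get("res"),
            "watched": argv0.rsplit("/", 1)[-1] in watched,
        })
    return out


if __name__ == "__main__":
    for entry in user_commands(SAMPLE_LOG, uid_names={"1000": "alice"}):
        print(entry)
```

Only USER_CMD records are returned here; the su attempt in the sample shows up as USER_AUTH (and in practice USER_START/USER_END, CRED_ACQ and similar), so a rule set that wants su as well as sudo has to match on those types too, and what gets written at all is still governed by the audit rules on the host.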
Have you considered using auditd and its associated logs?
The syslog connector will parse auditd messages by default, and auditd is way more informative than standard Unix syslog.