Best auditd configuration to audit linux system - Translation of UID GID in logs
I'm surprised that Linux systems are not really well monitored.
I mean that when we receive a log in ArcSight, we receive only the UID and GID of a user.
But it's not enough to analyse who made an action.
Another example: when you create a user on Linux, or move it to a group, you can't see who is the initiator of the action.
The only information is uid:756, but when you have lots of systems to monitor you don't have any idea who user 756 is!
I'm surprised that ArcSight doesn't deliver documentation that describes how to translate GID and UID in our logs.
In addition, what is the best auditd configuration?
I'm not a Unix specialist, and I'm not sure what is the best audit log configuration to apply to a Linux system.
I mean having:
Who made the action
Using what command?
In my point of view, this point should be improved for correct Linux monitoring. Or at least a template should be given in the ArcSight documentation that fits CIS or NIST recommendations for auditd configuration.
Your advice/opinions are welcome.
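The two questions above (who initiated the action, and with which command) are answerable from the audit record itself: auditd's `auid` field is the login UID, set at login and preserved across su/sudo, while `uid`/`euid` show the identity the command actually ran as, and `exe` names the binary. The following is an added example, not code from the post or from ArcSight: a small enricher that rewrites each numeric id field as `id=<number>(<name>)` and extracts the initiator. The `PASSWD`/`GROUPS` maps and the two audit lines are constructed stand-ins for a host's `/etc/passwd`, `/etc/group` and `audit.log`.

```python
import re
from typing import Optional

# Constructed stand-ins for /etc/passwd and /etc/group of the monitored host
# (assumption: the collector keeps a per-host copy; real values come from there).
PASSWD = {0: "root", 756: "jdoe", 1001: "svc-backup"}
GROUPS = {0: "root", 27: "sudo", 756: "jdoe"}
AUID_UNSET = 4294967295  # auditd writes an unset auid (-1) as unsigned 32-bit

# Constructed sample audit records: a useradd run as root by login user 756.
SAMPLE_LINES = [
    'type=SYSCALL msg=audit(1700000000.123:42): arch=c000003e syscall=59 '
    'success=yes exit=0 ppid=3101 pid=3105 auid=756 uid=0 gid=0 euid=0 '
    'suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="useradd" '
    'exe="/usr/sbin/useradd" key="user_mgmt"',
    "type=ADD_USER msg=audit(1700000000.130:43): pid=3105 uid=0 auid=756 ses=4 "
    "msg='op=adding user id=1002 exe=\"/usr/sbin/useradd\" terminal=pts/0 res=success'",
]

UID_KEYS = ("auid", "uid", "euid", "suid", "fsuid")
GID_KEYS = ("gid", "egid", "sgid", "fsgid")
# \b keeps "uid" from matching inside "fsuid" or "pid", and "id=" in msg is untouched.
ID_RE = re.compile(r"\b(" + "|".join(UID_KEYS + GID_KEYS) + r")=(\d+)")

def resolve(key: str, value: int) -> str:
    """Map a numeric id field to a name; unknown ids and an unset auid are labelled."""
    if key == "auid" and value == AUID_UNSET:
        return "unset"
    table = PASSWD if key in UID_KEYS else GROUPS
    return table.get(value, "unknown")

def enrich(line: str) -> str:
    """Rewrite every id field as id=<number>(<name>) so the SIEM shows names."""
    return ID_RE.sub(
        lambda m: f"{m.group(1)}={m.group(2)}({resolve(m.group(1), int(m.group(2)))})", line)

def initiator(line: str) -> Optional[str]:
    """Login user behind the record (auid), or None if unset or absent.
    auid survives su/sudo, so it answers 'who did it' even when uid=0."""
    m = re.search(r"\bauid=(\d+)", line)
    if not m or int(m.group(1)) == AUID_UNSET:
        return None
    return PASSWD.get(int(m.group(1)), "unknown")

def command(line: str) -> Optional[str]:
    """Executable recorded in the exe= field, if present."""
    m = re.search(r'\bexe="([^"]+)"', line)
    return m.group(1) if m else None

if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        print(f"{initiator(raw)} ran {command(raw)} :: {enrich(raw)}")
```

Records with `auid=4294967295` come from daemons and boot-time processes rather than a logged-in user, which is why audit rule sets commonly filter on `auid` to separate human activity from system noise.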