New Member.

Best auditd configuration to audit linux system - Translation of UID GID in logs

Hi all,

I'm surprise that Linux system is not really good monitored.

I mean that, when we receive a log in ArcSight, We received only the UID and GID of a user.

But, it's not enough to analyse who made an action.

Another exemple, when you create a user on linux, or move it on a group, you can't see who is the initiator of the action.

The only information is uid:756, but when you have lot of system to monitor you don't have any idea on who is user 756!

I'm surprise that ArcSight doesn't deliver a documentation that describe how to tranlsate GID and UID in our logs.

In addition, what is the best auditd configuration?

I'm not an Unix specialist, and I'm not sure what is the best audit log configuration to apply to a Linux system.

I meand having:

Who made the action


What actions?

Using what command?


In my point of view this point should be increased for correct linux monitoring. Or at least a template should be given in arcsight documentation, that fit CIS or NIST recommendation for auditd configuration

Your advices/opinions are welcome


Labels (1)
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.