|
|
Sponsored Content
Operating Systems
Solaris
audit log timestamps in GMT
Post 302555145 by chinchao on Wednesday 14th of September 2011 04:48:34 AM
09-14-2011
|
|
10 More Discussions You Might Find Interesting
1. Solaris
I got a lot of this message in my /var/audit log
how can I exclude this message?
header,127,2,invalid event number,fe,hostsol1.com.sg,2007-12-21 00:10:01.001 +08:00,argument,1,0x5,processor ID,argument
,2,0x3,flag,text,P_STATUS,subject,zhang1,root,root,root,root,18228,576129155,291 131094... (1 Reply)
Discussion started by: geoffry
1 Replies
2. AIX
Hi guys,
I've googled this quite a bit, and tried searching on these forums, but haven't found a solution to my problem. I wanted to inquire about AIX's audit subsystem - more specifically, how to rotate its log file.
So far I've been able to find how to rotate AIX syslog log files, and I... (2 Replies)
Discussion started by: w1r3d
2 Replies
3. Solaris
hi all,
i enabled audit in my server it is working fine, now i want to delete old logs from audit file ,plz find a solution for it,
Regards
spandan (2 Replies)
Discussion started by: spandhan
2 Replies
4. Cybersecurity
Hi,
I keep encountering events in the BSM/C2 logs which shows that the audit-user who performed the event is the user (e.g. ongkk in the example below). However, the user is able to show me that he wasn't logged in at that time nor have the rights to perform the event (e.g. su in this example).... (5 Replies)
Discussion started by: BERNIELEE68
5 Replies
5. Solaris
How do i find if audit logs is secured inside Solaris 10?
· Verify that that audit log files are secured and owned appropriately.
this is the question (1 Reply)
Discussion started by: werbotim
1 Replies
6. AIX
Dear All
When I start the AIX(6100-06)audit subsystem.
the log will save in /audit/stream.out (or /audit/trail), but in default when /audit/stream.out to grow up to 150MB.
It will replace the original /audit/stream.out (or /audit/trail).
Then the /audit/stream.out become empty and... (2 Replies)
Discussion started by: nnnnnnine
2 Replies
7. Shell Programming and Scripting
Hi, everyone
I would like to write ksh script in ksh (HP-UX), to audit any changes inside target directories.
My enviroment has many constrains, so I can only use ksh and cannot install
any 3rd party soft or command (include perl or other languages)
The script functions like below
1) take a... (1 Reply)
Discussion started by: stev.h
1 Replies
8. Red Hat
Hi,
I'm fairly new to administering RedHat (or any Linux system for that matter), and was wondering if someone could help me work out how to best manage audit logs.
In a nutshell, this is what I need to do:
- Compress audit.log file(s) once a month and delete the originals
- The... (0 Replies)
Discussion started by: Seonix
0 Replies
9. SuSE
Dear users,
I have SLES 11 and SLES 10 servers.
I'd like to receive an alert when audit log files reach certain percentage of full.
1. Is '/etc/audit/auditd.conf' the right file to modify?
2. I'd like to receive email alert. Can I specify my email in this parameter 'action_mail_acct... (1 Reply)
Discussion started by: JDBA
1 Replies
10. Shell Programming and Scripting
I am trying to parse the audit log to find a particular date that associated with a user record. The Date and the context of the record that I need to extract from the audit.log are 11-07-2015, the username and the activity he or she performed that day.
Here is my code:
grep -c date -d... (3 Replies)
Discussion started by: dellanicholson
3 Replies
LEARN ABOUT FREEBSD
auditreduce
AUDITREDUCE(1) BSD General Commands Manual AUDITREDUCE(1) NAME
auditreduce -- select records from audit trail files SYNOPSIS
auditreduce [-A] [-a YYYYMMDD[HH[MM[SS]]]] [-b YYYYMMDD[HH[MM[SS]]]] [-c flags] [-d YYYYMMDD] [-e euid] [-f egid] [-g rgid] [-j id] [-m event] [-o object=value] [-r ruid] [-u auid] [-v] [file ...] DESCRIPTION
The auditreduce utility selects records from the audit trail files based on the specified criteria. Matching audit records are printed to the standard output in their raw binary form. If no file argument is specified, the standard input is used by default. Use the praudit(1) utility to print the selected audit records in human-readable form. The options are as follows: -A Select all records. -a YYYYMMDD[HH[MM[SS]]] Select records that occurred after or on the given datetime. -b YYYYMMDD[HH[MM[SS]]] Select records that occurred before the given datetime. -c flags Select records matching the given audit classes specified as a comma separated list of audit flags. See audit_control(5) for a description of audit flags. -d YYYYMMDD Select records that occurred on a given date. This option cannot be used with -a or -b. -e euid Select records with the given effective user ID or name. -f egid Select records with the given effective group ID or name. -g rgid Select records with the given real group ID or name. -j id Select records having a subject token with matching ID, where ID is a process ID. -m event Select records with the given event name or number. This option can be used more then once to select records of multiple event types. See audit_event(5) for a description of audit event names and numbers. -o object=value file Select records containing path tokens, where the pathname matches one of the comma delimited extended regular expression con- tained in given specification. Regular expressions which are prefixed with a tilde ('~') are excluded from the search results. These extended regular expressions are processed from left to right, and a path will either be selected or deslected based on the first match. Since commas are used to delimit the regular expressions, a backslash ('') character should be used to escape the comma if it is a part of the search pattern. msgqid Select records containing the given message queue ID. pid Select records containing the given process ID. semid Select records containing the given semaphore ID. shmid Select records containing the given shared memory ID. -r ruid Select records with the given real user ID or name. -u auid Select records with the given audit ID. -v Invert sense of matching, to select records that do not match. EXAMPLES
To select all records associated with effective user ID root from the audit log /var/audit/20031016184719.20031017122634: auditreduce -e root /var/audit/20031016184719.20031017122634 To select all setlogin(2) events from that log: auditreduce -m AUE_SETLOGIN /var/audit/20031016184719.20031017122634 Output from the above command lines will typically be piped to a new trail file, or via standard output to the praudit(1) command. Select all records containing a path token where the pathname contains /etc/master.passwd: auditreduce -o file="/etc/master.passwd" /var/audit/20031016184719.20031017122634 Select all records containing path tokens, where the pathname is a TTY device: auditreduce -o file="/dev/tty[a-zA-Z][0-9]+" /var/audit/20031016184719.20031017122634 Select all records containing path tokens, where the pathname is a TTY except for /dev/ttyp2: auditreduce -o file="~/dev/ttyp2,/dev/tty[a-zA-Z][0-9]+" /var/audit/20031016184719.20031017122634 SEE ALSO
praudit(1), audit_control(5), audit_event(5) HISTORY
The OpenBSM implementation was created by McAfee Research, the security division of McAfee Inc., under contract to Apple Computer Inc. in 2004. It was subsequently adopted by the TrustedBSD Project as the foundation for the OpenBSM distribution. AUTHORS
This software was created by McAfee Research, the security research division of McAfee, Inc., under contract to Apple Computer Inc. Addi- tional authors include Wayne Salamon, Robert Watson, and SPARTA Inc. The Basic Security Module (BSM) interface to audit records and audit event stream format were defined by Sun Microsystems. BSD
January 24, 2004 BSD