The Linux Knowledge Pack expands the auditing and reporting capabilities of InTrust to SuSE Linux Enterprise Server, Red Hat Enterprise Linux, Oracle Linux and Debian GNU/Linux. The Knowledge Pack enables InTrust to work with Syslog and text logs.
The following table shows what you can audit and monitor on Linux:
Data Source | Gathering | Real-Time Monitoring |
---|---|---|
Syslog messages | X | X |
Text logs of any format | X | |
Configuration file modification | X | X |
For details about Linux distribution versions that InTrust can audit and monitor, see the following topics:
To prepare a Linux host, you need to install an InTrust agent and adjust the configuration of the Syslog flavor used. Currently, agents must be installed manually on each Linux host you want to cover.
An alternative agent-free approach, which is not covered in this topic, is to use Syslog forwarding to an InTrust server. For details about this method, see Setting Up Gathering of Syslog Data.
The Linux Knowledge Pack is installed on top of an existing InTrust installation. The following objects are included:
|
Note: To work with Oracle Linux and Debian GNU/Linux, use the data sources, policies and sites designed for Red Hat Enterprise Linux. |
InTrust agents must be installed manually on Linux hosts. For details, see Installing Agents Manually on Linux Computers.
InTrust takes advantage of the Syslog logging system on Linux computers. Syslog provides data for auditing and real-time monitoring activities.
Syslog functionality is provided by a syslogd daemon, which accepts messages from various sources that support logging, and either writes these messages to files or passes them on to other hosts in the network. There are multiple implementations of the daemon, including rsyslog and syslog-ng; these systems and keep their configuration files in different locations and have different sets of options.
When you install the InTrust agent on the Linux host, the necessary entries are automatically added to Syslog configuration. You do not have to modify any InTrust-related settings manually. However, if you use classic syslogd, it is up to you how you configure redirection of messages to other destinations.
NOTE: Prior to InTrust 11.3.2, a few manual Syslog configuration steps could be necessary to make Syslog gathering and real-time monitoring work. If you install the agent as part of an upgrade from version 11.3.1 or earlier to the current version, the new agent detects and updates the manual configuration. This activity is captured by Syslog. To confirm that it was successful, find Syslog messages that contain the string "SyslogConf::fix_rsyslog_file". |
Reception of forwarded Syslog messages relies on named pipes, which have limited capacity. If a pipe opened for incoming messages becomes full, then messages will be skipped. This is a difficult situation to diagnose, but if you know or suspect it is happening on your message-receiving host, you can try increasing the pipe size.
The following is a sample Perl script that sets the maximum capacity for the pipe required by InTrust. Run it (or a variation of it) on the InTrust agent host that captures Syslog messages.
#!/usr/bin/perl
use Fcntl;
use constant
{
F_SETPIPE_SZ => 1031,
F_GETPIPE_SZ => 1032,
};
###################################################################
$MaxPipeBufPath = "/proc/sys/fs/pipe-max-size";
sysopen(Handle, $MaxPipeBufPath, O_RD) or die "sysopen failed: $!";
$MaxPipeBuf = readline(Handle) or die "readline failed: $!";
close Handle;
print "\n" . "max pipe buffer size = " . $MaxPipeBuf . "\n";
###################################################################
$FilePath = "/var/log/intrust_syslog";
sysopen(Handle, $FilePath, O_RD);
$CurrBuf = fcntl(Handle, F_GETPIPE_SZ, 0) or die "fcntl failed: $!";
print "current pipe buffer size = " . $CurrBuf . "\n";
###################################################################
if( int($CurrBuf) < int($MaxPipeBuf) )
{
fcntl(Handle, F_SETPIPE_SZ, int($MaxPipeBuf) ) or die "fcntl failed: $!";
print "new pipe buffer size = " . fcntl(Handle, F_GETPIPE_SZ, 0) . "\n";
}
###################################################################
close Handle;
© ALL RIGHTS RESERVED. 이용 약관 개인정보 보호정책 Cookie Preference Center