
InTrust 11.4.1 - Preparing for Auditing and Monitoring HP-UX

InTrust Configuration

After you have taken all the necessary configuration steps on the target HP-UX hosts, the InTrust Manager snap-in takes over all auditing and real-time monitoring operations. This section describes HP-UX-specific settings that are not explained in the other InTrust documentation.

For more details, see the topics about the specific data sources:

The “HP-UX Syslog” and “HP-UX Audit Log” data sources represent the HP-UX audit trails. The “HP-UX Text File Monitoring” and “HP-UX Account Monitoring” data sources work with files that are not audit trails.


HP-UX Syslog

Syslog auditing and real-time monitoring are based on the flow of data intended for the syslogd daemon. The “HP-UX Syslog” data source is used to analyze the data flow and capture only the necessary portions of it.

This data source uses a list of regular expressions. When the data source is working, it applies the expressions, in the order specified, to each message. The order of the regular expressions matters because message processing stops as soon as the message matches one of the expressions.

When parsing takes place, pairs of parentheses are used in regular expressions to break messages up into numbered fields.

For example, the following regular expression:

^(.{15}) ((?:[[:digit:]][[:alpha:]])?):?([-[:alnum:]_.]+) (su): ((\+) ([[:alnum:]\?]+) (.*)-(.*))

matches the following message:

Mar 5 19:19:02 6E:spb9460 su: + 2 user2-root

The result is an event with the following fields:

Field Name            Field Number   Field Contents
Computer              3              spb9460
Description           5              + 4 user2-root
Event Source          4              su
Insertion String #1   5              + 4 user2-root
Insertion String #11  9              root
Insertion String #12  7              4
Insertion String #14  2              6E
Insertion String #8   8              user2

The last regular expression in the predefined data source is designed to match any message. This ensures that the message is not lost. The result of this regular expression is an event where the Description and Insertion String #1 fields both contain the descriptive part of the message, if a descriptive part is present.
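As an added illustration (example code, not part of InTrust or of this page), the following Python applies an ordered rule list in the way described above: the su expression from this page, followed by a catch-all, run over constructed sample messages. The POSIX character classes are rewritten for Python's re module, and the catch-all expression and the group-to-field mapping are assumptions of this example.

```python
import re

# Ordered rule list; the first regex that matches a message wins, so the
# specific "su" rule must come before the catch-all. The POSIX classes in
# the page's expression ([[:digit:]], [[:alpha:]], [[:alnum:]]) are
# rewritten as Python re equivalents here (an assumption of this example).
RULES = [
    ("su", re.compile(
        r"^(.{15}) ((?:\d[A-Za-z])?):?([-A-Za-z0-9_.]+) (su): "
        r"((\+) ([A-Za-z0-9?]+) (.*)-(.*))")),
    # Assumed catch-all so that no message is lost: timestamp, host, rest.
    ("catch-all", re.compile(r"^(.{15}) ([^ ]+) (.*)$")),
]

# Group number -> InTrust field name for the "su" rule, as in the table above.
SU_FIELDS = {
    3: "Computer", 4: "Event Source", 5: "Description",
    2: "Insertion String #14", 7: "Insertion String #12",
    8: "Insertion String #8", 9: "Insertion String #11",
}

# Constructed sample messages (not real logs). The day is padded with a
# second space, the usual syslog layout, so the timestamp is 15 characters.
SAMPLE_LINES = [
    "Mar  5 19:19:02 6E:spb9460 su: + 2 user2-root",
    "Mar  5 19:20:11 spb9460 sshd[4242]: Accepted publickey for user2",
]

def parse_line(line, rules=RULES):
    """Apply the rules in order; return the fields of the first match."""
    for name, rx in rules:
        m = rx.match(line)
        if m is None:
            continue
        if name == "su":
            event = {field: m.group(g) for g, field in SU_FIELDS.items()}
        else:
            # Catch-all: Description and Insertion String #1 both hold the
            # descriptive part of the message.
            event = {"Computer": m.group(2), "Description": m.group(3),
                     "Insertion String #1": m.group(3)}
        event["rule"] = name
        return event
    return None  # only reached if not even the catch-all matches

def parse_all(lines, rules=RULES):
    return [parse_line(line, rules) for line in lines]

if __name__ == "__main__":
    for event in parse_all(SAMPLE_LINES):
        print(event)
```

Reversing the rule order makes every message fall into the catch-all, which is the ordering pitfall the text warns about.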

It is not recommended that you modify predefined regular expressions in the data source. These expressions are required for the reports that come with the HP-UX Knowledge Pack. These reports will ignore any data resulting from the use of custom regular expressions.

If you create a custom Syslog data source with your own regular expressions, make sure you use customized reports based on the data that these regular expressions help capture.

Caution: Including a lot of complex regular expressions in the data source may slow down Syslog processing significantly.

HP-UX Audit Log

In InTrust Manager, the HP-UX Audit log is represented by the “HP-UX Audit Log” data source. Use this data source in any gathering, consolidation and import policies that need to work with Audit log data.

For information about the format of the resulting event records, see Data Collected from Audit Log.

Text File Monitoring Data Sources

The “HP-UX Account Monitoring” and “HP-UX Text File Monitoring” scripted data sources are designed to parse specified files. Real-time monitoring rules use these data sources to monitor the files for changes.

Caution: These scripted data sources are not designed for general-purpose auditing and monitoring of text-based logs. They should be used only on configuration files that preferably do not exceed 100 kilobytes. To collect large text-based logs, use Custom Text Log Events data sources, as described in Auditing Custom Logs with InTrust.

To specify the file paths, edit the appropriate parameters of the data sources. For example, to monitor the /etc/hosts.allow and /etc/hosts.deny files, take the following steps:

  1. Open the properties of the “HP-UX Text File Monitoring” data source.
  2. On the Parameters tab, select the TextFiles parameter and click Edit.
  3. Supply “/etc/hosts.allow” and “/etc/hosts.deny” in the dialog box that appears.

Similarly, you can edit the UsersFile and GroupsFile parameters of the “HP-UX Account Monitoring” data source if the location of the passwd and groups files differs from the default on your HP-UX hosts.

Note: Monitoring the passwd and groups files makes sense if your HP-UX environment does not use a directory solution. With a directory in place, information in these files is not important or representative.
