_______________________________________
From: LC Bruzenak [lenny(a)magitekltd.com]
Sent: Friday, June 17, 2011 2:27 PM
To: Pittigher, Raymond - ES
Cc: linux-audit(a)redhat.com
Subject: Re: log files
On Fri, 2011-06-17 at 14:15 -0400, Pittigher, Raymond - ES wrote:
What do the users of this list use to read the log files? I have tried
Spacewalk (which is nice) but is a lot of software to install to read
logs. I have looked at Prewikka but do not have it totally configured
yet to give it an OK or not.
My experiences (I assume you specifically mean the audit logs):
Prewikka would be for IDS events only with the prelude plugin.
I use the audit-viewer with pre-constructed list tabs to match events
necessary for verification testing.
For faster results when looking for specific events or investigation, I
use the command line tools aureport and ausearch.
What would be great IMHO is to have a prewikka-like web interface for
the audit events.
HTH,
LCB
--
LC (Lenny) Bruzenak
lenny(a)magitekltd.com
I also used the au tools (aureport, aufind, etc.) but just wanting an average user to view
the bad events brings the need for a point-and-click interface. The people that now read the
audit events for the Windows servers are spoiled by the cornerbowl tool. I tossed together
a little script that dumps the audit events into an array, then sorts them and dumps them
out, but the users want a red background for bad and so on. Before I went crazy trying to
put something together I wanted to see what was out in the wild. I guess something that
dumps the files into MySQL tables would be the easiest to work with.
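Added example, not part of the thread and not either poster's script: a minimal Python reader for the kind of "parse, sort, highlight the bad events" view discussed above. The sample records are constructed, and treating success=no or res=failed as "bad" is an assumption of this example.

```python
import re
from datetime import datetime, timezone

# Constructed sample records in auditd's log format (not taken from the thread).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1308334500.123:4567): arch=c000003e syscall=2 success=no exit=-13 pid=2201 auid=500 uid=500 comm="cat" exe="/bin/cat" key="shadow-read"
type=USER_AUTH msg=audit(1308334400.001:4560): user pid=1234 uid=0 auid=4294967295 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=failed'
type=SYSCALL msg=audit(1308334450.500:4565): arch=c000003e syscall=2 success=yes exit=3 pid=2100 auid=500 uid=500 comm="vi" exe="/usr/bin/vi" key="etc-write"
this line is not an audit record
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
RED_BG, RESET = "\033[41m", "\033[0m"  # ANSI red background for "bad" rows

def parse_record(line):
    """Return one audit record as a dict, or None if the line is not a record."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rtype, stamp, serial, body = m.groups()
    # USER_* records wrap their details in msg='...'; unwrap so they parse too.
    body = body.replace("msg='", "").rstrip("'")
    fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
    # Assumption of this example: "bad" means a failed syscall or a failed result.
    bad = fields.get("success") == "no" or fields.get("res") == "failed"
    return {"time": float(stamp), "serial": int(serial), "type": rtype,
            "bad": bad, "fields": fields}

def load_events(text):
    """Parse every record in the text and sort by (timestamp, serial)."""
    events = [r for r in map(parse_record, text.splitlines()) if r]
    return sorted(events, key=lambda e: (e["time"], e["serial"]))

def render(events, color=True):
    """Format one row per event; failed events get a red background."""
    rows = []
    for e in events:
        ts = datetime.fromtimestamp(e["time"], tz=timezone.utc)
        f = e["fields"]
        row = (f'{ts:%Y-%m-%d %H:%M:%S} {e["type"]:<10} {f.get("exe", "-")} '
               f'uid={f.get("uid", "-")} key={f.get("key", "-")}')
        rows.append(f"{RED_BG}{row}{RESET}" if color and e["bad"] else row)
    return rows

if __name__ == "__main__":
    print("\n".join(render(load_events(SAMPLE_LOG))))
```

The dicts returned by load_events() have a flat shape (time, serial, type, bad, fields) that could equally be written as rows to a database table instead of being printed.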