Flat File - HP-UX Audit Log
Overview
HP-UX is the HP version of the UNIX operating system. HP-UX provides kernel-level auditing through its own auditing daemon. Audit logs are granular and, if not managed properly, can grow large enough to fill the hard drive. By default, auditing is turned off and must be enabled using the HP-UX SAM tool.
Prerequisites
The flat file collection mechanism used by the agent references a file and tracks its read position (state) so that only entries written since the last read are collected. The following information is required for this process to function properly and should be gathered prior to configuring collection:
- The name of the flat file that will be accessed and collected by the agent.
- The LogRhythm System Monitor Agent used to collect the audit data from the flat file.
Configure HP-UX Kernel Audit
Auditing can be enabled in several ways:
- From the Security section of the SAM graphical user interface. For more information, consult the SAM User’s Manual for the enabling process.
- Use the SAM text interface. For more information, consult the SAM User’s Manual for the enabling process.
- The following command line method can be used, but it is only recommended for testing: audsys -n -c <current auditfilename> -s <current auditfilesize(Kb)>
The flat file used for collection is generated using the “audisp” (Audit Display) command, which converts a binary audit file into a readable ASCII format. The command format is: audisp <filename>
Although customer configurations vary for flat file collection, a cron script should be created that performs the following steps:
- Copy the existing binary audit file into a rotated log. Example: audit.log to audit.log.1
- Convert the rotated binary audit file to ASCII, as expected by the LogRhythm System Monitor Agent performing the collection. See the System Monitor Agent documentation for more information.
- Clear any log file that has rotated past its expiration age. Example: audit.log.10
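The three cron steps above, as an added example script that is not part of this guide or of HP-UX itself. It assumes the binary audit file is /var/.audit/audit.log, keeps ten generations (audit.log.1 through audit.log.10, so the oldest expires exactly as the example names it), writes the ASCII copy of each generation as audit.log.N.txt next to it, and lets the AUDISP variable point at the converter so the logic can be exercised on a host without audisp.

```sh
#!/bin/sh
# Rotate the HP-UX binary audit file, convert the rotated copy to ASCII with
# audisp for the LogRhythm System Monitor Agent, and expire old generations.
# Assumed names: AUDIT_DIR/audit.log, KEEP=10, ASCII copies as audit.log.N.txt.
AUDIT_DIR="${AUDIT_DIR:-/var/.audit}"   # assumed location of the binary audit file
AUDIT_BASE="${AUDIT_BASE:-audit.log}"
KEEP="${KEEP:-10}"                      # generations kept; audit.log.10 expires (step 3)
AUDISP="${AUDISP:-audisp}"              # converter command; override for testing

# Step 3 then step 1: drop the generation past its expiration age, shift
# audit.log.N -> audit.log.N+1 (binary and ASCII copies together), then
# snapshot the current binary audit file as generation 1.
rotate_audit() {
  dir="$1"; base="$2"; keep="$3"
  rm -f "$dir/$base.$keep" "$dir/$base.$keep.txt"
  n=$((keep - 1))
  while [ "$n" -ge 1 ]; do
    [ -f "$dir/$base.$n" ] && mv "$dir/$base.$n" "$dir/$base.$((n + 1))"
    [ -f "$dir/$base.$n.txt" ] && mv "$dir/$base.$n.txt" "$dir/$base.$((n + 1)).txt"
    n=$((n - 1))
  done
  [ -f "$dir/$base" ] || return 1        # nothing to rotate: fail loudly in cron
  cp "$dir/$base" "$dir/$base.1"
}

# Step 2: convert the rotated binary copy to the ASCII file the agent reads.
convert_audit() {
  dir="$1"; base="$2"
  "$AUDISP" "$dir/$base.1" > "$dir/$base.1.txt"
}

run_rotation() {
  rotate_audit "$1" "$2" "$3" && convert_audit "$1" "$2"
}

# Cron entry point; guarded so the file can be sourced for checks without acting.
[ -n "${HPUX_AUDIT_ROTATE:-}" ] && run_rotation "$AUDIT_DIR" "$AUDIT_BASE" "$KEEP"
```

Point the agent's File Path (or Directory Collection pattern) at the audit.log.N.txt files, and set HPUX_AUDIT_ROTATE=1 in the cron entry that runs the script.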
After you configure the device, you must also configure LogRhythm according to the instructions provided on the overview page of this guide. Only Global Admins or Restricted Admins with elevated View and Manage privileges can take this action.
The name of the log message source is Flat File - HP-UX Audit Log. In addition, when configuring this log source:
- For Log Message Processing Engine (MPE) Policy, select LogRhythm Default.
- On the Flat File Settings tab, enter the following:
- File Path. <path to log file, including the file name and extension>
- Date Parsing Format. HPUX Audit Logs [<y><M><d> <h>:<m>:<s>]
- Log Message Start Regex. ^
For information on Directory Collection, see the Basic Properties section in the Log Sources topic of the NextGen SIEM Help.
The file being collected must be viewable on the host with the agent using a standard file name path such as /var/log/logfile.txt or C:\logs\logfile.txt.