Linux Audit provides a way to track potential security issues by generating detailed log entries about events occurring on your system.

Device Details

Device Name: Syslog - Linux Audit
Vendor: Linux
Device Type: N/A
Supported Model Name/Number: N/A
Supported Software Version(s): N/A
Collection Method: Syslog
Configurable Log Output? Yes
Log Source Type: Syslog - Linux Audit
Log Processing Policy: LogRhythm Default
Exceptions: N/A
Additional Information: N/A


Supported Log Messages

Type | Product Version | Supported Schema Fields
Audit Events 1 | N/A | <severity>, <vmid>, <process>, <amount>, <command>, <vendorinfo>, <object>, <objectname>
Audit Events 2 | N/A | <vmid>, <subject>, <account>, <process>, <object>, <tag2>, <tag3>, <group>, <sname>, <sip>, <session>, <tag1>
Callback Suppressed | N/A | <severity>, <process>, <quantity>
Catch All : Level 1 | N/A | <severity>, <tag1>
Configuration Change | N/A | <severity>, <vmid>, <account>, <session>, <command>, <objectname>, <subject>, <account>
Connection Failed | N/A | <severity>, <process>, <processid>, <dname>, <dport>
CROND Operations | N/A | <severity>, <dname>, <process>, <processid>, <tag1>, <subject>, <tag2>, <login>, <command>
CRONTAB Operations | N/A | <severity>, <dname>, <process>, <processid>, <object>
Finished Catalog Run | N/A | <severity>, <process>, <processid>, <object>, <seconds>
General PCI Information | N/A | <tag1>, <itemsin>, <process>, <account>, <group>, <session>, <object>, <tag2>
Group Entry Messages | N/A | <severity>, <dname>, <process>, <object>, <objectname>, <group>, <domain>, <tag1>
GSSAPI Messages | N/A | <severity>, <process>, <subject>, <object>
Kernel Audit Message | N/A | <severity>, <processid>, <session>, <command>, <dname>, <dip>, <sname>, <subject>, <quantity>
Last Message Repeated | N/A | <severity>, <dname>, <subject>, <quantity>, <url>, <protname>, <responsecode>
NTPD Event | N/A | <severity>, <dname>, <process>, <processid>, <dip>, <object>
Path Information | N/A | <severity>, <object>, <account>, <objectname>
Puppet Agent Command Executed Successfully | N/A | <severity>, <dname>, <process>, <processid>, <command>
Session Information | N/A | <severity>, <process>, <processid>, <account>
SNMPD Operations | N/A | <severity>, <dname>, <process>, <processid>, <tag1>, <command>, <tag2>, <protname>, <sip>, <sport>, <dip>, <subject>
System Call Activity | N/A | <severity>, <vmid>, <version>, <command>, <result>, <tag2>, <subject>, <parentprocessid>, <processid>, <login>, <account>, <group>, <session>, <process>, <object>, <objectname>
System Call Information | N/A | <severity>, <process>, <account>, <session>, <command>, <object>, <objectname>
Systemd : User Logs In | N/A | <severity>, <process>, <subject>, <action>, <object>


Revision History

KB Version | Log Type | Change Type | Details
KB 7.1.588.0 | Syslog | Device Support Update |
  • Updated two rules:
    1. Kernel Audit Message
    2. Session Information
  • Added two new base rules:
    1. GSSAPI Messages
    2. Systemd : User Logs In