Carlosdl
29820 pts. | Aug 13 2009 1:51PM GMT
Are you investigating some specific problem ? If so, could you please provide more details ?
Linux logs are often more informative than windows, so you might not need that event id table for troubleshooting.
Dharmagrao
100 pts. | Aug 14 2009 3:19AM GMT
Hi Carlosdl,
Welcoming you on your suggestions, I am looking for specific event IDs on Unix. There are thousands of event IDs in Microsoft Windows/XP and Vista etc.
In a similar way I am looking for Unix event IDs. I would like to correlate and implement them with ArcSight. If you have info, please share.
Thanks in advance.
Dharma
Sds9985
365 pts. | Aug 14 2009 3:32PM GMT
Linux doesn't have event IDs like Windows. Each program can generate log entries to the system logging facility, syslogd (or rsyslogd on some new distros). Programs send log entries with a "facility" parameter which describes the source of the message and a "level", which describes the urgency of the problem. Syslog can be configured in /etc/(r)syslog.conf to do a variety of things with these messages, filtering by facility and/or level. Messages can be routed to various files (usually under /var/log as mentioned), sent to some other machine for centralized logging, sent to the console, etc. Rsyslog is newer than syslog and has more options for log message handling, like SNMP traps and insertions into a MySQL database.
Linux admins usually use some utility like swatch or logwatch to monitor system logs. These utilities watch for specific patterns of error messages coming from specific programs and take some action when a specific type of error message is seen.
Get familiar with how to use man pages and look at the man pages for (r)syslogd, (r)syslog.conf and logwatch for further details. Many of these log analyzer utilities have web sites with blogs/discussions, knowledge bases, examples, tutorials and documents.
The logger command is useful to test your log monitor - you can generate a sample log message with any facility or level setting to check and tune your configuration.
If you're using ArcSight, you should be able to set up /etc/(r)syslog.conf on your linux system to redirect all log messages to the ArcSight box and let ArcSight do the analysis and monitoring. Like this:
*.* @{ArcSight_IP_Addr}
Substitute the IP address of the ArcSight appliance for {ArcSight_IP_Addr} and this rule would send everything there.
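Added example (not code from this thread, nor from the syslog or rsyslog projects): a small POSIX sh model of how classic syslog.conf selectors are evaluated, so you can see which rule captures a message of a given facility and level, including how "*.*" forwards everything to a collector. The sample configuration lines, the file paths in them and the collector address 192.0.2.10 (a documentation address) are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: models syslog.conf "facility.level" selector matching.
# Not the real syslogd code; the config below is constructed for the demo.

# Numeric severity in syslog order: 0 is most urgent, 7 least urgent.
sev_num() {
    case "$1" in
        emerg|panic)  echo 0 ;;
        alert)        echo 1 ;;
        crit)         echo 2 ;;
        err|error)    echo 3 ;;
        warning|warn) echo 4 ;;
        notice)       echo 5 ;;
        info)         echo 6 ;;
        debug)        echo 7 ;;
        *)            echo 99 ;;   # unknown keyword: treated as "no level"
    esac
}

# selector_matches SELECTOR FACILITY SEVERITY
# Returns 0 when a selector of the form facility.level would capture a message
# with the given facility and severity. As in syslog.conf, naming a level means
# that level and everything more urgent; '*' matches all; 'none' matches nothing.
selector_matches() {
    sel=$1; fac=$2; sev=$3
    sel_fac=${sel%%.*}
    sel_sev=${sel#*.}
    [ "$sel_fac" = '*' ] || [ "$sel_fac" = "$fac" ] || return 1
    case "$sel_sev" in
        '*')  return 0 ;;
        none) return 1 ;;
    esac
    # A selector with an unknown level keyword matches nothing.
    [ "$(sev_num "$sel_sev")" -le 7 ] || return 1
    [ "$(sev_num "$sev")" -le "$(sev_num "$sel_sev")" ]
}

# Constructed sample configuration in syslog.conf layout: selector, whitespace,
# action. The last line is the "send everything to the collector" rule.
SAMPLE_CONF='auth.*      /var/log/auth.log
*.err       /var/log/errors.log
mail.none   /dev/null
*.*         @192.0.2.10'

# route_targets FACILITY SEVERITY
# Prints, one per line, every action whose selector matches the message.
route_targets() {
    rt_fac=$1; rt_sev=$2
    printf '%s\n' "$SAMPLE_CONF" | while read -r selector action; do
        [ -n "$selector" ] || continue
        if selector_matches "$selector" "$rt_fac" "$rt_sev"; then
            printf '%s\n' "$action"
        fi
    done
}

# Stand-alone demo: an auth warning (what `logger -p auth.warning -t demo
# 'failed login'` would produce on a real host) lands in auth.log and is
# forwarded to the collector; a mail debug message is only forwarded.
route_targets auth warning
route_targets mail debug
```

On a real host the same check is done end to end with `logger -p facility.level 'message'` and then looking at where the entry arrived. Note that a plain `@host` action in classic syslog forwards over UDP port 514 with no delivery guarantee and no encryption; rsyslog additionally accepts `@@host` for TCP, and a collector on the receiving side needs to be listening on that port for the rule to have any effect.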
Dharmagrao
100 pts. | Aug 17 2009 6:02PM GMT
Hi
Like Windows event IDs numbers 6005, 6006, 6008, and 6009.
I want to know the event IDs in the UNIX environment; if I get the events, I am going to implement them in the ArcSight log monitoring tool.
Please suggest from your side.
Thanks in advance.
Dharma
AW12
10 pts. | Sep 3 2009 5:53PM GMT
Speaking of Syslog, is there a newbie guide on setting up file directories for auditing, and what syslog file configuration captures that information and sends it to something like ArcSight?
For example:
Auth @IPadress
is what I use to capture the authentication.