
Property | Default Value | Description
--- | --- | ---
Protocol | UDP | The default protocol for syslog. The collector can also accept logs over TCP. Note: While TCP offers guaranteed delivery of log packets, it places a larger overhead on the LCP. To weigh TCP's reliability against UDP's speed and simplicity for your environment, contact the Accenture Security Onboarding team.
IP Address | Unix OS interface IP address | Logging device IP address given in the Pre-Installation Questionnaire (PIQ). Note: If the device sends logs from multiple interfaces, contact the Accenture Security Onboarding team.
Signatures | ipmon, audispd:, named, httpd:, login:, dhclient, sshd, su, LOGIN, pam_unix, xinetd, kernel, useradd, adduser, userdel, gdm, rpc.statd, usermod, init:, reboot:, ftpd, last message repeated, shutdown:, Firewall[, passwd, shadow, in.telnetd, audit:, SuSEfirewall2:, auditd, gnome-keyring-daemon, vsftpd:, chage, groupdel, groupadd, vsftpd[, login[, groupmod, unix_chkpwd, chpasswd, gdm-session-worker | Accenture Security recommended signatures processed by the Unix event collector.
Port Number | 514 | The default port for UDP. For TCP, the default port is 601. Note: The LCP can be configured to listen on a non-standard port; advise the Accenture Security Onboarding team if this is a requirement.

Sample Logs

RHEL Linux

Sep 27 18:15:10 192.0.2.1 sshd[8406]: Failed password for root from ::ffff:192.0.2.2 port 3162 ssh2

SUSE Linux

Dec 18 21:10:47 Test sshd[10067]: Accepted keyboard-interactive/pam for root from 192.0.2.2 port 58996 ssh2

AIX

May 26 14:35:34 Test ftpd[491726]: connection from ::ffff:192.0.2.1 at Fri May 26 14:35:34 2006

Solaris

Aug 11 11:43:02 Test su: [ID 366847 auth.notice] 'su root' succeeded for matt on /dev/pts/2

ISC BIND 9

Apr 7 13:45:27 Test named[8186]: 07-Apr-2009 13:45:27.191 queries: info: client 192.0.2.1#39588: query: Domain.com IN A +

Debian

May 20 05:09:20 Test sshd[29765]: Accepted password for root from 192.0.2.1 port 53170 ssh2

Oracle Linux

Mar 14 07:55:33 Test kernel: IPT: New OutBound: IN= OUT=eth0 SRC=192.0.2.1 DST=192.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=1 ID=38606 PROTO=UDP SPT=44852 DPT=33434 LEN=40

Ubuntu Linux

Apr 14 03:35:13 Test sshd[13359]: Received disconnect from 192.0.2.24: disconnected by user

HP-UX

Jun 2 18:28:50 Test ftpd[5589]: FTP LOGIN FROM <FQDN> 192.0.2.5, root

Linux IPTables

Apr 8 13:26:57 Test kernel: IPT: New Forwarded Conn: IN=br0 OUT=br1 PHYSIN=eth0 SRC=198.51.100.5 DST=64.34.180.101 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56

Auditd

Mar 18 19:01:01 Test audispd: node=<FQDN> type=USER_START msg=audit(1237417261.745:3029): user pid=3936 uid=0 auid=0 ses=376 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="root" exe=2F7573722F7362696E2F63726F6E64202864656C6574656429 (hostname=?, addr=?, terminal=cron res=success)'
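The following script is an added example, not the collector's or Accenture's own code: it parses the BSD-style syslog header used by the samples above and reports which entry of the recommended signature table covers each line, so an onboarding engineer can check in advance whether a device's logs will be processed or silently dropped. The delimiter rule (a signature ending in ":" or "[" is an exact prefix, any other must be followed by ":", "[" or a space) is this example's reading of the list, not a documented collector rule; the cron and sudo lines are constructed.

```python
# Added example, not the collector's own code: parse the BSD syslog header
# used by this page's samples and report which recommended signature covers
# the line. The delimiter rule below is this example's own assumption.
import re

# Recommended signatures, copied from the table on this page.
SIGNATURES = [
    "ipmon", "audispd:", "named", "httpd:", "login:", "dhclient", "sshd",
    "su", "LOGIN", "pam_unix", "xinetd", "kernel", "useradd", "adduser",
    "userdel", "gdm", "rpc.statd", "usermod", "init:", "reboot:", "ftpd",
    "last message repeated", "shutdown:", "Firewall[", "passwd", "shadow",
    "in.telnetd", "audit:", "SuSEfirewall2:", "auditd", "gnome-keyring-daemon",
    "vsftpd:", "chage", "groupdel", "groupadd", "vsftpd[", "login[",
    "groupmod", "unix_chkpwd", "chpasswd", "gdm-session-worker",
]

# "Mon DD HH:MM:SS host body", where body is "tag[pid]: message".
HEADER = re.compile(
    r"^([A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")


def signature_for(line):
    """Longest signature naming the program at the start of the body, else
    None. A signature ending in ':' or '[' is an exact prefix; any other
    must be followed by ':', '[' or a space ('su' must not match 'sudo[')."""
    m = HEADER.match(line)
    if not m:
        return None
    body = m.group(3)
    hits = [s for s in SIGNATURES if body.startswith(s) and
            (s[-1] in ":[" or body[len(s):len(s) + 1] in ":[ ")]
    return max(hits, key=len) if hits else None


# Lines from this page's sample section plus two constructed non-matching
# lines (cron is not in the list; sudo must not be taken for "su").
SAMPLES = {
    "RHEL": "Sep 27 18:15:10 192.0.2.1 sshd[8406]: Failed password for root from ::ffff:192.0.2.2 port 3162 ssh2",
    "Solaris": "Aug 11 11:43:02 Test su: [ID 366847 auth.notice] 'su root' succeeded for matt on /dev/pts/2",
    "ISC BIND 9": "Apr 7 13:45:27 Test named[8186]: 07-Apr-2009 13:45:27.191 queries: info: client 192.0.2.1#39588: query: Domain.com IN A +",
    "Oracle Linux": "Mar 14 07:55:33 Test kernel: IPT: New OutBound: IN= OUT=eth0 SRC=192.0.2.1 DST=192.0.2.5",
    "cron (constructed)": "Sep 27 18:15:10 Test cron[123]: (root) CMD (run-parts /etc/cron.hourly)",
    "sudo (constructed)": "Sep 27 18:15:11 Test sudo[124]: matt : TTY=pts/0 ; COMMAND=/bin/ls",
}


def classify_samples():
    """Map each sample name to the signature that covers it (None = not processed)."""
    return {name: signature_for(line) for name, line in SAMPLES.items()}
```

Running `classify_samples()` shows the page's samples resolving to sshd, su, named and kernel, while the constructed cron and sudo lines resolve to None, which is the case to raise with the onboarding team before a device goes live.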