Community:GatherHPUXAudits

From Splunk Wiki


Splunk does not have an HP-UX software package. In order to satisfy our need to get the audit logs off of the HP-UX servers, we built this script to export the audit data.

First off, you will need to update your "audevent" flags to capture what you want. Stay away from audevent -P -F; this is a lazy grab of every syscall the system makes, and it's extremely noisy. Do your homework and find your comfort level.

Second, you will need to set up your log directory with proper permissions and layout. We chose the /var/.audit/ directory to store our audit files.

We are using syslog-ng to transmit the data to our log server. The data flow is as follows.

  1. The system writes audit events to a file.
  2. The audit file is switched hourly by a cron script (below).
  3. Once the system is auditing to a new file, the script runs the audit display tool on the old one.
  4. The audit display tool pipes its ASCII output to a named pipe.
  5. syslog-ng is monitoring that named pipe and forwarding the data to Splunk.

HP-UX audits are binary files that require the "audisp" tool to view in ASCII so syslog-ng can't just tail the old audit files. We used syslog-ng rather than NFS mounts or secure copy scripts to place the ASCII output into Splunk.
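The syslog-ng side of this flow is not shown on the page. The following is an added example of a syslog-ng.conf.client fragment (not the original author's file) that reads the named pipe from step 4 and forwards each line to the log server; the log server name and port are assumptions.

```conf
# Added example, not the author's syslog-ng.conf.client.
# Reads the ASCII audisp output that audit-log-rotate.sh writes into the
# named pipe and forwards it to the log server in front of Splunk.

source s_hpux_audit {
    # The fifo created with "mkfifo /var/.audit/log_data"
    pipe("/var/.audit/log_data");
};

destination d_logserver {
    # Assumed log server and port; replace with your own
    tcp("logserver.example.com" port(514));
};

log {
    source(s_hpux_audit);
    destination(d_logserver);
};
```

Because a fifo writer blocks until something has the pipe open for reading, syslog-ng must be running before the cron job fires, or audit-log-rotate.sh will hang at the audisp step. Lines read from the pipe carry no syslog header, so syslog-ng stamps them with the local time and host name before forwarding.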

Here are some general steps.

  • Make backup copies of:
      /etc/syslog-ng.conf --> no need to back this one up; it should be a symbolic link to syslog-ng.conf.client
      /etc/syslog-ng.conf.client
      /root/bin/audit-log-rotate.sh
  • Copy syslog-ng.conf.client into /etc/
  • Symbolically link syslog-ng.conf.client to syslog-ng.conf:
      ln -s syslog-ng.conf.client syslog-ng.conf
  • Make a named pipe in /var/.audit/:
      mkfifo ./log_data
  • Start/restart syslog-ng:
      /sbin/init.d/syslog-ng restart
  • Update the audit flags in real time:
      audevent <your flags>
  • Update /etc/rc.config.d/auditing with these flags:
      AUDEVENT_ARGS1="<your flags>"
  • Copy audit-log-rotate.sh into /root/bin/
  • Update crontab

xx is the minute of every hour at which this script will execute. Please offset it across hosts so as not to kill Splunk.

xx * * * * ( /root/bin/audit-log-rotate.sh 2>&1 | /usr/bin/mailx -s "Audit logs rotated and compressed on `/usr/bin/uname -n`" root@localhost )

The actual script we use on our HP-UX 11.23 servers.
This may not work in all situations! Be careful! You have been warned!
Things you can tune in the script: $ROLLTIME in audit-log-rotate.sh can be reduced to remove logs from disk sooner.


#!/bin/sh
# audit-log-rotate.sh: switch the HP-UX audit trail to a new file, export the
# finished trail through audisp into the syslog-ng named pipe, then compress it.
HOST=`uname -n`
NOW=$(date +"%Y-%m-%d-%H:%M")

FIND=/usr/bin/find
LOGDIR=/var/.audit
# Named pipe that syslog-ng is reading
PIPE=${LOGDIR}/log_data
# Remove local log copy after this many days
ROLLTIME=7

#
# switch the audit files
#
PRI=${NOW}.${HOST}.audtrail-pri
#ALT=${NOW}.${HOST}.audtrail-sec

#
# rotate the logs to this new file
#
audsys -c ${LOGDIR}/${PRI} -s 4096 \
       -x ${LOGDIR}/${PRI} -z 4096

cd $LOGDIR || exit 1

#
# remove empty logs
# find all zero-byte files, except for the new log file, then remove them
#
$FIND . -type f -size 0c | grep -Ev "$PRI" | xargs rm -f

#
# remove files that are not audtrails
# find all files whose name does not contain "audtrail" and remove them
# (the named pipe is not a regular file, so -type f leaves it alone)
#
$FIND . -type f ! -name "*audtrail*" | xargs rm -f

#
# Export audits into syslog
# find all files that are not compressed and not the current log,
# audisp them to the named pipe that syslog-ng is reading
#
$FIND . -type f ! -name "*.Z" | grep -Ev "$PRI" | xargs /usr/sbin/audisp > $PIPE

#
# Compress logs
# find files that don't have a .Z ending and are not the current log
#
$FIND . -type f ! -name "*.Z" | grep -Ev "$PRI" | xargs compress
if [ $? != 0 ]
then
    exit 1
fi

#
# Delete old logs (disabled by default)
# find files not modified in the last $ROLLTIME days,
# ensure the current log is not part of that list, then remove them
#
#$FIND . -type f -mtime +$ROLLTIME | grep -Ev "$PRI" | xargs rm -f


Jasonnadeau 12:26, 24 July 2009 (PDT)
