Hi Zoran,

The syslog is running but not into a file. When I make the necessary changes to syslog.conf, syslog messages can show their events in the SP (like SU_login). But this is not what I want; events like login_with_Administrative_privileges didn't show up (like someone doing telnet and accessing as root). The only way I can do it is by using C2 audit. Doing the C2 audit is really a big hassle as there's another file to keep track of for its size.

I already patched the system according to the article.

Best regards,
Kwan

--- Zoran Hrvoic <[EMAIL PROTECTED]> wrote:
> Hello,
>
> AFAIK, you can't run any UNIX ServerSensor without syslog.
>
> From the Server Sensor Installation Guide (RS_SvrSensor_IG_7.0.pdf):
> "... for UNIX sensors, you must enable syslog logging before any syslog
> based signatures can work (many non-network based signatures rely on
> the syslog)".
>
> You should also check the KB article #2902.
>
> Zoran
>
> ----- Original Message -----
> From: "Kwan Chee Kin" <[EMAIL PROTECTED]>
> To: "Zoran Hrvoic" <[EMAIL PROTECTED]>; <[email protected]>
> Sent: Wednesday, March 16, 2005 3:20 PM
> Subject: Re: [ISSForum] AIX Server Sensor Not Working
>
> Hi,
> I'm not using any Syslog.
>
> Kwan
>
> --- Zoran Hrvoic <[EMAIL PROTECTED]> wrote:
> > I had a similar issue a few years ago with AIX OS Sensor.
> > Then the problem was trivial: the syslog daemon had been writing to
> > the "/var/log/syslog.log" file, and the sensor expected the log in
> > "/var/log/syslog".
> > Check what your syslog output file is, and whether it is the same file
> > the sensor is expecting.
> >
> > Zoran
> >
> > ----- Original Message -----
> > From: "Kwan Chee Kin" <[EMAIL PROTECTED]>
> > To: "Andres Riancho" <[EMAIL PROTECTED]>; <[email protected]>
> > Sent: Saturday, March 12, 2005 10:24 AM
> > Subject: Re: [ISSForum] AIX Server Sensor Not Working
> >
> > Hi,
> >
> > Yes, I did try with another policy. It still won't work. I did not
> > install the network monitoring component, so I don't think that will
> > work, will it? I'm trying to get the auditing part to work.
> >
> > Thanks.
> >
> > Best regards,
> > Kwan Chee Kin
> >
> > --- Andres Riancho <[EMAIL PROTECTED]> wrote:
> > > Have you tried with another policy? Maybe you could try to enable
> > > the event HTTP_GET for testing.
> > >
> > > Cheers,
> > >
> > > Andres Riancho
> > >
> > > ----- Original Message -----
> > > From: "Kwan Chee Kin" <[EMAIL PROTECTED]>
> > > To: <[email protected]>
> > > Sent: Thursday, March 10, 2005 7:32 AM
> > > Subject: [ISSForum] AIX Server Sensor Not Working
> > >
> > > > Hi,
> > > > I installed RS Server Sensor 7 on both AIX and Windows. I got the
> > > > Sensors on both platforms communicating to the Site Protector 5. I
> > > > applied the default Attack_And_Audit_Policy into the Sensors. Then
> > > > I tried to test the audit part of this policy by trying a brute
> > > > force login to the Sensors.
> > > >
> > > > The Windows platform sensors show me the events like I expected,
> > > > but the AIX did not even show anything. There is not even an event
> > > > showing 'root' access to the system.
> > > >
> > > > I verified the Sensors are Active. Then I verified that the
> > > > enforce audit policy is turned on in each AIX sensor and that
> > > > Auditing in OS for the policy is checked.
> > > >
> > > > What could be the problem? Has anyone bumped into such a problem
> > > > before?
> > > > Will AIX sensors show me anything in the events, like telnet login?
> > > > Does anyone know any diagnostic tool I can use to check whether the
> > > > AIX sensor is working or not?
> > > >
> > > > Appreciate any comment.
> > > > Thank you.
> > > >
> > > > Best regards,
> > > > Kwan CK
> > > >
> > > > _______________________________________________
> > > > ISSForum mailing list
> > > > [email protected]
> > > >
> > > > TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
> > > > https://atla-mm1.iss.net/mailman/listinfo/issforum
> > > >
> > > > To contact the ISSForum Moderator, send email to [EMAIL PROTECTED]
> > > >
> > > > The ISSForum mailing list is hosted and managed by Internet Security
> > > > Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
>
> === message truncated ===
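The mismatch Zoran describes (the syslog daemon writing to one file while the sensor reads another) is easy to miss by eye in a long syslog.conf. The script below is an added example, not code from the thread or from ISS: it parses a syslog.conf, lists every file destination, and reports whether the facility a host sensor depends on actually reaches the file the sensor reads. The expected path /var/log/syslog, the auth facility, and the sample syslog.conf it writes are assumptions made for the demonstration; point it at a real file with `sh check_syslog_dest.sh /etc/syslog.conf`.

```shell
#!/bin/sh
# Added example (not from the ISSForum thread or ISS): check that a
# syslog.conf routes a given facility into the file a host sensor reads.
# Hypothetical assumptions: the sensor reads /var/log/syslog and relies
# on the auth facility. The sample syslog.conf below is constructed to
# mirror the thread's mismatch (daemon -> syslog.log, sensor <- syslog).

# write_sample_conf FILE  -- constructed sample, not a real host's config
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample: login/su records land in a file the sensor never reads
auth,authpriv.info      /var/log/syslog.log
*.err                   /var/log/messages
*.debug;mail.none       /dev/console
EOF
}

# syslog_destinations CONF
# Prints "selector<TAB>path" for every rule whose action is a file path,
# skipping comments and blank lines (one rule per line; no continuations).
syslog_destinations() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        $NF ~ /^\// { print $1 "\t" $NF }
    ' "$1"
}

# facility_reaches_file CONF FACILITY FILE
# Returns 0 when some rule writes FACILITY to FILE, 1 otherwise.
# Selectors on one line are evaluated left to right so that a later
# "facility.none" excludes what an earlier "*.level" included.
facility_reaches_file() {
    syslog_destinations "$1" | awk -F'\t' -v fac="$2" -v file="$3" '
        $2 == file {
            hit = 0
            n = split($1, sels, ";")
            for (i = 1; i <= n; i++) {
                split(sels[i], fp, ".")          # fp[1]=facilities fp[2]=priority
                m = split(fp[1], facs, ",")
                for (j = 1; j <= m; j++)
                    if (facs[j] == "*" || facs[j] == fac)
                        hit = (fp[2] != "none")
            }
            if (hit) found = 1
        }
        END { exit found ? 0 : 1 }
    '
}

# main [CONF]  -- with no argument, demonstrates on the constructed sample
main() {
    conf=${1:-}
    made=0
    if [ -z "$conf" ]; then
        conf=$(mktemp) || exit 1
        made=1
        write_sample_conf "$conf"
    fi
    expected=/var/log/syslog          # assumed sensor input file
    if facility_reaches_file "$conf" auth "$expected"; then
        echo "OK: auth messages reach $expected"
    else
        echo "MISMATCH: no rule routes auth messages to $expected"
        echo "file destinations configured in $conf:"
        syslog_destinations "$conf" | awk -F'\t' '{ print "  " $2 "  (" $1 ")" }' | sort -u
    fi
    [ "$made" -eq 1 ] && rm -f "$conf"
    return 0
}

main "$@"
```

On the constructed sample the script reports a MISMATCH and lists /var/log/syslog.log as the only destination receiving auth records, which is exactly the situation Zoran hit: fixing it means either pointing the syslog.conf rule at the file the sensor expects or reconfiguring the sensor's input path, then restarting syslogd.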
