Sorry for the delay; I was at Defcon and didn't dare log in to reply.
> How are the users connecting; ssh or telnet ? AFAIK on HP-UX SSH logins are
> recorded to syslog as PAM events.
They typically connect via various remote programs; however, there's
one particular application that requires a l
How are the users connecting; ssh or telnet ? AFAIK on HP-UX SSH logins are
recorded to syslog as PAM events.
--
Thanks, Phil
----- Original Message -----
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Aug 1, 2011, at 6:55 PM, Alisha Kloc wrote:
> > Unfortunately, we can't make any ch
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Aug 1, 2011, at 6:55 PM, Alisha Kloc wrote:
> Unfortunately, we can't make any changes to the HP-UX system, which
> means no cron jobs, no clearing logs, etc. All we're allowed to touch
> is OSSEC agent stuff. Within that, I have some flexibility if
On Tue, 2 Aug 2011 08:08:58 -0700 (PDT), Alisha Kloc wrote:
> If I could, that's exactly how I'd do it. Unfortunately, like I said,
> we are not allowed to clear the logs on these systems - they have to
> remain there locally. We can't do anything except read them.
> Believe me, I'd love to be able to u
If I could, that's exactly how I'd do it. Unfortunately, like I said,
we are not allowed to clear the logs on these systems - they have to
remain there locally. We can't do anything except read them.
Believe me, I'd love to be able to use your suggestion, because it
would solve this whole issue ve
On 08/01/2011 05:55 PM, Alisha Kloc wrote:
> Unfortunately, we can't make any changes to the HP-UX system, which
> means no cron jobs, no clearing logs, etc. All we're allowed to touch
> is OSSEC agent stuff. Within that, I have some flexibility if I use
> the process monitor to call a simple shell scri
On Aug 1, 1:35 pm, Michael Starks wrote:
>
> We probably didn't solve that in any elegant way. There was nothing
> like check_diff available in OSSEC at the time.
Huh. The reason it's a problem for us is because if we just spit last
to a syslog, we get new alerts on old logins (if user1 has logge
On Mon, 1 Aug 2011 12:54:24 -0700 (PDT), Alisha Kloc wrote:
> Hi Michael,
> Hmm, sounds a lot like what we're trying to do. How did you get around
> the fact that "last" spits out all entries in wtmp, not just newly-
> added ones?
We probably didn't solve that in any elegant way. There was nothing
Hi Michael,
Hmm, sounds a lot like what we're trying to do. How did you get around
the fact that "last" spits out all entries in wtmp, not just newly-
added ones?
That's our biggest sticking point; wtmp gets very long very quickly
and we don't need old entries, just new ones since the last check.
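One way to report only the wtmp entries added since the previous check, as an added example that is not code from anyone in this thread: a snapshot of the previous `last` output is kept under the OSSEC agent tree (that path and the OSSEC_STATE variable are assumptions) and compared against the current run, so nothing on the monitored system is written or cleared.

```shell
#!/bin/sh
# Added example, not code from anyone in this thread. Prints only the "last"
# records that were absent at the previous run, so each login alerts once.
# It never touches wtmp or syslog; the only write is a snapshot kept under
# the OSSEC agent tree (that path is an assumption; override with OSSEC_STATE).
# Assumes "last" prints one record per line, ending with a blank line and a
# "wtmp begins ..." footer.
STATE="${OSSEC_STATE:-/var/ossec/var/last.seen}"

# new_logins CURRENT_FILE STATE_FILE
#   Prints records of CURRENT_FILE not present in STATE_FILE, then replaces
#   STATE_FILE with CURRENT_FILE. With no state yet it only seeds the snapshot,
#   so the first run does not alert on the whole wtmp history.
#   Limitation: a record identical to an old one (same user, tty, host and
#   timestamp) is treated as already seen.
new_logins() {
    cur="$1" state="$2"
    if [ ! -f "$state" ]; then
        cp "$cur" "$state"
        return 0
    fi
    # -F fixed strings, -x whole line, -v keep lines NOT in the snapshot.
    # grep exits 1 when nothing is new, which is not an error here.
    grep -vxF -f "$state" "$cur" \
        | grep -v '^wtmp begins' | grep -v '^[[:space:]]*$' || true
    cp "$cur" "$state"
}

# Constructed sample records (not real HP-UX output) for the demo and tests.
REC_BOB='bob    pts/1  10.0.0.7  Sun Jul 31 22:40 - 23:05  (00:25)'
REC_ALICE='alice  pts/0  10.0.0.5  Mon Aug  1 09:12   still logged in'
FOOTER='wtmp begins Fri Jul  1 00:00'

# write_last FILE RECORD... : fake one "last" run with the given records
write_last() {
    f="$1"; shift
    printf '%s\n' "$@" '' "$FOOTER" > "$f"
}

demo() {
    d=$(mktemp -d)
    write_last "$d/run1" "$REC_BOB"
    new_logins "$d/run1" "$d/seen"               # seeds state, prints nothing
    write_last "$d/run2" "$REC_ALICE" "$REC_BOB"
    new_logins "$d/run2" "$d/seen"               # prints only alice's record
    rm -rf "$d"
}

# Real use from the OSSEC process monitor: last > "$tmp"; new_logins "$tmp" "$STATE"
demo
```

The process monitor only has to run `last` into a temporary file and call `new_logins`; whatever the function prints is the set of logins not seen at the previous check.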