Scribd
Upload
1K views

EnVision Linux Log Shipping

Uploaded by

Florida Surf
Copyright
© Attribution Non-Commercial (BY-NC)
Available Formats
Download as PDF, TXT or read online on Scribd
1K views

EnVision Linux Log Shipping

Uploaded by

Florida Surf
Copyright
© Attribution Non-Commercial (BY-NC)
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 17

Linux RSA enVision Event Source Configuration Instructions and Release Notes

Last Modified: Monday, November 30, 2009 Event Source (Device) Product Information Vendor Event Source (Device) Supported Versions Redhat, Novell, Debian Linux Red Hat Enterprise Linux 3.x, 4.x, and 5.x Novell SuSE Linux Enterprise 9, 10, 10.2 Debian GNU/Linux 3.1 & 4.0 enVision Product Information 3.5.1 and higher rhlinux, 27 Syslog Host.UNIX NIC Collector Service

Version Event Source (Device) Type Collection Method Event Source (Device) Class.Subclass Service

This document contains the following information for the Linux event source:
q

Configuration Instructions Release Notes 20091125-130024 Release Notes 20091030-104516 Release Notes 20090827-162613 Release Notes 20090730-084003 Release Notes 20090626-073053 Release Notes 20090528-193449 Release Notes 20090504-151043 Release Notes 20090326-162742

Event Source Update

2009 RSA Security Inc. All rights reserved

Page 1 of 17

Release Notes 20090213-220350 Release Notes 20090105-081830 Release Notes 20081216-094150 Release Notes 20081113-094639 Release Notes 20080905-162314

Linux Configuration Instructions


The configuration instructions are broken down by your Linux vendor:
q q

Novell SuSE Linux Configuration Instructions All Other Linux Configuration Instructions

Also, to configure AuditD, see Configure AuditDon Red Hat Linux.

Novell SuSE 10.2 Configuration Instructions


You can use either UDP or TCP. Select the instructions that match the protocol you are using.

UDP
To configure SuSELinux using UDP: 1. On the Linux machine, log on as root. 2. Open /etc/syslog-ng/syslog-ng.conf.in for editing. 3. Add the following text at the end of the file:
# send everything to log host destination loghost { udp("xxx.xxx.xxx.xxx" port(yy)); }; log { source(src); destination(loghost); };

Where xxx.xxx.xxx.xxx is the IP address of the enVision appliance, and yy is the port number that enVision is listening on for incoming syslog messages. 4. Run the following commands:
SuSEconfig --module syslog-ng /etc/init.d/syslog start

TCP
Configuring TCP involves two steps:
q q

Configure enVision to accept Syslog in TCPpackets. Configure SuSE Linux to send Syslog in TCPpackets.

To configure enVision to accept Syslog in TCPpackets:

Event Source Update

2009 RSA Security Inc. All rights reserved

Page 2 of 17

1. Log onto enVision. 2. Select Overview > System Configuration > Services > Manage Collector Service. 3. Click on the name of your Site/Node displayed on the right window. 4. Expand the arrow at the end of the TCP Information line. 5. Enter the port number on which enVision will listen for TCP packets. 6. Click Add. 7. Enter the IP address of your SuSE device. 8. Click Apply. 9. Click Apply. To configure SuSE Linux 10.2 to send Syslog in TCPpackets: 1. On the Linux machine, log on as root. 2. Open /etc/syslog-ng/syslog-ng.conf.in for editing. 3. Add the following text at the end of the file:
# send everything to log host destination loghost { tcp("xxx.xxx.xxx.xxx" port(yy)); }; log { source(src); destination(loghost); };

Where xxx.xxx.xxx.xxx is the IP address of the enVision appliance, and yy is the port number that enVision is listening on for incoming syslog messages. 4. Run the following commands:
SuSEconfig --module syslog-ng /etc/init.d/syslog start

All Other Linux Configuration Instructions


To configure Linux: 1. On the Linux machine, open the /etc/ syslog.conf file in a text editor. 2. Add the following line, where xxx.xxx.xxx.xxx is the address for the enVision Collector appliance:
*.debug @xxx.xxx.xxx.xxx

Note: Changing this line causes the device to log all messages of debug level and higher to the syslog server. 3. Save the file, and close the text editor. 4. Restart the syslog service. One method to do this is via the console with the following command: service syslog restart

Configure AuditDon Red Hat Linux


For Red Hat Linux, you must configure AuditD. To configure AuditD for Red Hat version 4 and earlier:
Event Source Update 2009 RSA Security Inc. All rights reserved

Page 3 of 17

1. Edit /etc/init.d/auditd and comment out the following lines.


q

Change line 58. Before: daemon $prog "$EXTRAOPTIONS" After: #daemon $prog "$EXTRAOPTIONS" Change line 71. Before: killproc $prog After: #killproc $prog

2. Restart the auditd service. To configure AuditD for Red Hat version 5 and above: The auditd package includes a service dispatcher to syslog audit events. Install the package audispd-plugins. This creates a sample syslog config file located in /etc/audispd/plugins.d. Enable that method and restart the auditd service to log messages directly to syslog. 1. Install audispd-plugins. 2. Change the dispatcher attribute in /etc/audit/auditd.conf to /sbin/audispd. 3. Verify in /etc/syslog.conf that all logs are directed to the enVision appliance.

Linux Release Notes (20091125-130024) New and Changed Event Messages in Linux
For complete details on new and changed messages, see the Event Source Update Help.

Linux Release Notes (20091030-104516) What's New in This Release


RSAhas updated the list of supported versions of Red Hat Linux for this release.

New and Changed Event Messages in Linux


For complete details on new and changed messages, see the Event Source Update Help.

Linux Release Notes (20090827-162613) What's New in This Release


RSAhas updated the Configuration Instructions for this release.

New and Changed Event Messages in Linux


For complete details on new and changed messages, see the Event Source Update Help.

Linux Release Notes (20090730-084003)


Event Source Update 2009 RSA Security Inc. All rights reserved Page 4 of 17

New and Changed Event Messages in Linux


For complete details on new and changed messages, see the Event Source Update Help.

Linux Release Notes (20090626-073053) What's New in This Release


RSA updated support to version 10.2 for SuSE Linux. The configuration instructions were updated accordingly.

New and Changed Event Messages in Linux


The following new and updated messages have been incorporated into the event source message definitions for Linux. For complete details on new and changed messages, see the Event Source Update Help. Status NEW NEW NEW NEW NEW NEW NEW NEW NEW NEW NEW NEW NEW NEW NEW NEW NEW NEW NEW NEW NEW NEW NEW NEW NEW NEW NEW NEW NEW NEW NEW ID1 00041:02 03769 03765 00046:04 00046:05 00046:06 03767 03768 03766 100000:01 100000:02 100000:03 100000:04 100000:05 100000:06 100000:07 100000:08 100000:09 100000:10 100000:11 100000:12 100000:13 100000:14 100000:15 100002:01 100002:02 100002:03 100003:01 100003:02 100003:03 100004 ID2 chage remshd ssarembock useradd useradd useradd wbem bap cimservera shadow shadow shadow shadow shadow shadow shadow shadow shadow shadow shadow shadow shadow shadow shadow ifup-dhcp ifup-dhcp ifup-dhcp ifstatus-dhcp ifstatus-dhcp ifstatus-dhcp ifstatus-route Event Category ID 1402040100 1605000000 1401000000 1402020200 1402010301 1605000000 1401000000 1605000000 1605000000 1402010200 1402010301 1402010302 1402010100 1402010301 1402010302 1402010300 1402000000 1605000000 1402020100 1402010300 1402020300 1605000000 1402010200 1402000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 Event Category Name User.Management.Password.Modification System.Normal Conditions User.Activity User.Management.Users.Additions User.Management.Groups.Modifications.User Added System.Normal Conditions User.Activity System.Normal Conditions System.Normal Conditions User.Management.Groups.Additions User.Management.Groups.Modifications.User Added User.Management.Groups.Modifications.User Removed User.Management.Groups.Deletions User.Management.Groups.Modifications.User Added User.Management.Groups.Modifications.User Removed User.Management.Groups.Modifications User.Management System.Normal Conditions User.Management.Users.Deletions User.Management.Groups.Modifications User.Management.Users.Modifications System.Normal Conditions User.Management.Groups.Additions User.Management System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions

Event Source Update

2009 RSA Security Inc. All rights reserved

Page 5 of 17

Status NEW NEW NEW NEW NEW NEW UPDATED UPDATED UPDATED REMOVED REMOVED

ID1 100005 100006 100007 100008:01 100008:02 100009 00020:03 00020:19 00020:18 00818 03487

ID2 PAM-devperm ifprobe checkproc suse_register suse_register SAPinit sshd sshd sshd Audit System

Event Category ID 1603090000 1701000000 1603000000 1605020000 1605020000 1605000000 1401030000 1301000000 1401060000 1605010000 1605000000

Event Category Name System.Errors.Resources Config.Changes System.Errors System.Normal Conditions.Services System.Normal Conditions.Services System.Normal Conditions User.Activity.Failed Logins Auth.Failures User.Activity.Successful Logins System.Normal Conditions.Daemons System.Normal Conditions

Event Source Update

2009 RSA Security Inc. All rights reserved

Page 6 of 17

Linux Release Notes (20090528-193449) New Event Messages in Linux


The following new messages have been incorporated into the event source message definitions for Linux. ID1 03762 03762:01 03763 03763:01 03764 03764:01 01106 ID2 co.sapS01_DVEBMGS00 co.sapS01_DVEBMGS00 dw.sapS01_DVEBMGS00 dw.sapS01_DVEBMGS00 dw.sapS01_D00 dw.sapS01_D00 gdm-rh-security-token-helper Event Category ID 1801000000 1801000000 1801000000 1801000000 1801000000 1801000000 1605000000 Event Category Name Network.Connections Network.Connections Network.Connections Network.Connections Network.Connections Network.Connections System.Normal Conditions

Linux Release Notes (20090504-151043) New Event Messages in Linux


The following messages have been incorporated into the event source message definitions for Linux. ID1 01024:02 03708 03709 03754 03755 03756 03757 03681 01305 01304 01306 01066:01 03758 01300 01301 03699 00283:04 00283:02 00283:03 01307 01302 01303 03682 03684 03707 ID2 at (ntlm_auth) (sf_userinfo) hpmgmtbase hpseld init.crs jboss9 webasd queue MAIL MU pam_console_apply pbksh5.1.2-06 runmappers SAPSMD_98 ServeRAID SUDO SUDO SUDO User appqcime rhnmd clvmd aws_sadmin AXA_LAST Event Category ID 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605010000 1607000000 1207000000 1301000000 1605000000 1605000000 1607000000 1603110000 1605000000 1401050100 1401050100 1401050100 1301000000 1610000000 1610000000 1605000000 1605000000 1401050100 Event Category Name System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions.Daemons System.Unusual Activity Content.Email Auth.Failures System.Normal Conditions System.Normal Conditions System.Unusual Activity System.Errors.Services System.Normal Conditions User.Activity.Privileged Use.Successful User.Activity.Privileged Use.Successful User.Activity.Privileged Use.Successful Auth.Failures System.Startup System.Startup System.Normal Conditions System.Normal Conditions User.Activity.Privileged Use.Successful

Event Source Update

2009 RSA Security Inc. All rights reserved

Page 7 of 17

ID1 03686 03688 03689 03690 03691 03692 03693 03694 03695 03696 03697 03698 03700 03701 03702 03703 03706 03704 03705 03710 03683 03685 03711 03712 03713 03714 03715 03716 03717 03718 03719 03720 03721 03722 03723 03724 03725 03726 03727 03728 03729 03730 03731 03732 03733 03734

ID2 txdjrb atsmje8 LifeKeeper menush susanm pcusiman xenstored multipathd BLKTAPCTRL IBMtaped logrdr caiopr selogrd scsi_reserve libvirtd ATC_ASD_Query_Manager.exe casrvc dnsmasq etrust-ac(pam_unix) IBM richf netstat ConnectionManagerd wg_config ocmp.primary cimserverd ocmp.logger hpocnettl ocmp ocmpcluster ocmp.mgmtserver shcschedulerd nettl hpocmp-spawner hpocmp-clustermgt cmlocklund ocmp.secondary ocmp.spawner ocmp.clustermgr hpocsnmptrapd oclicsd ocmpadm locklund cmp.clustermgr cmp.spawner cmp.primary

Event Category ID 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000

Event Category Name System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions

Event Source Update

2009 RSA Security Inc. All rights reserved

Page 8 of 17

ID1 03735 03736 03737 03738 03739 03740 03741 03742 03743 03744 03745 03746 03747 03748 03749 03750 03751 03752 03753 03759 03760 03761

ID2 cmp.logger M-jboss2 pbrun5.1.2-06 pblocald5.1.2-06 cmruncl cmhaltserv cmsrvassistd CM-jboss2 cmrunserv cmlockd cmnetd cmdisklockd CM-jboss1 kdump pbmasterd5.1.2-06 pblogd5.1.2-06 pam_access cmhaltcl bpjava-msvc gillmerr pipesa vasd

Event Category ID 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000

Event Category Name System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions

Event Source Update

2009 RSA Security Inc. All rights reserved

Page 9 of 17

Linux Release Notes (20090326-162742) New Event Messages in Linux


The following messages have been incorporated into the event source message definitions for Linux. ID1 00966:01 00967:01 03661 03662 03663 03664 03665 03666 03667 03668 03669 03670 03671 03672 03673 00926:03 00926:04 03658 03659 03660 03674 03675 03676 03677 03678 03679 03680 ID2 inbound-mta/cleanup inbound-mta/smtpd PAR outbound-mta/smtpd delivery-mta/smtpd delivery-mta/smtp outbound-mta/cleanup outbound-mta/qmgr delivery-mta/cleanup delivery-mta/qmgr outbound-mta/smtp outbound-mta/anvil inbound-mta/qmgr inbound-mta/smtp inbound-mta/anvil stunnel stunnel dsm_om_connsvc32d omauth rpcsvcgssd iw.rules iw.server iwod60 iwaccess iwodadmin webserver01 hpasmlited Event Category ID 1603000000 1603000000 1605000000 1603000000 1603000000 1603000000 1603000000 1603000000 1603000000 1603000000 1603000000 1603000000 1603000000 1603000000 1603000000 1603000000 1603000000 1603000000 1603000000 1603000000 1605010000 1605010000 1605010000 1605010000 1605010000 1605010000 1605000000 Event Category Name System.Errors System.Errors System.Normal Conditions System.Errors System.Errors System.Errors System.Errors System.Errors System.Errors System.Errors System.Errors System.Errors System.Errors System.Errors System.Errors System.Errors System.Errors System.Errors System.Errors System.Errors System.Normal Conditions.Daemons System.Normal Conditions.Daemons System.Normal Conditions.Daemons System.Normal Conditions.Daemons System.Normal Conditions.Daemons System.Normal Conditions.Daemons System.Normal Conditions

Linux Release Notes (20090213-220350) New Event Messages in Linux


The following messages have been incorporated into the event source message definitions for Linux. ID1 03437 03437 03627 03628 03628:01 ID2 NORIDIAN-ACM-CUSTOM NORIDIAN-ACM-CUSTOM BKG SYS SYS Event Category ID 1605000000 1605000000 1301000000 1605000000 1605000000 Event Category Name System.Normal Conditions System.Normal Conditions Auth.Failures System.Normal Conditions System.Normal Conditions

Event Source Update

2009 RSA Security Inc. All rights reserved

Page 10 of 17

ID1 03629 03630 03628:02 03631 03628:03 03632 03628:04 03628:05 03633 03634 03635 03636 03637 03638 03639 03640 03641 03642 03643 03644 03645 03646 03647 03648 03649 03650 03651 03652 03653 03654 03655 03656 03657

ID2 3909 adm SYS seosd SYS genunix SYS SYS Use rootnex Rev. pcipsy ebus hme seoswd sepmdpull Subscriber seload Starting pseudo uxwdog qla2300 pci_pci ip-msgd /usr/lib/nfs/nfsd ake_sec_data_conf coda ip-rmtd sws.efshttpd tictimed vxdmp vshelld cgi_pam

Event Category ID 1605000000 1602020000 1605020000 1602020000 1605000000 1605000000 1605020000 1605020000 1608000000 1605000000 1608000000 1603010000 1605000000 1605000000 1001030000 1401000000 1608000000 1001030000 1608000000 1603010000 1603110000 1603010000 1603010000 1603010000 1803020000 1608000000 1603010100 1605000000 1605000000 1605000000 1605000000 1605000000 1301020000

Event Category Name System.Normal Conditions System.Accounting.Errors System.Normal Conditions.Services System.Accounting.Errors System.Normal Conditions System.Normal Conditions System.Normal Conditions.Services System.Normal Conditions.Services System.License System.Normal Conditions System.License System.Errors.Hardware System.Normal Conditions System.Normal Conditions Attacks.Access.Informational User.Activity System.License Attacks.Access.Informational System.License System.Errors.Hardware System.Errors.Services System.Errors.Hardware System.Errors.Hardware System.Errors.Hardware Network.Denied Connections.Protocol System.License System.Errors.Hardware.Disk System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions Auth.Failures.User Errors

Linux Release Notes (20090105-081830) New Event Messages in Linux


The following messages have been incorporated into the event source message definitions for Linux. ID1 00021:35 02553:02 03600 03601 03603 03604 ID2 su pyseekd make_sec_data_conf DomSX ubroker qip-netd Event Category ID 1301000000 1603000000 1605000000 1605000000 1605000000 1605000000 Event Category Name Auth.Failures System.Errors System.Normal.Conditions System.Normal.Conditions System.Normal.Conditions System.Normal.Conditions

Event Source Update

2009 RSA Security Inc. All rights reserved

Page 11 of 17

ID1 03605 03606 03607 03608 03609 03610 03612 03613 03614 03615 03616 03617 03618 03619 03620 03621 03622 03623 03624 03625 03626

ID2 qip-rmtd qip-msgd qip-ssltd /var/opt/universal/log ldirectord jk_chrootsh lpr vland rhdb tomcat4 bb afasnmpd BackupExpressNibbler liftmachine ultraseek jembossctl atalk qpage atalkd Administrator OTRS-GenericAgent-10

Event Category ID 1605000000 1605000000 1605000000 1605010000 1605000000 1605000000 1605000000 1603000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000

Event Category Name System.Normal.Conditions System.Normal.Conditions System.Normal.Conditions System.Normal Conditions.Daemons System.Normal.Conditions System.Normal.Conditions System.Normal.Conditions System.Errors System.Normal.Conditions System.Normal.Conditions System.Normal.Conditions System.Normal.Conditions System.Normal.Conditions System.Normal.Conditions System.Normal.Conditions System.Normal.Conditions System.Normal.Conditions System.Normal.Conditions System.Normal.Conditions System.Normal.Conditions System.Normal.Conditions

Linux Release Notes (20081216-094150) New Event Messages in Linux


The following messages have been incorporated into the event source message definitions for Linux. ID1 00020:03 00020:13 00021:30 00021:31 00021:32 00021:33 00021:34 00041:02 00062:02 00062:04 00630:02 00630:03 00720:03 00836:01 00841:10 00899:04 01315:01 02543:04 sshd sshd su su su su su chage PAM_pwdb PAM_pwdb imapd-ssl imapd-ssl AcsWeb adl_session boks_sshd pgp/admin gdmgreeter ssh-mgmt-agent ID2 Event Category ID 1401030000 1801020000 1801000000 1801000000 1801000000 1301000000 1801000000 1603000000 1605000000 1603000000 1801000000 1801000000 1603000000 1603000000 1603000000 1603000000 1603000000 1605000000 Event Category Name User.Activity.Failed Logins Network.Connections Network.Connections Network.Connections Network.Connections Auth.Failures Network.Connections System.Errors System.Normal Conditions System.Errors Network.Connections Network.Connections System.Errors System.Errors System.Errors System.Errors System.Errors System.Normal Conditions

Event Source Update

2009 RSA Security Inc. All rights reserved

Page 12 of 17

ID1 02543:05 02543:06 02543:07 02543:08 02781:01 03466:01 03466:02 03466:03 03466:04 03466:05 03466:06 03466:07 03466:08 03466:09 03466:10 03478:01 03496:01 03496:02 03503:01 03510:01 03510:02 03510:03 03512:01 03512:02 03512:03 03521:01 03521:02 03521:03 03525:01 03525:02 03525:03 1039 1219 1248 1252 1258 1260 1282 1283 20 2566 2769 2770 2771 2772 2773 2774

ID2 ssh-mgmt-agent ssh-mgmt-agent ssh-mgmt-agent ssh-mgmt-agent mydns sm_serviced sm_serviced sm_serviced sm_serviced sm_serviced sm_serviced sm_serviced sm_serviced sm_serviced sm_serviced sysconfig pamauth pamauth uvservd cpwmd cpwmd cpwmd ssh-mgmt-engine ssh-mgmt-engine ssh-mgmt-engine nas nas nas saned saned saned kcheckpass imap(pam_unix) mgd Central ftp(pam_unix) passwd(pam_unix) : KERN_ARP_ADDR_CHANGE sshd tcsh salinfod %ORACLE-1-116 %ORACLE-1-3 %ORACLE-1-7 %ORACLE-1-2 %ORACLE-1-50

Event Category ID 1801010000 1801000000 1603000000 1605000000 1605010000 1605000000 1603110000 1603110000 1603050000 1605020000 1605020000 1605020000 1605020000 1605020000 1605000000 1605030000 1605010000 1605010000 1605010000 1303000000 1303000000 1302000000 1605000000 1801010000 1613040200 1401010000 1401010000 1605000000 1603000000 1605000000 1605000000 1301020000 1603000000 1603000000 1603000000 1603000000 1603000000 1603000000 1603000000 1401030000 1605000000 1605010000 1605020000 1605020000 1605020000 1605020000 1605020000

Event Category Name Network.Connections Network.Connections System.Errors System.Normal Conditions System.Normal Conditions.Daemons System.Normal Conditions System.Errors.Services System.Errors.Services System.Errors.Command Failures System.Normal Conditions.Services System.Normal Conditions.Services System.Normal Conditions.Services System.Normal Conditions.Services System.Normal Conditions.Services System.Normal Conditions System.Normal Conditions.Config System.Normal Conditions.Daemons System.Normal Conditions.Daemons System.Normal Conditions.Daemons Auth.Errors Auth.Errors Auth.Successful System.Normal Conditions Network.Connections System.Crypto.Key.Manipulation User.Activity.File Access User.Activity.File Access System.Normal Conditions System.Errors System.Normal Conditions System.Normal Conditions Auth.Failures.User Errors System.Errors System.Errors System.Errors System.Errors System.Errors System.Errors System.Errors User.Activity.Failed Logins System.Normal Conditions System.Normal Conditions.Daemons System.Normal Conditions.Services System.Normal Conditions.Services System.Normal Conditions.Services System.Normal Conditions.Services System.Normal Conditions.Services

Event Source Update

2009 RSA Security Inc. All rights reserved

Page 13 of 17

ID1 2775 2776 2777 2778 2779 2780 2781 2782 2783 2784 2785 3411 3412 3413 3414 3416 3417 3419 3420 3421 3423 3424 3425 3426 3427 3428 3429 3430 3431 3432 3433 3434 3435 3436 3437 3438 3439 3440 3441 3442 3443 3444 3445 3446 3447 3448

ID2 %ORACLE-1-ALTER %ORACLE-1-100 %ORACLE-1-101 resin ACESERVER6.1 samhain mydns iwssd OVODATA VASDATA SERDATA mgd mgd mgd mgd mgd mgd rpd EPM.Upgrade EPM.Upgrade DM DM NM nl tftpd DOSProt cm.sys netTool.sntp HAL.Card HAL.Sys vlan.msgs vlan.msgs NORIDIAN-ACM-CUSTOM NORIDIAN-ACM-CUSTOM NORIDIAN-ACM-CUSTOM archived auditd bootvpnt ccsd ciscosec csaadapt csaadapt csaadapt csaadapt csaadapt cyrus-imapd

Event Category ID 1605020000 1605020000 1605020000 1605010000 1605010000 1605010000 1801010000 1605010000 1605000000 1605000000 1605000000 1302000000 1401060000 1401070000 1605000000 1605000000 1605000000 1605000000 1802000000 1802000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1603000000 1801010000 1605000000 1605000000 1801020000 1801030000 1605000000 1605000000 1605000000 1605000000 1603000000 1605000000 1605000000 1605000000 1605000000 1603000000 1603000000 1603000000 1605000000 1605000000

Event Category Name System.Normal Conditions.Services System.Normal Conditions.Services System.Normal Conditions.Services System.Normal Conditions.Daemons System.Normal Conditions.Daemons System.Normal Conditions.Daemons Network.Connections System.Normal Conditions.Daemons System.Normal Conditions System.Normal Conditions System.Normal Conditions Auth.Successful User.Activity.Successful Logins User.Activity.Logoff System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions Network.Connections Network.Connections System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Errors Network.Connections System.Normal Conditions System.Normal Conditions Network.Connections Network.Connections System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Errors System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Errors System.Errors System.Errors System.Normal Conditions System.Normal Conditions

Event Source Update

2009 RSA Security Inc. All rights reserved

Page 14 of 17

ID1 3449 3450 3451 3452 3453 3454 3455 3456 3457 3458 3459 3460 3461 3462 3463 3464 3465 3466 3475 3476 3477 3478 3479 3480 3481 3482 3483 3484 3486 3487 3488 3489 3490 3491 3492 3494 3495 3496 3497 3498 3499 3500 3501 3502 3503 3504

ID2 dmctl exim exim exim ftp gfs imaps lock_gulmd lock_gulmd_LT000 lock_gulmd_LTPX lock_gulmd_core lpstat pool pop3s s3500.boot sm_adapter sm_adapter sm_serviced snapshot splx_splxmain sxfftpd sysconfig truecontrol tsm nss_ldap nss_ldap nss_ldap DM exim System pam_ldap sxfftpd sxfftpd btmp wtmp arprobe SnareDispatchHelper pamauth SnareDispatcher BESClient-6.0.29.06 HMC l2tpd /etc/ppp/ip-up.d/freeswan SQLAnywhere(ssh-mgmt) uvservd cacao_suexec

Event Category ID 1603000000 1301020000 1605000000 1605000000 1803030000 1605000000 1301020000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 1603000000 1605000000 1605000000 1605000000 1605000000 1603000000 1801020000 1701010000 1605000000 1605000000 1801000000 1801000000 1801000000 1605000000 1603000000 1605000000 1301000000 1801000000 1801000000 1603000000 1603000000 1605010000 1603110000 1301000000 1605010000 1605010000 1605010000 1605000000 1605000000 1605010000 1605010000 1605010000

Event Category Name System.Errors Auth.Failures.User Errors System.Normal Conditions System.Normal Conditions Network.Connections System.Normal Conditions Auth.Failures.User Errors System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Errors System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Normal Conditions System.Errors Network.Connections Config.Changes.Add System.Normal Conditions System.Normal Conditions Network.Connections Network.Connections Network.Connections System.Normal Conditions System.Errors System.Normal Conditions Auth.Failures Network.Connections Network.Connections System.Errors System.Errors System.Normal Conditions.Daemons System.Errors.Services Auth.Failures System.Normal Conditions.Daemons System.Normal Conditions.Daemons System.Normal Conditions.Daemons System.Normal Conditions System.Normal Conditions System.Normal Conditions.Daemons System.Normal Conditions.Daemons System.Normal Conditions.Daemons

Event Source Update

2009 RSA Security Inc. All rights reserved

Page 15 of 17

ID1 3505 3506 3507 3508 3509 3510 3511 3512 3513 3514 3515 3516 3518 3520 3521 3523 3524 3525

ID2 cpwebui /etc/ppp/ip-down.d/freeswan WAS5_Agent slapcat %REDHAT3_AUDITLOG-4 cpwmd smcconsole ssh-mgmt-engine SQLAnywhere(nb_artemi-pc) nbSendEmailReport nbCaptureAudioClip nbAlertMgr rpc.idmapd kooka nas scanimage xsane saned

Event Category ID 1401050200 1605000000 1605000000 1703000000 1605010000 1301000000 1302000000 1605000000 1605010000 1605010000 1605010000 1605010000 1401010000 1603000000 1401010000 1603000000 1603000000 1603000000

Event Category Name User.Activity.Privileged Use.Denied System.Normal Conditions System.Normal Conditions Config.Errors System.Normal Conditions.Daemons Auth.Failures Auth.Successful System.Normal Conditions System.Normal Conditions.Daemons System.Normal Conditions.Daemons System.Normal Conditions.Daemons System.Normal Conditions.Daemons User.Activity.File Access System.Errors User.Activity.File Access System.Errors System.Errors System.Errors

Linux Release Notes (20081113-094639) New Event Messages in Linux


The following messages have been incorporated into the event source message definitions for Linux. ID1 02740 02742 02743 02744 02745 02746 02747 02746:01 02747:01 02748 02746:02 02749 02750 02751 02752 02753 02754 02755 02756 02757 02758 ID2 LAST10 pam_timestamp_check gateconex IPOSipgw IPOSgw hcd i2c-piix4.o hcd i2c-piix4.o reset. hcd i2c-core.o i2c-proc.o dmi_scan.o Found w83781d.o tolah calltech mmilbour onq mscholes Event Category ID 1605000000 1605000000 1605000000 1605000000 1605000000 1605020000 1601000000 1611000000 1601000000 1605000000 1610000000 1605000000 1605000000 1605000000 1605010000 1605000000 1605000000 1605000000 1605000000 1605000000 1605000000 Event Category Name System.Normal.Conditions System.Normal.Conditions System.Normal.Conditions System.Normal.Conditions System.Normal.Conditions System.Normal.Conditions.Services System.Failures System.Shutdown System.Failures System.Normal.Conditions System.Startup System.Normal.Conditions System.Normal.Conditions System.Normal.Conditions System.Normal Conditions.Daemons System.Normal.Conditions System.Normal.Conditions System.Normal.Conditions System.Normal.Conditions System.Normal.Conditions System.Normal.Conditions

Event Source Update

2009 RSA Security Inc. All rights reserved

Page 16 of 17

ID1 02759 02760 02761 02762 dhenders dcarswel gstaffor mcarbone

ID2

Event Category ID 1605000000 1605000000 1605000000 1605000000

Event Category Name System.Normal.Conditions System.Normal.Conditions System.Normal.Conditions System.Normal.Conditions

Linux Release Notes (20080905-162314) Whats New in this Release


RSA fixed known issues that existed in enVision's support of the Linux event source.

Event Source Update

2009 RSA Security Inc. All rights reserved

Page 17 of 17

You might also like