On Mon, 2 Jul 2001 12:32:27 -0400, Steve Murphy
<[log in to unmask]> wrote:
>I know there are several system log file scanners available. I am looking
>for one to satisfy our internal auditors. We would like to scan the system
>log file for invalid login attempts, bad passwords, all logins to Telesup,
>etc. If we could then get this report emailed to our site admins, this
>would be great. I have Jobrescue and Electropage and have thought about
>using them.
>
>Any ideas are welcome.
I suppose this can qualify as a <plug> since it is for a commercial product
[although I no longer work for them]:
VEsoft's VEAUDIT package has some logfile reporting capability when coupled
with MPEX [actually, I think there is a way to do it "standalone", but most
likely you'll have MPEX if you have VEAUDIT... ;) ]
Here is a sample job that does basically what you want [report bad logons
via e-mail] however this is reporting errors generated specifically by
Security/3000 (we're not logging logon events since these are logged by
Security/3000 in its own log file, however see below for a corresponding
VEAUDIT LISTLOG CONSOLE, which does show the console messages which can
include logon errors...)
-----
!job SECMONTR,manager.sys,pub;outclass=,1
::SETVAR YESTERDAY STRWRITE(TODAY-1:'MM/DD/YY')
!mpex
%nomsg purge badlogns
%sec listlog opviolation and date={yesterday} >badlogns
%save badlogns
insendfl.cmd BADLOGNS,[log in to unmask],&
"Security violations for today",[log in to unmask]
%exit
!eoj
-----
"insendfl" is a command file I've built that takes parameters as follows:
H:[TOM]/EMERSON/WORK>insendfl
Usage:
INSENDFL [file-to-send], recipient@address, [subject], [sender], [sender's alias], [reply-to]
and a sample of the output:
VESOFT SECURITY/3000 LOG FILE                                   PAGE 1
SYSTEM HERON  SECMONTR,MANAGER.SYS,PUB  MON, JUL 2, 2001, 7:00 AM
TYPE  : DATE    TIME    DEV  LOGON         TARGET USER/VIOLATN TYPE
Violat: 1JUL01  7:46AM  193  TINAT,SL.CCV  BAD PASSWORD
Violat: 1JUL01  3:48PM  185  ANNM,SL.CCV   BAD PASSWORD
Violat: 1JUL01  3:49PM  185  ANNM,SL.CCV   BAD PASSWORD
Violat: 1JUL01  3:49PM  185  ANNM,SL.CCV   BAD PASSWORD
[note: this is three attempts during the same logon -- tom]
A corresponding VEAUDIT LISTLOG CONSOLE, limited to "security" related
messages looks like this:
H:[TOM]/EMERSON/WORK>veaudit listlog console @.@;search=(issecmessage)
%LISTLOG CONSOLE @.@;search=(issecmessage)                      PAGE 1
SYSTEM HERON  TOM.EMERSON,WORK  MON, JUL 2, 2001, 10:00 AM
--DATE-- -TIME- -JOBID- MESSAGE
01/06/30  8:01a #S55    FROM/SL.CCV/VESOFT SECURITY: BAD PASSWORD on LDEV 196
01/07/01  1:43p         MISSING ACCOUNT NAME FOR "CINDY,MANAGER.DE30000," ON LDEV #185. (js 10)
01/07/01  3:49p #S162   FROM/SL.CCV/VESOFT SECURITY: BAD PASSWORD on LDEV 185
01/07/02 12:10a #S185   FROM/MANAGER.DE3000/VESOFT SECURITY: BAD PASSWORD on LDEV 202
01/07/02  6:40a         MISSING ACCOUNT NAME FOR "ROXZB,CS.CCB," ON LDEV #199. (js 10)
01/07/02  6:40a         MISSING ACCOUNT NAME FOR "ROXZB.CS,CCV" ON LDEV #199. (js 10)
01/07/02  8:01a #S230   FROM/SL.CCV/VESOFT SECURITY: BAD PASSWORD on LDEV 228
01/07/02  8:30a #S240   FROM/MGR.CCV/VESOFT SECURITY: TIMEOUT ON PASSWORD on LDEV 279
01/07/02  9:21a #S248   FROM/SL.CCV/VESOFT SECURITY: BAD PASSWORD on LDEV 291
As you can see, even just the "console" messages report can show a good
deal of information regarding failed logon attempts.
Tom
(oh, yeah, </plug>]
* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *
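
For sites that post-process the e-mailed report before it reaches the auditors, the following is an added example; it is not part of the original post and is not VESOFT code. It parses violation rows in the layout of the sample Security/3000 report above (the column layout is an assumption inferred from those rows) and flags a logon/LDEV pair with repeated violations in a short window; the function names, threshold and window are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Rows copied from the sample Security/3000 report in the post above.
SAMPLE_REPORT = """\
Violat: 1JUL01 7:46AM 193 TINAT,SL.CCV BAD PASSWORD
Violat: 1JUL01 3:48PM 185 ANNM,SL.CCV BAD PASSWORD
Violat: 1JUL01 3:49PM 185 ANNM,SL.CCV BAD PASSWORD
Violat: 1JUL01 3:49PM 185 ANNM,SL.CCV BAD PASSWORD
"""

# Assumed layout, inferred from those rows:
# type, date, time, LDEV, logon, violation text.
ROW = re.compile(
    r"^Violat:\s+(?P<date>\d{1,2}[A-Z]{3}\d{2})\s+(?P<time>\d{1,2}:\d{2}[AP]M)\s+"
    r"(?P<dev>\d+)\s+(?P<logon>\S+)\s+(?P<violation>.+?)\s*$"
)

def parse_report(text):
    """Return one dict per violation row; headers and other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(m["date"] + " " + m["time"], "%d%b%y %I:%M%p")
        events.append({"when": when, "dev": int(m["dev"]),
                       "logon": m["logon"], "violation": m["violation"]})
    return events

def bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Flag (logon, LDEV) pairs with >= threshold violations inside one window."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["logon"], e["dev"])].append(e["when"])
    flagged = []
    for key, times in sorted(by_key.items()):
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.append((key[0], key[1], times[i]))
                break
    return flagged

if __name__ == "__main__":
    for logon, dev, first in bursts(parse_report(SAMPLE_REPORT)):
        print(f"{first:%Y-%m-%d %H:%M} LDEV {dev} {logon}: repeated violations")
```

A single mistyped password, such as the 7:46AM row, stays below the threshold and is not flagged.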