HP3000-L Archives

July 2001, Week 1

HP3000-L@RAVEN.UTC.EDU

From: Tom Emerson <[log in to unmask]>
Date: Mon, 2 Jul 2001 13:12:10 -0400

On Mon, 2 Jul 2001 12:32:27 -0400, Steve Murphy
<[log in to unmask]> wrote:

>I know there are several system log file scanners available.  I am looking
>for one to satisfy our internal auditors.  We would like to scan the system
>log file for invalid login attempts, bad passwords, all logins to Telesup,
>etc.  If we could then get this report emailed to our site admins, this
>would be great.  I have Jobrescue and Electropage and have thought about
>using them.
>
>Any ideas are welcome.

I suppose this can qualify as a <plug> since it is for a commercial product
[although I no longer work for them]:

VEsoft's VEAUDIT package has some logfile reporting capability when coupled
with MPEX [actually, I think there is a way to do it "standalone", but most
likely you'll have MPEX if you have VEAUDIT... ;) ]

Here is a sample job that does basically what you want [report bad logons
via e-mail] however this is reporting errors generated specifically by
Security/3000  (we're not logging logon events since these are logged by
Security/3000 in its own log file, however see below for a corresponding
VEAUDIT LISTLOG CONSOLE, which does show the console messages which can
include logon errors...)
-----
!job SECMONTR,manager.sys,pub;outclass=,1
::SETVAR YESTERDAY STRWRITE(TODAY-1:'MM/DD/YY')
!mpex
%nomsg purge badlogns
%sec listlog opviolation and date={yesterday} >badlogns
%save badlogns
insendfl.cmd BADLOGNS,[log in to unmask],&
"Security violations for today",[log in to unmask]
%exit
!eoj
-----
"insendfl" is a command file I've built that takes parameters as follows:

H:[TOM]/EMERSON/WORK>insendfl
Usage:
INSENDFL [file-to-send], recipient@address, [subject], [sender], [sender's alias], [reply-to]

and a sample of the output:
                    VESOFT SECURITY/3000 LOG FILE   PAGE 1
     SYSTEM HERON   SECMONTR,MANAGER.SYS,PUB   MON, JUL  2, 2001,  7:00 AM

 TYPE :  DATE    TIME  DEV LOGON                      TARGET USER/VIOLATN TYPE

Violat: 1JUL01  7:46AM 193 TINAT,SL.CCV               BAD PASSWORD
Violat: 1JUL01  3:48PM 185 ANNM,SL.CCV                BAD PASSWORD
Violat: 1JUL01  3:49PM 185 ANNM,SL.CCV                BAD PASSWORD
Violat: 1JUL01  3:49PM 185 ANNM,SL.CCV                BAD PASSWORD
   [note: this is three attempts during the same logon -- tom]

A corresponding VEAUDIT LISTLOG CONSOLE, limited to "security" related
messages looks like this:
H:[TOM]/EMERSON/WORK>veaudit listlog console @.@;search=(issecmessage)
              %LISTLOG CONSOLE @.@;search=(issecmessage)   PAGE 1
         SYSTEM HERON   TOM.EMERSON,WORK   MON, JUL  2, 2001, 10:00 AM

--DATE-- -TIME- -JOBID-  MESSAGE

01/06/30  8:01a #S55     FROM/SL.CCV/VESOFT SECURITY: BAD PASSWORD on LDEV 196
01/07/01  1:43p          MISSING ACCOUNT NAME FOR "CINDY,MANAGER.DE30000," ON LDEV #185. (js 10)
01/07/01  3:49p #S162    FROM/SL.CCV/VESOFT SECURITY: BAD PASSWORD on LDEV 185
01/07/02 12:10a #S185    FROM/MANAGER.DE3000/VESOFT SECURITY: BAD PASSWORD on LDEV 202
01/07/02  6:40a          MISSING ACCOUNT NAME FOR "ROXZB,CS.CCB," ON LDEV #199. (js 10)
01/07/02  6:40a          MISSING ACCOUNT NAME FOR "ROXZB.CS,CCV" ON LDEV #199. (js 10)
01/07/02  8:01a #S230    FROM/SL.CCV/VESOFT SECURITY: BAD PASSWORD on LDEV 228
01/07/02  8:30a #S240    FROM/MGR.CCV/VESOFT SECURITY: TIMEOUT ON PASSWORD on LDEV 279
01/07/02  9:21a #S248    FROM/SL.CCV/VESOFT SECURITY: BAD PASSWORD on LDEV 291

As you can see, even just the "console" messages report can show a good
deal of information regarding failed logon attempts.

Tom

(oh, yeah, </plug>)
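As an added example that is not part of Tom's post and not VEsoft code: a small Python scanner for the two line shapes shown in the listings above (the VEAUDIT LISTLOG CONSOLE lines, including MPE's own MISSING ACCOUNT NAME message, and the SEC LISTLOG OPVIOLATION "Violat:" lines). It extracts each failed logon as an event, totals them by reason, and flags any account that fails repeatedly on one LDEV inside a short window, the pattern visible in the three ANNM,SL.CCV attempts. The sample lines are constructed after the post's listings; the threshold, window and function names are this example's own choices.

```python
"""Scan MPE logon-failure report lines and flag repeated failures.

Added example, not code from the post or from VEsoft. Sample input is
constructed after the listings in the post; the 3-in-10-minutes rule,
the function names and the normalisation are this example's assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# VEAUDIT LISTLOG CONSOLE line: "YY/MM/DD  H:MMa #S230    MESSAGE" (job id optional)
CONSOLE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{2})\s+(?P<time>\d{1,2}:\d{2}[ap])\s+"
    r"(?:(?P<job>#[SJ]\d+)\s+)?(?P<msg>.+?)\s*$")
# Security/3000 console message: "FROM/SL.CCV/VESOFT SECURITY: BAD PASSWORD on LDEV 228"
VESOFT_RE = re.compile(
    r"FROM/(?P<logon>\S+)/VESOFT SECURITY: (?P<reason>.+?) on LDEV (?P<ldev>\d+)")
# MPE's own message: 'MISSING ACCOUNT NAME FOR "CINDY,MANAGER.DE30000," ON LDEV #185. (js 10)'
MPE_RE = re.compile(
    r'MISSING ACCOUNT NAME FOR "(?P<logon>[^"]*)" ON LDEV #(?P<ldev>\d+)')
# SEC LISTLOG OPVIOLATION line: "Violat: 1JUL01  3:49PM 185 ANNM,SL.CCV   BAD PASSWORD"
VIOLAT_RE = re.compile(
    r"^Violat:\s+(?P<date>\d{1,2}[A-Z]{3}\d{2})\s+(?P<time>\d{1,2}:\d{2}[AP]M)"
    r"\s+(?P<ldev>\d+)\s+(?P<logon>\S+)\s+(?P<reason>.+?)\s*$")

# Constructed sample, shaped after the post's two listings (not a real log).
SAMPLE_LINES = """\
01/07/01  1:43p          MISSING ACCOUNT NAME FOR "CINDY,MANAGER.DE30000," ON LDEV #185. (js 10)
01/07/01  3:49p #S162    FROM/SL.CCV/VESOFT SECURITY: BAD PASSWORD on LDEV 185
01/07/02  8:01a #S230    FROM/SL.CCV/VESOFT SECURITY: BAD PASSWORD on LDEV 228
01/07/02  8:30a #S240    FROM/MGR.CCV/VESOFT SECURITY: TIMEOUT ON PASSWORD on LDEV 279
01/07/02  9:00a #S250    SOME OTHER CONSOLE MESSAGE
Violat: 1JUL01  3:48PM 185 ANNM,SL.CCV                BAD PASSWORD
Violat: 1JUL01  3:49PM 185 ANNM,SL.CCV                BAD PASSWORD
Violat: 1JUL01  3:49PM 185 ANNM,SL.CCV                BAD PASSWORD
""".splitlines()


def account_key(logon):
    """Drop the session name: 'ANNM,SL.CCV' -> 'SL.CCV',
    'CINDY,MANAGER.DE30000,' -> 'MANAGER.DE30000', 'SL.CCV' -> 'SL.CCV'."""
    parts = logon.split(",")
    return parts[1] if len(parts) > 1 and parts[1] else parts[0]


def parse_line(line):
    """Return an event dict for a failed-logon line, else None."""
    m = VIOLAT_RE.match(line)
    if m:
        when = datetime.strptime(m["date"] + " " + m["time"], "%d%b%y %I:%M%p")
        return {"when": when, "ldev": int(m["ldev"]), "logon": m["logon"],
                "reason": m["reason"], "source": "security3000"}
    m = CONSOLE_RE.match(line)
    if not m:
        return None
    # console time is "8:01a"/"12:10a"; add the "m" so %p can parse it
    when = datetime.strptime(m["date"] + " " + m["time"] + "m", "%y/%m/%d %I:%M%p")
    v = VESOFT_RE.search(m["msg"])
    if v:
        return {"when": when, "ldev": int(v["ldev"]), "logon": v["logon"],
                "reason": v["reason"], "source": "console"}
    v = MPE_RE.search(m["msg"])
    if v:
        return {"when": when, "ldev": int(v["ldev"]), "logon": v["logon"],
                "reason": "MISSING ACCOUNT NAME", "source": "console"}
    return None  # some other console message, not a logon failure


def scan(lines, threshold=3, window=timedelta(minutes=10)):
    """Parse lines; flag (source, account, ldev) with >= threshold failures
    inside `window`. The console log and the Security/3000 log record the
    same failures, so groups are kept per source rather than merged and
    counted twice."""
    events, skipped = [], 0
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            skipped += 1
        else:
            events.append(ev)
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["source"], account_key(ev["logon"]), ev["ldev"])].append(ev["when"])
    flagged = []
    for key, times in groups.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.append(key + (len(times),))
                break
    return {"events": events, "skipped": skipped,
            "by_reason": Counter(ev["reason"] for ev in events),
            "flagged": sorted(flagged)}


if __name__ == "__main__":
    result = scan(SAMPLE_LINES)
    print(dict(result["by_reason"]))
    for source, account, ldev, n in result["flagged"]:
        print(f"{source}: {n} failures for {account} on LDEV {ldev}")
```

The scanner is meant to run over the text the job above writes to its output file before it is mailed out; the flagged list is the part worth putting in the subject line, since a burst of bad passwords against one account on one LDEV is what an auditor actually wants pulled out of the noise.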

* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *
