
Providing auditd logs from OS Linux

alexey_chinyaev

Good afternoon, Colleagues.

I decided to connect OS Linux Audit logs to the ETD system (2.0 sp04). The connection was made according to the instructions: it sends logs from the OS to the rsyslog service (ver. 8.2106.0).

In ETD the logs arrive as Unrecognized; this is what I see in SherLog:

  • <182>2023-07-27T12:42:05.440189+05:00 sapServerHostName etd_audit_log type=CRED_REFR msg=audit(1690443721.691:108832): pid=32561 uid=0 auid=1001 ses=12458 subj==unconfined msg='op=PAM:setcred grantors=pam_rootok acct="lpar2rrd" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
  • <182>2023-07-27T12:42:05.440198+05:00 sapServerHostName etd_audit_log type=USER_END msg=audit(1690443725.111:108834): pid=32461 uid=0 auid=1001 ses=12457 subj==unconfined msg='op=PAM:session_close grantors=pam_loginuid,pam_systemd,pam_limits,pam_unix,pam_umask,pam_gnome_keyring,pam_env acct="lpar2rrd" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'

The built-in Audit Log parser does not run to parse the logs. Maybe there is some undocumented feature that would make the built-in parser work? Or do I need to do something additionally with the sending format?
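The SherLog lines above are plain auditd records wrapped in a syslog header (`<PRI>`, ISO timestamp, host, the custom tag `etd_audit_log`, then the `type=... msg=audit(...)` payload). The following parser is an added example, not code from the post or from SAP ETD; it makes no claim about what ETD's built-in Audit Log parser expects. It splits the syslog framing, decodes the PRI value, parses the auditd key=value fields (including the nested PAM `msg='...'` sub-record) and summarizes a small feed, which is a useful sanity check on what rsyslog is actually delivering before blaming the downstream parser. The first two sample lines are the post's own (with extraction spacing normalized); the third (a failed SSH authentication) and fourth (a non-audit line) are constructed for the example.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Syslog framing as seen in the SherLog output: <PRI>TIMESTAMP HOST TAG payload
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<tag>\S+)\s+(?P<payload>.*)$"
)
# auditd record header: type=NAME msg=audit(EPOCH.MSEC:SERIAL): rest-of-record
AUDIT_RE = re.compile(
    r"^type=(?P<type>\S+)\s+msg=audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
# key=value tokens; a value is single-quoted, double-quoted or bare (up to whitespace)
KV_RE = re.compile(r"(?P<key>[A-Za-z0-9_-]+)=(?P<val>'[^']*'|\"[^\"]*\"|\S*)")

# Sample feed: lines 1-2 are from the post, lines 3-4 are constructed for this example.
SAMPLE_LINES = [
    "<182>2023-07-27T12:42:05.440189+05:00 sapServerHostName etd_audit_log type=CRED_REFR "
    "msg=audit(1690443721.691:108832): pid=32561 uid=0 auid=1001 ses=12458 subj==unconfined "
    "msg='op=PAM:setcred grantors=pam_rootok acct=\"lpar2rrd\" exe=\"/usr/sbin/cron\" "
    "hostname=? addr=? terminal=cron res=success'",
    "<182>2023-07-27T12:42:05.440198+05:00 sapServerHostName etd_audit_log type=USER_END "
    "msg=audit(1690443725.111:108834): pid=32461 uid=0 auid=1001 ses=12457 subj==unconfined "
    "msg='op=PAM:session_close grantors=pam_loginuid,pam_systemd,pam_limits,pam_unix,pam_umask,"
    "pam_gnome_keyring,pam_env acct=\"lpar2rrd\" exe=\"/usr/sbin/cron\" hostname=? addr=? "
    "terminal=cron res=success'",
    # constructed: a failed PAM authentication over SSH (documentation address 192.0.2.10)
    "<182>2023-07-27T12:45:00.000000+05:00 sapServerHostName etd_audit_log type=USER_AUTH "
    "msg=audit(1690443900.000:108900): pid=33000 uid=0 auid=4294967295 ses=4294967295 "
    "subj==unconfined msg='op=PAM:authentication grantors=? acct=\"alice\" exe=\"/usr/sbin/sshd\" "
    "hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=failed'",
    # constructed: a line under the same tag that is not an auditd record at all
    "<182>2023-07-27T12:45:01.000000+05:00 sapServerHostName etd_audit_log some free text",
]


def parse_kv(text: str) -> Dict[str, str]:
    """Split an auditd field string into a dict, stripping surrounding quotes."""
    fields: Dict[str, str] = {}
    for m in KV_RE.finditer(text):
        val = m.group("val")
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "'\"":
            val = val[1:-1]
        # 'subj==unconfined' yields key 'subj' with value '=unconfined'; the doubled
        # '=' appears verbatim in the post's lines, so it is kept as part of the value.
        fields[m.group("key")] = val
    return fields


def parse_audit_record(payload: str) -> Optional[dict]:
    """Parse 'type=... msg=audit(epoch:serial): k=v ...' into a structured record."""
    m = AUDIT_RE.match(payload)
    if not m:
        return None
    fields = parse_kv(m.group("body"))
    # PAM records carry a nested msg='op=... res=...' sub-record; flatten it into fields.
    nested = fields.pop("msg", None)
    if nested is not None:
        fields.update(parse_kv(nested))
    return {
        "type": m.group("type"),
        "epoch": float(m.group("epoch")),
        "serial": int(m.group("serial")),
        "fields": fields,
    }


def parse_syslog_line(line: str) -> Optional[dict]:
    """Strip the syslog header, decode PRI into facility/severity, parse the payload."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri"))
    return {
        "facility": pri >> 3,  # <182> -> facility 22 (local6)
        "severity": pri & 7,   # <182> -> severity 6 (info)
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "tag": m.group("tag"),
        "audit": parse_audit_record(m.group("payload")),
    }


def summarize(lines: List[str]) -> dict:
    """Count records per audit type, collect PAM failures and count unparseable lines."""
    by_type: Counter = Counter()
    failures = []
    unparsed = 0
    for line in lines:
        rec = parse_syslog_line(line)
        if rec is None or rec["audit"] is None:
            unparsed += 1
            continue
        audit = rec["audit"]
        by_type[audit["type"]] += 1
        if audit["fields"].get("res") == "failed":
            failures.append((audit["type"], audit["fields"].get("acct"), audit["fields"].get("exe")))
    return {"by_type": by_type, "failures": failures, "unparsed": unparsed}


if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
```

Running the module prints the per-type counts, the one failed authentication and the one unparsed line. The `unparsed` counter is the field to watch on a live feed: a non-zero value means rsyslog is forwarding lines under the audit tag that are not auditd records (or that the framing differs from what the regexes assume), which is exactly the kind of mismatch that leaves a downstream product classifying the events as unrecognized.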

Answers (0)