HP NonStop SSH Reference Manual Monitoring and Auditing • 283
$SSH49|22Dec10 15:43:07|172.16.123.103:1831: wronguser@172.16.123.103 authentication
failed (method none): System user 'wronguser' does not exist.
The following shows an audit message for a user trying to access the system with an existing user name, yet with an
invalid public key:
$SSH49|23Dec10 15:57:23|172.16.123.110:3945: comf.us@172.16.123.110 terminated session
$SSH49|23Dec10 15:57:23|172.16.123.110:3945: comf.us@172.16.123.110 authentication
denied (method publickey): authentication aborted by client.
The following shows an audit message for a user trying to access the system with an existing user name that is frozen:
$SSH49|23Dec10 17:16:07|172.16.123.110:1708: comf.us@172.16.123.110 authentication
failed (method none): User is frozen.
The following shows an audit message for a user trying to access a file for which his SYSTEM-USER has no access
rights:
$SSH49|23Dec10 17:22:42|172.16.123.110:1303(COMF.US): comf.us@172.16.123.110 open
/tmp/secret/file (mode read) failed (error 4013)
Destinations for Audit Messages
Similar as with log messages, the SSH2 component can send audit messages to three destinations:
• a file configured with the AUDITFILE parameter
• a device configured with the AUDITCONSOLE parameter
• a collector configured with the AUDITEMS parameter
By default, the SSH2 component does not write audit messages at all. It is possible to audit to one or more destinations at
the same time.
Note that audit messages do not have a "level" as log messages have, auditing is either turned on to a destination or it is
not.
See the section "Log File/Audit File Rollover" for information on how to assess the content of an audit file.
Customizing the Audit Format
SSH2 allows users to customize certain aspects of the appearance of audit messages. Using the AUDITFORMAT
parameter, you can add the current date to the log message header. Please refer to the AUDITFORMAT parameter
description for details.
Audit Reports
No tool is provided with SSH2 to create audit reports. However, given the simple format of the audit messages, any tool
with sufficient text filtering capabilities can be used to create reports.
Using OSS to look at the audit file (see section "Viewing File Contents from OSS"), it is possible to create flexible
reports with brief commands. If you need help in doing so, please contact the HP or comForte support team, depending
on which product you are using.
List of Audit Messages
The following table shows the complete list of audit messages as created from release 89 on.
Note: Not all audit event variations (with different conditions) are currently used but may be in the future. Token values
can be empty. Audit event pattern can change in the future.
To Next Page
Loading...
Need help?
General