Unix Auditing and Reporting
Unix systems are popular in many organizations, and auditing the syslogs of the Unix systems can provide important information on the events in your network. This information will help you decide on various administrative and security actions. Auditing Unix systems involves:
- Monitoring all Unix system logons and logoffs.
- Tracking all changes to user accounts and groups.
- Staying aware of all instances when a removable device is plugged into or taken out of your network.
- Tracking all sudo command executions.
- Monitoring Unix mail and FTP servers for actions performed, errors, and more.
- Learning of any potential security threats so you can preempt them.
- Identifying all events occurring at each severity level, including critical events.
- Tracking several other events such as session connections, NFS mounts, and more.
Auditing Unix systems gives you complete control over the security and management of your network. But, it is not that simple. You can instead use EventLog Analyzer, a comprehensive syslog management solution, to maintain a secure Unix system.
Auditing Unix Systems with EventLog Analyzer
- Complete Unix log management and auditing.
- Monitor Unix processes, user activity, mail servers, and more.
- Over 100 predefined reports exclusively for Unix systems, including server errors, server usage, and security reports.
- Customize, schedule, and export reports as needed and even define custom reports.
- Reports are provided in graph, list, and table formats, and you can easily pull up the plain-text log information from any report entry.
- Receive instant email or SMS notifications for all events you want to track in real time.
- The correlation feature provides a device of customizable rules to alert you when specific events occur in sequence.
- The logs are securely archived and easily searchable with the product-flexible log forensics feature.
Unix Logon and Logoff Reports
- Track all logons and logoffs, including individual methods for logging on such as SU, SSH, and FTP logons.
- Overview and top N reports summarize information and present the users and devices with the most frequent logon
User logons | SU logons | SSH logons | FTP or SFTP logons | Logon overview | Top logons based on user | Top logons based on device | Top logons based on remote device | Top Unix logon method | Logon trend | User logoffs | SU logoffs | SSH logoffs | FTP or SFTP logoffs | Logoff overview
Unix Failed Logon Reports
- View a list of all failed logons.
- Top N reports reveal the users whose logon attempts fail most frequently.
- Identify users with multiple consecutive authentication failures.
- Identify remote devices generating the highest number of failed logon attempts.
User failed logons | SU failed logons | SSH failed logons | FTP or SFTP failed logons | Failed logons overview | Top failed logons based on user | Top failed logons based on device | Top failed logons based on remote device | Top failed logon methods | Failed logon trends | Repeated authentication failures | Invalid user logon attempts | Unsuccessful logon failures with long password | Repeated logon failure based on remote device | Repeated authentication failures based on remote device
- Discover all user accounts and groups that have been added, removed, or renamed.
- Identify failed password changes and newly added users.
- Learn the user account management tasks that occur most frequently.
Added user accounts | Deleted user accounts | Renamed user accounts | Groups added | Groups deleted | Groups renamed | Password changes | Failed password changes | Failed user additions | Top Unix account management events
Unix removable disk auditing
- Audit the use of removable devices on your Unix systems.
- Learn the details of each time a removable device is plugged into or taken out of the network.
USB plugged in | USB taken out
- View details of all successful and failed sudo command executions.
- Identify the most frequently attempted sudo commands.
SUDO command executions | Failed SUDO command executions | Top SUDO command executions | Top failed SUDO command executions
- Obtain an overview of the email server usage pattern and view the trends associated with emails sent and received.
- Identify the users and remote devices sending and receiving the most email.
- Discover the domains that send, receive, or reject the most email.
- Track errors such as mailbox unavailable, insufficient storage, bad sequence of commands, and more.
- Discover the errors that occur most frequently.
Emails sent overview | Emails received overview | Top emails sent based on sender | Top emails sent based on remote device | Top emails received from remote devices | Top sender domain | Top recipient domain | Trend report on emails sent | Trend report on emails received | Top emails rejected based on sender | Top receivers who rejected emails | Top email rejection errors | Top rejected domains | Emails rejected overview | Mailbox unavailable | Insufficient storage | Bad sequence of commands | Bad email Address | Nonexistent email address on remote side | Top email errors | Top email errors based on sender | Failed email deliveries
- Discover potential security concerns so you can proactively prevent them.
- Identify errors that do not need corrected.
Reverse lookup errors | Bad deviceConfig errors | Bad ISP errors | Invalid connection remote device | Denial of service attack
Unix NFS Events
- Obtain details for all successful and denied NFS mounts.
- Identify the users and remote devices with the highest number of denied NFS mounts.
Successful NFS mounts | Refused NFS mounts | Denied NFS mounts based on users | Top successful NFS mounts based on remote device | Top refused NFS mounts based on remote device.
Unix other Events
- Identify services that have been deactivated.
- View details of sessions that have been connected and disconnected.
- Stay aware of any timeouts during the logging process.
- Track mismatched errors in device names or addresses.
Connection aborted by a software | Receive identification string | Session connected | Session disconnected | Deactivated services | Unsupported protocol version | Timeout while logging | Failed updates | deviceName mismatch error | deviceAddress mismatch error
Unix FTP Server Reports
- Obtain details for all file downloads and uploads.
- View details for timeouts that occur during logon, data transfer, idle sessions, and connections.
- Identify users and remote devices who perform the highest number of FTP operations.
File downloads | File uploads | Data transfer stall timeouts | Logon timeouts | Session idle timeouts | No transfer timeouts | Connection timeouts | FTP reports overview | Top FTP operations based on user | Top FTP operations based on remote device
- Track important system events such as the stopping and restarting of syslog service, low disk space, and executions of the yum command.
Syslog service stopped | Syslog service restarted | Low disk space | System shutdown | Yum installs | Yum updates | Yum uninstalls
- View events logged at each severity level, from emergency to debug.
Emergency events | Alert events | Critical events | Error events | Warning events | Notice events | Information events | Debug events
Unix Critical Reports
- View critical events based on the event, device, or remote device responsible for generation.
- A trend report is provided to uncover patterns in the occurrence of critical events.
Criticality level of events | Critical reports based on event | Critical events based on device | Critical events based on remote device | Critical event trends | Critical events overview