We just recently added a few HP_UX boxes to our Envision setup. When I go to the event viewer, I can see numerous events coming in, including services restarting, users logging on/off, super user activity, ftp activity, etc.
However, I cannot seem to get any of this data to come out in a report. The canned reports always show no data, and I can't seem to create a report or query to even find where this data is being stored. I've tried all of the Unix categories among others with no success.
Has anyone here ever configured reporting for HP_UX boxes or any other Unix flavours? If so, which table did you query?
Thanks in advance.
So are you saying that _all_ of the HPUX messages are unknown? If so, use the sendunknown message process with support to spin up the effort to get this resolved. It might be as simple as a header or configuration issue that has misaligned all the message formats. Support should be able to tell relatively quickly.
The easiest way to know if all of the messages are unknown is to graph events by type (I prefer event categories) in the event viewer.
I recently sent a number of HPUX unknown messages to RSA also. In our case, syslog messages seem to come in an unexpected format with an oddball number attached to the action... e.g. "su: + tty?? root-xxxx". I'm told that RSA is working on it. Best I can tell it's HPUX versions 11.11 and 11.23 for us that are troublesome.
If you have followed the sendunknownmessages process and have a case number already for these issues, then the expectation is an 8 week turnaround time to get the updated XMLs into your hands. What is nice is that these will be backwards compatible, so your previously unknown messages will become known. If 8 weeks is too long for you, you need to involve your account team so that they can reach out internally to see if any extra 'love' can be applied to the case numbers.
We're seeing the same thing. In addition to the "+ tty??" we're also seeing just a number. Haven't run a sendunknownmessages yet, but we will here shortly.
Aug 28 12:07:01 su: + tty?? root-orabtr
Aug 28 12:30:07 su: + 5 operator-admadm
Aug 28 12:38:39 su: + 3 dclever-root
Aug 28 11:08:36 su: + 1 sebarltr-oracle
Aug 28 14:13:35 su: + 0 mdtarr-ad1adm
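A parser that accepts both variants of the su lines quoted above (a "tty??" terminal field and a bare number) and sets aside anything it cannot parse for review. This is an added example, not part of any post in the thread and not Envision's own parsing logic. It assumes "+" and "-" are the usual su log success/failure flags, that a hostname may optionally precede "su:", and that the source user name contains no hyphen; the function names are hypothetical.

```python
import re

# Constructed input: the first two lines are quoted from the thread; the last
# two are constructed variants (a failed attempt and an unrecognized format).
SAMPLES = [
    "Aug 28 12:07:01 su: + tty?? root-orabtr",
    "Aug 28 12:30:07 su: + 5 operator-admadm",
    "Aug 28 12:38:39 su: - 3 dclever-root",
    "Aug 28 12:40:00 su: something unexpected",
]

# The terminal field is any non-space token, so "tty??" and "5" both match.
# Assumptions: optional hostname before "su:", no hyphen in the source user.
SU_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s+"
    r"(?:(?P<host>\S+)\s+)?su:\s+"
    r"(?P<flag>[+-])\s+(?P<term>\S+)\s+"
    r"(?P<src>[^\s-]+)-(?P<dst>\S+)$"
)

def parse_su(line):
    """Return a normalized event dict, or None if the line does not match."""
    m = SU_RE.match(line.strip())
    if m is None:
        return None
    return {
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "outcome": "success" if m.group("flag") == "+" else "failure",
        "terminal": m.group("term"),
        "from_user": m.group("src"),
        "to_user": m.group("dst"),
    }

def triage(lines):
    """Split lines into parsed events and unparsed leftovers for review."""
    events, unknown = [], []
    for line in lines:
        event = parse_su(line)
        if event is None:
            unknown.append(line)
        else:
            events.append(event)
    return events, unknown

if __name__ == "__main__":
    parsed, leftovers = triage(SAMPLES)
    for event in parsed:
        print(event)
    print("unparsed:", leftovers)
```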
We also recently added a few HP-UX boxes to our Envision server, and I noticed something interesting ... despite my pleas to the contrary, our Unix sys admins still use telnet on a regular basis to log into these devices. I was trying to report on failed login attempts, and though Envision gets it right when it comes to failed ssh attempts, it seems to classify the failed telnet attempts as successful.
00022:02 login: pam_authenticate: error No account present for user 2009-07-08 16:40:55.0 10.5.78.213 borah.dsd.fmcna.com HP_UX / FreeBSD UNIX 0 0 0 5 0 0 0 0 0 0 1401060000 User.Activity.Successful Logins 2009-01-01 00:00:00.0
That just doesn't seem right to me ...
Anyone else having issues w/ HP-UX? The behavior seems to be the same across a couple different versions of the OS, too.