Hi, folks,
I have been asked to implement keylogging on our Linux servers in such a way that we can search the logs and see who ran what command. Step 1 of that seems pretty straightforward: implement auditd. Since we already own SEM, it seemed like a slam dunk to feed the logs into SEM and have it parse them. We have duly configured auditd for maximum logging (and verified that audit.log contains the required data), installed the SEM agent, configured the Linux Sudo, Linux auditd, and Linux command connectors, and verified that SEM appears to be receiving the log data.
EDIT: I fixed an issue with our auditd config, so my previous message is no longer accurate. Now, what I'm seeing is that we get an entry with the following info:
Name: FileExecute
EVENT INFO: SYSCALL for "/bin/ls" succeeded
Unfortunately, one of the key pieces of data I want is buried in the inappropriately-named "ExtraneousInfo" field, which is only displayed when I click on the event. To wit, that's the field that contains the user and group ID fields. Is there a way to create a view or filter which displays the executing auid? Is there a way to map UIDs/GIDs to the associated names in /etc/passwd and /etc/group?
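As an added example (not part of the original post, and not SEM's own parsing), the script below does the two things asked for outside the SIEM: it pulls `auid`, `uid` and `gid` out of auditd SYSCALL records, joins each one to its EXECVE record by the serial number in `msg=audit(ts:serial)`, and resolves the numeric IDs to names using `/etc/passwd`- and `/etc/group`-style tables. The audit lines, passwd and group entries are constructed sample data, not real server output. The security-relevant point it illustrates is that `auid` (the login UID) survives `sudo` while `uid` becomes 0, so `auid` is the field that answers "who ran this"; `auid=4294967295` means the process has no login session (daemons, cron). On a real host, `ausearch -i` performs the same name interpretation natively.

```python
"""Extract auid/uid/gid from auditd records and map them to user/group names.

Added example with constructed sample data; the helper names below are
hypothetical and not part of auditd or SEM.
"""
import re
from typing import Dict, List, Optional

# Constructed audit.log lines. Record 4567: alice ran `ls /root` under sudo
# (auid stays 1001, uid becomes 0). Record 4575: cron, no login session.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.123:4567): arch=c000003e syscall=59 success=yes exit=0 a0=55d0 a1=55d1 a2=55d2 a3=0 items=2 ppid=1234 pid=1235 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="ls" exe="/bin/ls" key="exec"
type=EXECVE msg=audit(1700000000.123:4567): argc=2 a0="ls" a1="/root"
type=SYSCALL msg=audit(1700000005.456:4570): arch=c000003e syscall=59 success=yes exit=0 a0=55d0 a1=55d1 a2=55d2 a3=0 items=2 ppid=1234 pid=1240 auid=1002 uid=1002 gid=1002 euid=1002 suid=1002 fsuid=1002 egid=1002 sgid=1002 fsgid=1002 tty=pts1 ses=4 comm="cat" exe="/bin/cat" key="exec"
type=EXECVE msg=audit(1700000005.456:4570): argc=2 a0="cat" a1="/etc/hostname"
type=SYSCALL msg=audit(1700000009.789:4575): arch=c000003e syscall=59 success=yes exit=0 a0=55d0 a1=55d1 a2=55d2 a3=0 items=2 ppid=1 pid=1300 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" key="exec"
"""

# Constructed /etc/passwd and /etc/group fragments (name:x:id:...).
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nalice:x:1001:1001:Alice:/home/alice:/bin/bash\nbob:x:1002:1002:Bob:/home/bob:/bin/bash\n"
SAMPLE_GROUP = "root:x:0:\nalice:x:1001:\nbob:x:1002:\n"

UNSET_AUID = 4294967295  # (unsigned)-1: no login session owns this process

FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
MSG_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')
HEX_RE = re.compile(r'(?:[0-9A-F]{2})+')


def parse_fields(record: str) -> Dict[str, str]:
    """Split one audit record into key -> raw value (quotes kept)."""
    return {k: v for k, v in FIELD_RE.findall(record)}


def unquote(value: str) -> str:
    return value[1:-1] if len(value) >= 2 and value[0] == value[-1] == '"' else value


def decode_arg(value: str) -> str:
    """EXECVE args containing spaces or non-printables are hex-encoded, unquoted."""
    if value.startswith('"'):
        return unquote(value)
    if HEX_RE.fullmatch(value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value


def parse_idmap(text: str) -> Dict[int, str]:
    """Build {numeric id: name} from passwd- or group-style lines."""
    table: Dict[int, str] = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[2].isdigit():
            table[int(parts[2])] = parts[0]
    return table


def resolve(raw: Optional[str], table: Dict[int, str]) -> str:
    """Map a numeric id to a name; keep the number if unknown; flag unset auid."""
    if raw is None:
        return "?"
    num = int(raw)
    if num == UNSET_AUID:
        return "unset"
    return table.get(num, str(num))


def parse_exec_events(log_text: str, passwd_map: Dict[int, str],
                      group_map: Dict[int, str]) -> List[Dict[str, object]]:
    """Join SYSCALL and EXECVE records by serial and resolve ids to names."""
    syscalls: Dict[str, Dict[str, str]] = {}
    execves: Dict[str, Dict[str, str]] = {}
    order: List[str] = []
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        ts, serial = m.groups()
        fields = parse_fields(line)
        rtype = unquote(fields.get("type", ""))
        if rtype == "SYSCALL":
            fields["_ts"] = ts
            syscalls[serial] = fields
            order.append(serial)
        elif rtype == "EXECVE":  # very long argv can span several EXECVE records; not handled here
            execves[serial] = fields
    events: List[Dict[str, object]] = []
    for serial in order:
        sc, ex = syscalls[serial], execves.get(serial, {})
        argc = int(ex.get("argc", "0"))
        argv = [decode_arg(ex[f"a{i}"]) for i in range(argc) if f"a{i}" in ex]
        events.append({
            "serial": serial,
            "time": float(sc["_ts"]),
            "auid": resolve(sc.get("auid"), passwd_map),  # who logged in
            "uid": resolve(sc.get("uid"), passwd_map),    # who the command ran as
            "gid": resolve(sc.get("gid"), group_map),
            "exe": unquote(sc.get("exe", "")),
            "argv": argv,
            "success": unquote(sc.get("success", "")) == "yes",
        })
    return events


def format_event(ev: Dict[str, object]) -> str:
    return f"{ev['time']:.3f} auid={ev['auid']} uid={ev['uid']} gid={ev['gid']} {ev['exe']} {' '.join(ev['argv'])}"


if __name__ == "__main__":
    for ev in parse_exec_events(SAMPLE_AUDIT_LOG, parse_idmap(SAMPLE_PASSWD), parse_idmap(SAMPLE_GROUP)):
        print(format_event(ev))
```

Point `parse_exec_events` at the contents of `/var/log/audit/audit.log` and `parse_idmap` at `/etc/passwd` and `/etc/group` to run it against real data; the lookup tables must come from the host that wrote the log, since the same UID can name different accounts on different machines.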