Have you tried the auditd connector? That level of auditing is not turned on by default in Linux, so you might have to check out your Linux man pages to set that up, but the connector should pick that stuff up once you have it logging on the Linux side.
If you don't already have the sudo connector configured, you might want to set that one up too. This one tracks authentication events like the PAM connector does, but you might be able to get something more/different if it's of interest.
Let me know if that helps, and I'll KB it.
I do also have the auditd connector set up. Right now it basically shows everything as InternalNewToolData. Then in ExtraneousInfo it will show something like USER AUTH or USER ROLE CHANGE, etc.
I also have sudo set up. This works well, but in the Alert Name it usually shows up as File Execute. I haven't tried, but I could maybe set up a filter to grab those unique commands, but it's a lot nicer having the Alert Name say something specific to what I am doing so I can run reports or grab the data a little easier.
I am new to both LEM and Linux so I am still trying to grasp everything. I am just trying to find out the best ways to log all the data that is required. So I will take any input.
I believe there might be a case open to update the connectors. #315533 just FYI.
Also the case open for this FEATURE REQUEST is #317345.
I was supposed to put that somewhere but I forgot until now.
Yeah...if you're seeing the InternalNewToolData alerts, the connector update case is the next step. The feature request case is good too in case the updated connector doesn't get you what you need.
Thanks for the suggestions.
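
As an added example (not part of the thread and not SolarWinds connector code), the sketch below parses raw auditd records and assigns each record type, such as the USER_AUTH and USER_ROLE_CHANGE types mentioned above, a descriptive name instead of one generic bucket. The name mapping and the sample log lines are constructed for illustration.

```python
import re

# Illustrative type-to-name mapping (an assumption, not LEM's own alert names).
ALERT_NAMES = {
    "USER_AUTH": "User Authentication",
    "USER_ROLE_CHANGE": "User Role Change",
    "USER_CMD": "Privileged Command",
}
HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+)\.\d+:(\d+)\): (.*)$")
FIELD = re.compile(r'([\w-]+)=("[^"]*"|\S+)')

def parse_record(line):
    """Parse one audit.log line into a dict, or return None if it is not a record."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rtype, epoch, serial, body = m.groups()
    fields = {}
    # User-space records nest their details in msg='...'; turn the quotes into
    # spaces so the inner key=value pairs parse like the outer ones.
    for key, val in FIELD.findall(body.replace("'", " ")):
        if val.startswith('"'):
            val = val[1:-1]
        elif key == "cmd" and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", val):
            # auditd hex-encodes values it cannot quote safely (e.g. with spaces)
            val = bytes.fromhex(val).decode("utf-8", "replace")
        fields[key] = val
    return {"alert": ALERT_NAMES.get(rtype, "Unmapped (%s)" % rtype),
            "type": rtype, "event_id": int(serial), "time": int(epoch),
            "result": fields.get("res"), "fields": fields}

# Constructed sample records in auditd's log format (not taken from the thread).
SAMPLE = """\
type=USER_AUTH msg=audit(1700000000.101:501): pid=2101 uid=0 auid=1000 ses=3 msg='op=PAM:authentication acct="alice" exe="/usr/bin/sudo" hostname=? addr=? terminal=pts/0 res=success'
type=USER_CMD msg=audit(1700000001.202:502): pid=2101 uid=1000 auid=1000 ses=3 msg='cwd="/home/alice" cmd=636174202F6574632F736861646F77 terminal=pts/0 res=success'
type=USER_ROLE_CHANGE msg=audit(1700000002.303:503): pid=2200 uid=0 auid=1000 ses=4 msg='pam: default-context=user_u:user_r:user_t:s0 selected-context=staff_u:staff_r:staff_t:s0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=ssh res=success'
type=CRED_ACQ msg=audit(1700000003.404:504): pid=2200 uid=0 auid=1000 ses=4 msg='op=PAM:setcred acct="alice" exe="/usr/sbin/sshd" hostname=? addr=? terminal=ssh res=success'
""".splitlines()

def summarize(lines):
    """Return (event_id, alert name, result) for every parseable record."""
    return [(r["event_id"], r["alert"], r["result"])
            for r in map(parse_record, lines) if r]

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```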