Please help me!
The easiest thing to do here is deploy an agent to your Linux system, then go to Manage > Nodes, click the gear on the left side of that agent and go to "Tools". You'll want to configure tools related to the apps and services you have on that linux system. Common ones:
- PAM (under Operating Systems): For authentication data, you might need to change the log from /var/log/auth.log to /var/log/secure depending on your flavor of Linux
- Apache (under Web Servers): Apache Access and Error log data - check the default logging paths, they are correct for some distributions but others might have an "apache2" or specific logging
- Sudo (under Operating Systems): To monitor for usage of sudo, what's being run under sudo, etc. (PAM will show you when someone escalates to the sudo privilege; the sudo log will show you what they did)
- AuditD: If you've got Linux auditd enabled, we can cover that
Linux doesn't have the same consolidated logging structure as Windows, a much more controlled platform. All of the "Security" stuff for Windows is consolidated to the security log, whereas Linux is more about the apps and services you're running and where they might log their information.
If you've got some apps or logs you'd like covered, let us know what they are and we can help point you to the right product integrations to enable.
Hi Nicole Pauls, thanks for answering my question.
I am now running Red Hat Enterprise Linux 4. First I want to get the OS log, but when I follow your guide I get the alert "eventinfo Fail to Start FAST reader: reader failed to report the error".
Please support me!
Without more info, it's hard to tell what's going on. It's possible that you configured an incompatible tool (e.g. a Windows tool on Linux), that there's a permissions problem accessing the log file (make sure the user running the agent, if it's not root, can access that log file), that it's pointed at the wrong or a nonexistent log file (make sure the tool is pointed to a file that exists), or that the error was a fluke (delete that tool and try configuring it again).
There should be an "agent.log" file (or "spoplog.txt" or "spop.log") in your agent's install directory that may have more details about the error or other errors that are causing problems.
Hi there, I have a similar problem with the LEM evaluation. I've installed the agent on my Linux box (CentOS 6.3) but see no logs in the LEM monitor, and I found no agent.log file in the agent's directory (/usr/local/contego/ContegoSPOP), which the startup script specifies, i.e.:
root 5769 1 0 Nov15 ? 00:06:41 /usr/local/contego/ContegoSPOP/../ContegoSPOP/jre_1.6.0_26/bin/java -Djava.library.path=5.3.1\\lib com.zerog.lax.LAX /usr/local/contego/ContegoSPOP/SWLEMAgent.lax /tmp/env.properties.5769 "-lf" "/usr/local/contego/ContegoSPOP/agent.log"
On the other hand, I could only see the "InternalAgentOffline"/"InternalAgentOnline" alert when I take the agent offline and online in the LEM screen.
I would like to clarify: if I have installed the agent, do I still need to configure a "tool" to grep the monitoring items?
The answer to your question is yes, you do still have to configure connectors/tools to monitor logs after installing the agent. The agent software just connects it up to the appliance, the connectors/tools tell the agent which log files to monitor for which applications.
PS: If you're seeing the Agent Online/Offline alerts it means you've got connectivity to/from the appliance to the agent (all good) and you just need to configure it from there.
That's correct. This means that the agent connected with its IP address (doesn't know its hostname by that IP, I assume) but some events are coming in with the hostname. We use the info we have about the agent to resolve this problem, so in this case you'd want the agent to know that it's "CentOS63" and 10.10.6.144.
Two things that might resolve it: make sure the hosts file matches for CentOS63 and the IP address (edit /etc/hosts and make sure an entry for "CentOS63 10.10.6.144" exists), and alternatively do the same thing on the DNS server the agent/manager are using. When the agent updates its hostname in the "Node Name" column, you can delete the non-agent node (the one on top) and it shouldn't return.
Thanks for your help; it got solved after adding the entry to the hosts file for CentOS63, but I face another question:
One of our users directed the syslog from a Linux box to LEM 5.5 and LEM detected it as a new node. He added it with the wizard (not by installing an agent), but he found that the logs coming in are with its IP address, while on the Linux box they were logged with the host name.
In the linux log (/var/log/secure):
Jan 15 17:49:59 linux01 sshd: pam_unix(sshd:session): session opened for user john by (uid=0)
In the LEM log (/var/log/auth.log):
1358271556000 192.168.5.132 sshd: pam_unix(sshd:session): session opened for user john by (uid=0)
and from the LEM console, in the "Nodes" list, the node is listed with its Node IP and Node Name
The Linux box is on the same subnet as LEM and is configured using the same DNS. The DNS also has the hostname configured with the IP address; when doing nslookup from a Windows host on the same subnet and using the same DNS server, the IP address can be resolved to the hostname:
According to your earlier reply above, the manager using the same DNS as the node should be able to display the hostname instead of the IP address. Is installing the agent a must to rectify the problem?
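The node-identity problem discussed in this thread (the agent or syslog source known by its IP address while events arrive with a hostname, or vice versa) comes down to whether the name and address can be reconciled from the hosts table or DNS. The following is an added example, not LEM's own code, that parses a hosts-file text constructed for this illustration (using the CentOS63 / 10.10.6.144 values from the thread) and resolves the host field of both log formats shown above to one canonical (name, ip) pair; a host that cannot be reconciled is returned with a None on one side, which is the situation that produces a duplicate node.

```python
import re
from datetime import datetime, timezone

# Constructed hosts-file content for this example; the CentOS63 entry is the one the thread suggests adding.
HOSTS_FILE = """\
127.0.0.1   localhost
# agent host, name and address must agree with DNS as well
10.10.6.144 CentOS63 centos63.example.internal
"""

# "Jan 15 17:49:59 linux01 sshd: ..." (syslog) and "1358271556000 192.168.5.132 sshd: ..." (LEM normalized)
SYSLOG_RE = re.compile(r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) (?P<msg>.*)$")
LEM_RE = re.compile(r"^(?P<ms>\d{13}) (?P<host>\S+) (?P<msg>.*)$")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_hosts(text):
    """Build name->ip and ip->canonical-name maps from hosts-file text.
    Comments and blank lines are skipped; every alias on a line maps to that line's IP,
    and the first name on the line is treated as the canonical node name."""
    by_name, by_ip = {}, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        if not names:
            continue
        by_ip.setdefault(ip, names[0])
        for name in names:
            by_name[name.lower()] = ip
    return by_name, by_ip


def node_identity(line, by_name, by_ip):
    """Return (canonical_name, ip) for the host field of a syslog or LEM-style line.
    If the table cannot reconcile the host, the missing side is None: such events
    would be attributed to a separate node from the one the agent registered as."""
    m = SYSLOG_RE.match(line) or LEM_RE.match(line)
    if not m:
        raise ValueError("unrecognised log line format")
    host = m.group("host")
    if host in by_ip:
        return by_ip[host], host
    if host.lower() in by_name:
        ip = by_name[host.lower()]
        return by_ip[ip], ip
    return (None, host) if IPV4_RE.match(host) else (host, None)


def lem_timestamp(line):
    """Convert the 13-digit epoch-milliseconds prefix of a LEM-style line to a UTC datetime."""
    m = LEM_RE.match(line)
    if not m:
        raise ValueError("not a LEM-style line")
    return datetime.fromtimestamp(int(m.group("ms")) / 1000, tz=timezone.utc)
```

Running node_identity over the two lines quoted in the thread shows the difference: the host seen by hostname or by 10.10.6.144 resolves to the CentOS63 node, while 192.168.5.132 with no matching table entry stays unreconciled.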