Installation guide
# ls -la tenable_sc4_logs.prm
-rwxr-x--- 1 lce lce 17191 Oct 17 14:40 tenable_sc4_logs.prm
As a user with permissions to manipulate files in this directory, such as ‘root’ or ‘lce’, copy the tenable_sc4_logs.prm
file to a file with a similar but new name:
# cp tenable_sc4_logs.prm tenable_sc4_audit_logs.prm
Open the new file in a text editor. The first set of changes is to give each event listed in the new PRM file a unique
“type:” so that searches in SecurityCenter can be run directly against events from the new PRM file. In the example
shown below, the “id=” has been given a unique number and the “type:” for the “name=The Security Center had a
successful login.” event has been changed to “loginfo”:
id=8272
name=The Security Center had a successful login.
match= -
match=FO
match=|auth|
match=IN
match=|INFO|
match=lo
match=log
match=ce
match=ss
match=Successful login for
regex=Successful login for '([A-Za-z0-9\$\-\_]{1,25})' from ([0-9]+(\.[0-9]+){3})
log=event:SC4-Login user:$1 srcip:$2 type:loginfo
Events are selected or de-selected by uncommenting or commenting them out in the new PRM file. For example, if
your organization does not wish to audit SecurityCenter login events, find the “The SecurityCenter had a successful
login” section of the new file and add a “#” character to comment out the “id”, “name”, “match”, “regex” and “log”
lines for that event:
#id=8272
#name=The Security Center had a successful login.
#match= -
#match=FO
#match=|auth|
#match=IN
#match=|INFO|
#match=lo
#match=log
#match=ce
#match=ss
#match=Successful login for
#regex=Successful login for '([A-Za-z0-9\$\-\_]{1,25})' from ([0-9]+(\.[0-9]+){3})
#log=event:SC4-Login user:$1 srcip:$2 type:loginfo
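As an added example (not part of this guide and not LCE's own parser), the Python below mimics how an entry like the one shown above is applied and how a commented-out entry drops out: it parses a constructed PRM fragment, requires every “match=” keyword to appear in a constructed log line before trying the “regex=”, and fills the $1/$2 placeholders of the “log=” line. The sample PRM text (with a shortened match list), the disabled second entry and the log line are all constructed here; that LCE evaluates match keywords as plain substrings before the regex is an assumption.

```python
import re

# Constructed PRM text for this example, mirroring the guide's entry with a
# shortened "match=" list; a second, hypothetical entry is commented out with
# '#' the way the guide describes for de-selecting an event.
SAMPLE_PRM = r"""
id=8272
name=The Security Center had a successful login.
match=|auth|
match=|INFO|
match=Successful login for
regex=Successful login for '([A-Za-z0-9\$\-\_]{1,25})' from ([0-9]+(\.[0-9]+){3})
log=event:SC4-Login user:$1 srcip:$2 type:loginfo
#id=8273
#match=Failed login for
#regex=Failed login for '([A-Za-z0-9]{1,25})'
#log=event:SC4-LoginFail user:$1 type:loginfo
"""
# Constructed syslog line that contains every "match=" keyword of the entry.
SAMPLE_LINE = ("Oct 17 14:40:02 sc-host SecurityCenter: |auth|INFO| "
               "Successful login for 'jdoe' from 10.1.2.3")

def parse_prm(text):
    """Return active entries as dicts. Lines starting with '#' are skipped, so
    an entry whose lines are all commented out is dropped entirely."""
    entries, current = [], None
    for raw in text.splitlines():
        if not raw or raw.startswith("#"):
            continue
        key, _, value = raw.partition("=")  # value kept verbatim, e.g. " -"
        if key == "id":
            current = {"id": value, "match": []}
            entries.append(current)
        elif key == "match":
            current["match"].append(value)
        else:
            current[key] = value
    return entries

def apply_prm(entries, line):
    """Return the 'log=' text of the first entry whose match keywords all occur
    in the line and whose regex matches, with $N replaced by capture group N."""
    for entry in entries:
        if not all(kw in line for kw in entry["match"]):
            continue  # cheap substring prefilter before the regex (assumed)
        m = re.search(entry["regex"], line)
        if m is not None:
            return re.sub(r"\$(\d+)",
                          lambda ph: m.group(int(ph.group(1))) or "", entry["log"])
    return None
```

Running apply_prm(parse_prm(SAMPLE_PRM), SAMPLE_LINE) yields the normalized event text carrying the new type:loginfo value, while the commented-out entry never matches anything.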
When edits are completed, save the new PRM file to its current location. Ensure the file is owned by the lce user and lce
group with the correct permissions by running the following commands:
# chmod 750 tenable_sc4_audit_logs.prm
# chown lce:lce tenable_sc4_audit_logs.prm
The original PRM may be disabled by adding the name of the file to the /opt/lce/admin/disabled-prms.txt file. See the
section Excluding PRM Files in the LCE documentation.