HP-UX Host Intrusion Detection System Version 4.4 Administrator Guide (5900-1634, April 2011)
Table 39 Log File Monitoring Template Properties

Name       Type   Default Value                  Description
logfile    XI     /opt/apache/logs/error_log     The absolute pathname of the log file being monitored.
watch      X      "authentication failure for"   Regular expression string patterns that specify log entries of interest.
ignore     X      "user ids"                     Regular expression string patterns to selectively filter out log entries that matched a "watch" pattern.
severity   VIII   2                              Severity of alert generated when a log entry of interest is detected.
If a log entry matches a string pattern in the watch property and does not match a string pattern
in the ignore property, then an alert is generated. If a log entry matches a string pattern in the
watch property as well as a string pattern in the ignore property, then the log entry will be ignored
and an alert will not be issued. The watch and ignore properties are optional. However, the
template will not monitor a log file unless there is at least one string pattern specified by the watch
property.
The string patterns specified as values for the watch and ignore properties must be enclosed within
double quotes (") even if the pattern contains no white space characters; otherwise, a parsing error
will occur. String patterns that contain one of the special delimiter characters used by the template
parser (that is, pipe (|), ampersand (&) and comma (,)) should not have those characters escaped,
because a string pattern within double quotes is parsed only by the regular expression parser
and not by the template parser, unlike Type I properties, which are parsed both by the template parser
and the regular expression parser. However, to include double quotes (") as part of a pattern, the
double quotes must be escaped with a backslash (\) character.
The severity property value associated with a log file takes precedence over the global
log_severity_def property value (see “Surveillance Schedule Section”). If the severity
property value is empty or not specified, the global log_severity_def property value is used.
The following example specifies that entries logged to the log file /var/adm/syslog/syslog.log
will trigger an alert with severity 1 if the syslog entry indicates that a file system
is full on a logical volume other than one under /dev/vg03:
logfile | /var/adm/syslog/syslog.log
watch | "file system /dev/vg[0-9]+/.* full"
ignore | "file system /dev/vg03/.* full"
severity | 1
The watch and ignore property values are both specified using regular expression notation. For
more information on regular expressions, see “UNIX Regular Expressions” (page 106).
Multiple instances of the logfile, watch, ignore, and severity properties can be specified,
but the properties for one log file must be specified consecutively as a group. For example, the following
template properties specify that the apache web server's error log should be monitored for authentication
failures except those involving user ids, with any alerts issued having a severity of 2, whereas the access
log should be monitored for all HTTP 400-series (4xx) error codes except for GET and HEAD requests, with
any alerts having a severity of 3:
logfile | /opt/apache/logs/error_log
watch | "authentication failure for"
ignore | "user ids"
severity | 2
logfile | /opt/apache/logs/access_log
watch | "\".* HTTP/[0-9].[0-9]\" 4[0-9][0-9]"
ignore | "GET" | "HEAD"
severity | 3
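The watch/ignore evaluation, the double-quoting rule and the consecutive grouping described above, as an added Python example that is not part of the guide or of the HIDS product; the template text, the sample log entries and the global log_severity_def value of 3 are constructed for the example.

```python
import re

QUOTED = re.compile(r'"((?:\\.|[^"\\])*)"')   # a double-quoted pattern; \" stays inside it

def split_values(field):
    # Values must be double-quoted; leftover unquoted text is a template parsing error.
    if QUOTED.sub("", field).strip("| \t"):
        raise ValueError("parsing error, pattern must be double-quoted: " + field.strip())
    return QUOTED.findall(field)   # quoted text goes to the regex engine untouched

def parse_template(text, log_severity_def=3):
    # Consecutive logfile/watch/ignore/severity lines form one group; an empty or missing
    # severity falls back to the global log_severity_def (an assumed value here).
    groups, cur = [], None
    for line in text.splitlines():
        name, sep, rest = (s.strip() for s in line.partition("|"))
        if name == "logfile" and sep:
            cur = {"logfile": rest, "watch": [], "ignore": [], "severity": log_severity_def}
            groups.append(cur)
        elif cur and name in ("watch", "ignore"):
            cur[name] += [re.compile(p) for p in split_values(rest)]
        elif cur and name == "severity" and rest:
            cur["severity"] = int(rest)
    return [g for g in groups if g["watch"]]   # no watch pattern: the file is not monitored

def check_entry(group, entry):
    # Alert severity when a watch pattern hits and no ignore pattern does, else None.
    hit = any(p.search(entry) for p in group["watch"])
    return group["severity"] if hit and not any(p.search(entry) for p in group["ignore"]) else None

# Constructed template from the guide's two examples; the last severity is left empty on purpose.
TEMPLATE = r'''logfile | /var/adm/syslog/syslog.log
watch | "file system /dev/vg[0-9]+/.* full"
ignore | "file system /dev/vg03/.* full"
severity | 1
logfile | /opt/apache/logs/access_log
watch | "\".* HTTP/[0-9].[0-9]\" 4[0-9][0-9]"
ignore | "GET" | "HEAD"
severity |'''

# Constructed sample entries keyed by log file (not real log data).
ENTRIES = {"/var/adm/syslog/syslog.log": ["vmunix: file system /dev/vg00/lvol3 full",
                                          "vmunix: file system /dev/vg03/lvol1 full"],
           "/opt/apache/logs/access_log": ['10.0.0.5 - - "POST /login HTTP/1.1" 403 12',
                                           '10.0.0.5 - - "GET /index.html HTTP/1.1" 404 0',
                                           '10.0.0.5 - - "POST /ok HTTP/1.1" 200 1']}

def scan(template=TEMPLATE, entries=ENTRIES, log_severity_def=3):
    # Every (logfile, severity, entry) that would raise an alert.
    return [(g["logfile"], s, e) for g in parse_template(template, log_severity_def)
            for e in entries.get(g["logfile"], []) for s in [check_entry(g, e)] if s is not None]
```

Running scan() yields one severity-1 alert for the /dev/vg00 syslog entry and one severity-3 alert (the global default) for the POST 403 access-log entry; the vg03, GET 404 and 200 entries produce nothing.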