HP-UX Host Intrusion Detection System Version 4.7 Administrator Guide HP-UX 11i v3 (766144-001, March 2014)
template will not monitor a log file unless there is at least one string pattern specified by the watch
property.
The string patterns specified as values for the watch and ignore properties must be enclosed within
double quotes (") even if the pattern contains no white space characters; otherwise, a parsing error
will occur. String patterns that contain one of the special delimiter characters used by the template
parser (that is, pipe(|), ampersand (&) and comma (,)) should not have those characters escaped
because the string pattern within double quotes is only parsed by the regular expression parser
and not by the template parser, unlike Type I properties that are parsed both by the template parser
and the regular expression parser. However, to include double quotes (") as part of a pattern, the
double quotes must be escaped with a backslash (\) character.
The severity property value associated with a log file takes precedence over the global
log_severity_def property value (see “Surveillance Schedule Section”). If the severity
property value is empty or not specified, the global log_severity_def value is used.
The following example specifies that entries logged to the log file /var/adm/syslog/syslog.log
will trigger an alert with severity 1 if the syslog entry indicates that a file system
is full on a logical volume other than one under /dev/vg03:
logfile | /var/adm/syslog/syslog.log
watch | "file system /dev/vg[0-9]+/.* full"
ignore | "file system /dev/vg03/.* full"
severity | 1
The watch and ignore property values are both specified using regular expression notation. For
more information on regular expressions, see “UNIX Regular Expressions ” (page 105).
Multiple instances of the logfile, watch, ignore, and severity properties can be specified,
but the properties for each log file must be specified consecutively as one group. For example, the
following template properties specify that the Apache web server's error log should be monitored
for authentication failures except those mentioning user ids, with any alerts issued at severity 2,
whereas the access log should be monitored for all HTTP 4xx status codes except on GET and HEAD
requests, with any alerts issued at severity 3:
logfile | /opt/apache/logs/error_log
watch | "authentication failure for"
ignore | "user ids"
severity | 2
logfile | /opt/apache/logs/access_log
watch | "\".* HTTP/[0-9].[0-9]\" 4[0-9][0-9]"
ignore | "GET" | "HEAD"
severity | 3
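The two examples above (the syslog file-system check and the Apache logs) and the quoting and severity rules described earlier can be exercised together with a small reader for the template's "property | value" notation. This is an added example and not HP-UX HIDS code; it assumes the matching semantics the text describes (a line raises an alert when it matches any watch pattern and no ignore pattern, a log file with no watch pattern is not monitored, an empty severity falls back to log_severity_def) and uses Python's regular expression engine in place of the product's UNIX regular expression parser. The template reuses this page's examples with two changes: the access_log pattern escapes the dot in HTTP/1.1 so it matches only a literal period (the unescaped dot in the guide's version matches any character), and a hypothetical /var/adm/sulog rule with an empty severity is added to show the fallback. All log lines are constructed for the example.

```python
import re

# Template fragment in the guide's "property | value" notation (constructed,
# see the lead-in for the two deliberate differences from the page's examples).
TEMPLATE = r'''
log_severity_def | 3
logfile | /var/adm/syslog/syslog.log
watch | "file system /dev/vg[0-9]+/.* full"
ignore | "file system /dev/vg03/.* full"
severity | 1
logfile | /opt/apache/logs/error_log
watch | "authentication failure for"
ignore | "user ids"
severity | 2
logfile | /opt/apache/logs/access_log
watch | "\".* HTTP/[0-9]\.[0-9]\" 4[0-9][0-9]"
ignore | "GET" | "HEAD"
severity | 3
logfile | /var/adm/sulog
watch | "^SU .* - .*-root$"
severity |
'''

# One double-quoted pattern: \" is an escaped quote; every other character,
# including the template delimiters | & and , , passes through to the regex.
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_patterns(value):
    """Split a watch/ignore value into its quoted patterns.

    Values are one or more "..." strings separated by |. Anything left over
    outside the quotes (other than | and whitespace) is an unquoted pattern,
    which the guide says is a parsing error.
    """
    leftover = QUOTED.sub('', value).replace('|', '').strip()
    if leftover:
        raise ValueError(f'pattern not enclosed in double quotes: {value!r}')
    return [m.group(1).replace('\\"', '"') for m in QUOTED.finditer(value)]


def parse_template(text):
    """Return (log_severity_def, groups); each group is one logfile block."""
    global_sev, groups, cur = None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        prop, _, value = line.partition('|')
        prop, value = prop.strip(), value.strip()
        if prop == 'log_severity_def':
            global_sev = int(value)
        elif prop == 'logfile':
            cur = {'logfile': value, 'watch': [], 'ignore': [], 'severity': None}
            groups.append(cur)
        elif prop in ('watch', 'ignore', 'severity'):
            if cur is None:
                raise ValueError(f'{prop} must follow a logfile property')
            if prop == 'severity':
                cur['severity'] = int(value) if value else None  # empty -> global
            else:
                cur[prop].extend(parse_patterns(value))
        else:
            raise ValueError(f'unknown property {prop!r}')
    return global_sev, groups


def scan(global_sev, groups, entries):
    """Apply the groups to (logfile, line) pairs and return (logfile, severity,
    line) for each line matching a watch pattern and no ignore pattern."""
    rules = {}
    for g in groups:
        if not g['watch']:          # no watch pattern: file is not monitored
            continue
        sev = g['severity'] if g['severity'] is not None else global_sev
        rules[g['logfile']] = ([re.compile(p) for p in g['watch']],
                               [re.compile(p) for p in g['ignore']], sev)
    alerts = []
    for logfile, line in entries:
        if logfile not in rules:
            continue
        watch, ignore, sev = rules[logfile]
        if any(w.search(line) for w in watch) and not any(i.search(line) for i in ignore):
            alerts.append((logfile, sev, line))
    return alerts


# Constructed log entries, not captured from a real system.
SAMPLE_ENTRIES = [
    ('/var/adm/syslog/syslog.log', 'Mar  3 10:15:02 hpux1 vmunix: file system /dev/vg00/lvol3 full'),
    ('/var/adm/syslog/syslog.log', 'Mar  3 10:15:09 hpux1 vmunix: file system /dev/vg03/lvol1 full'),
    ('/opt/apache/logs/error_log', '[Mon Mar 03 10:16:00 2014] [error] [client 10.0.0.5] authentication failure for "/admin": Password Mismatch'),
    ('/opt/apache/logs/error_log', '[Mon Mar 03 10:16:04 2014] [error] [client 10.0.0.5] authentication failure for "/admin": unknown user ids'),
    ('/opt/apache/logs/access_log', '10.0.0.5 - - [03/Mar/2014:10:16:10 -0700] "POST /login HTTP/1.1" 403 512'),
    ('/opt/apache/logs/access_log', '10.0.0.5 - - [03/Mar/2014:10:16:11 -0700] "GET /missing HTTP/1.1" 404 209'),
    ('/opt/apache/logs/access_log', '10.0.0.5 - - [03/Mar/2014:10:16:12 -0700] "POST /login HTTP/1.1" 200 1024'),
    ('/var/adm/sulog', 'SU 03/03 10:17 - pts/1 jdoe-root'),
    ('/var/adm/sulog', 'SU 03/03 10:18 + pts/1 jdoe-root'),
]

GLOBAL_SEV, GROUPS = parse_template(TEMPLATE)
ALERTS = scan(GLOBAL_SEV, GROUPS, SAMPLE_ENTRIES)

if __name__ == '__main__':
    for logfile, sev, line in ALERTS:
        print(f'severity {sev}  {logfile}: {line}')
```

Running it yields four alerts: the vg00 full file system at severity 1, the error_log authentication failure at severity 2, the POST that returned 403 at severity 3, and the failed su to root at the global severity 3 because its severity value is empty. Note that an ignore pattern is matched anywhere in the line, so "GET" would also suppress a POST whose request path happens to contain that string; since | inside the quotes goes straight to the regular expression parser, an anchored alternative such as "\"(GET|HEAD) " restricts the ignore to the request method.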
NOTE: For more information about regular expressions, see: “UNIX Regular Expressions ” (page 105)
Alerts generated by this template
Log File Monitoring
Table 40 (page 146) lists the alert properties the Log File Monitoring template generates and
forwards to a response program when log entries matching a string pattern are detected.
Table 40 Log File Monitoring Alert Properties
Alert Field   | Response Program Argument | Alert Field Type | Alert Value/Format | Description
Template Code | argv[1]                   | Integer          | 10                 | Unique code assigned to template
Version       | argv[2]                   | Integer          | <version>          | Template version
Severity      | argv[3]                   | Integer          | <severity level>   | Specifies alert severity. Alert severity is configurable.