HP-UX Host Intrusion Detection System Version 4.7 Administrator Guide HP-UX 11i v3 (766144-001, March 2014)

Generate incremental reports (that is, report only the alerts generated after the last report)
Select the alert fields to be displayed in the report
Sort alerts by severity, alert type, or date
Initiate reports from the command line, from an interactive menu, or from a cron job
E-mail the reports to any number of recipients
Generate reports in .html, .txt, and .raw formats
The idsadmin Command Reporting Options
To generate alert reports, invoke the idsadmin command as follows:
idsadmin [-v[vvv]] --report [OPTIONS]
Table 51 describes the reporting options that you can use with the idsadmin --report option.
Table 51 Reporting Options Supported by idsadmin

Option
    -a, --agent-hosts host1:[srp1,srp2,...],host2:[srp1,srp2,...]... | all | managed
Description
    A comma-separated list of host names or IP addresses of the agent(s) to monitor and manage. If an agent is configured to monitor HP-UX Containers (HP-UX SRP), append a colon and a comma-separated list of Container (SRP) names in square brackets to that agent's host name or IP address. Specify all to include all agent hosts listed in sentinal.hosts, even those not currently monitored by the HIDS GUI. Specify managed to include only the agent hosts that are marked as managed by the HIDS GUI. When used with the --report option, the default is managed. If an agent is configured to monitor HP-UX Containers (HP-UX SRP), all of its Container (SRP) names must be specified explicitly; otherwise the generated report will not contain the Container information.

Option
    --alert-events event_1,event_2,...
Description
    Report only the alerts triggered by the specified events, where:
        create   alerts triggered by a creation event
        delete   alerts triggered by a deletion event
        modify   alerts triggered by a modification or potential modification event
        login    alerts triggered by successful logins
        flogin   alerts triggered by failed logins
        su       alerts triggered by successful su attempts
        fsu      alerts triggered by failed su attempts
174 Tuning Schedules and Generating Alert Reports
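The following script is an added example, not code from the HP-UX HIDS guide or from the idsadmin tool. It assembles an idsadmin --report invocation from a local hosts file so that every HP-UX Container (SRP) name is passed explicitly in the -a/--agent-hosts value (Table 51 warns that the report otherwise omits the Container information) and restricts the report to the failed-login and failed-su events from the --alert-events list. The install path /opt/ids/bin/idsadmin, the hosts-file layout, the example host names, and the "run" argument are my assumptions for this example, not values documented on the page.

```shell
#!/bin/sh
# Added example, not from the HP-UX HIDS guide or the idsadmin tool itself:
# build an idsadmin --report command line from a local hosts file so that every
# HP-UX Container (SRP) name is passed explicitly in the -a/--agent-hosts value.
# Table 51 says that without the explicit Container names the report omits the
# Container information, which is the mistake this script is meant to prevent.
#
# Assumptions (mine, not documented values):
#   - the install path /opt/ids/bin/idsadmin (override with $IDSADMIN)
#   - the hosts-file layout: one agent per line, "<host-or-ip> [srp1 srp2 ...]",
#     blank lines and lines starting with # are ignored

IDSADMIN=${IDSADMIN:-/opt/ids/bin/idsadmin}

# build_agent_hosts FILE
# Print the -a argument: host1:[srp1,srp2],host2,... (an agent without
# Containers appears bare, an agent with Containers gets the [..] list).
build_agent_hosts() {
    spec=""
    while read -r host srps; do
        case "$host" in ''|'#'*) continue ;; esac
        entry="$host"
        if [ -n "$srps" ]; then
            # join the whitespace-separated SRP names with commas
            list=""
            for s in $srps; do
                list="${list:+$list,}$s"
            done
            entry="$host:[$list]"
        fi
        spec="${spec:+$spec,}$entry"
    done < "$1"
    printf '%s\n' "$spec"
}

# build_report_cmd FILE EVENTS
# Print (do not run) the idsadmin command for an alert report restricted to
# EVENTS, a comma-separated subset of create,delete,modify,login,flogin,su,fsu.
build_report_cmd() {
    printf '%s --report -a %s --alert-events %s\n' \
        "$IDSADMIN" "$(build_agent_hosts "$1")" "$2"
}

# Constructed sample hosts file: two agents with Containers, one without.
HOSTS_FILE=${TMPDIR:-/tmp}/hids_hosts.$$
printf '%s\n' \
    '# host followed by its Container (SRP) names' \
    'agent1.example.com web1 web2' \
    '192.0.2.10' \
    'agent3.example.com db1' > "$HOSTS_FILE"

# Report failed logins and failed su attempts only. Schedule this script from
# cron (for example: 0 6 * * * /path/to/this/script run) for a daily report;
# without the "run" argument it only shows the command it would execute.
CMD=$(build_report_cmd "$HOSTS_FILE" flogin,fsu)
printf 'would run: %s\n' "$CMD"
if [ "$1" = run ]; then
    $CMD
fi
rm -f "$HOSTS_FILE"
```

The hosts file is the single place where an agent's Container names are maintained, so adding an SRP to a Container-enabled agent means editing one line rather than remembering to extend a long -a argument in every cron entry; the agent-host spec the script emits for the sample file is agent1.example.com:[web1,web2],192.0.2.10,agent3.example.com:[db1].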