RedHat Linux EventIDs

I'm looking for an index of some sort for RHEL EventIDs.
k3eper Asked:

k3eper (Author) Commented:
A list of Events/IDs and what they mean
Michael Worsham (Infrastructure / Solutions Architect) Commented:
Linux servers (RHEL in this case) don't have Event IDs like Microsoft Servers/OS systems have.

What kind of problem are you having?
k3eper (Author) Commented:
Not a problem as such, I'm just trying to understand the logs to be able to create alerts. I can clearly see MessageIDs in the logs. For instance "sshd(pam_unix)[30623]: session closed for user charm"
k3eper (Author) Commented:
Of course 30623 is the ID I'm referring to.
k3eper (Author) Commented:
The alerts are to be created in our SIEM
Michael Worsham (Infrastructure / Solutions Architect) Commented:
Actually the [30623] refers to the process ID on the server.

If you ssh to the Linux server and do a 'ps auuwx | grep ssh', you can see a listing of active ssh processes that are running (see example below). The number in the 2nd column is the process id that the application is currently running under.

Then, if you were to do 'cat /var/log/secure | grep process_id', you should see the following displayed (see 2nd example below).

[root@reaper ~]# ps auuwx | grep ssh
root      3294  0.0  0.0  62624   792 ?        Ss   Apr01   0:00 /usr/sbin/sshd
root     26335  1.5  0.3  88088  3288 ?        Ss   14:34   0:00 sshd: root@pts/0 
root     26366  0.0  0.0  61188   740 pts/0    S+   14:34   0:00 grep ssh

[root@reaper ~]# cat /var/log/secure | grep 26335 
Apr 19 14:34:56 reaper sshd[26335]: Accepted password for root from 192.168.0.4 port 64126 ssh2
Apr 19 14:34:56 reaper sshd[26335]: pam_unix(sshd:session): session opened for user root by (uid=0)

k3eper (Author) Commented:
Ok thanks for letting me know.

In that case, how do you identify events? Is it purely by the event message? Is there no way to simplify it a bit?
Michael Worsham (Infrastructure / Solutions Architect) Commented:
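To make the two points above concrete (the bracketed number is the PID of the logging process, and on Linux an "event" is identified by the shape of the message rather than by a numeric ID), here is an added example that is not part of the original thread. It parses the traditional syslog envelope used by /var/log/secure, classifies sshd and pam_unix messages into event types of our own naming, joins session open/close lines by (host, PID), and applies two SIEM-style rules. The sample lines are constructed to look like the ones quoted in the thread (both the newer "pam_unix(sshd:session):" message style and the older "sshd(pam_unix)" program-field style), and the event names and alert rules are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample modeled on the /var/log/secure lines quoted in the thread; not real captured logs.
SAMPLE_LOG = """\
Apr 19 14:34:56 reaper sshd[26335]: Accepted password for root from 192.168.0.4 port 64126 ssh2
Apr 19 14:34:56 reaper sshd[26335]: pam_unix(sshd:session): session opened for user root by (uid=0)
Apr 19 14:40:12 reaper sshd[26335]: pam_unix(sshd:session): session closed for user root
Apr 19 14:41:03 reaper sshd[26402]: Failed password for invalid user admin from 10.0.0.9 port 51022 ssh2
Apr 19 14:41:05 reaper sshd[26402]: Failed password for invalid user admin from 10.0.0.9 port 51022 ssh2
Apr 19 14:41:07 reaper sshd[26402]: Failed password for invalid user admin from 10.0.0.9 port 51022 ssh2
Apr 19 14:45:00 reaper sshd(pam_unix)[30623]: session closed for user charm
"""

# Traditional syslog envelope: "<timestamp> <host> <program>[<pid>]: <message>".
# The bracketed number is the PID of the logging process, not an event identifier.
# The program field may carry an older-style PAM tag such as "sshd(pam_unix)".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\[\]:]+?)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# Linux has no numeric event catalogue: an "event type" is simply a name we assign
# to a recognised message shape. These names are our own labels (assumption).
EVENT_PATTERNS = [
    ("ssh_login_success", re.compile(
        r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)")),
    ("ssh_login_failure", re.compile(
        r"^Failed (?P<method>\S+) for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)")),
    # Newer style: "pam_unix(sshd:session): session opened ..."; older style puts
    # pam_unix in the program field and the message is just "session opened ...".
    ("pam_session_open", re.compile(
        r"^(?:pam_unix\((?P<service>[^)]+)\): )?session opened for user (?P<user>\S+)")),
    ("pam_session_close", re.compile(
        r"^(?:pam_unix\((?P<service>[^)]+)\): )?session closed for user (?P<user>\S+)")),
]


def parse_line(line):
    """Split one syslog line into its envelope fields; None if it does not match."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ev = m.groupdict()
    # Normalise "sshd(pam_unix)" to "sshd" so both log styles key on the same program.
    ev["prog"] = ev["prog"].split("(")[0]
    return ev


def classify(ev):
    """Attach an event type plus the fields extracted from the message body."""
    for name, pat in EVENT_PATTERNS:
        m = pat.match(ev["msg"])
        if m:
            ev["event"] = name
            ev.update({k: v for k, v in m.groupdict().items() if v is not None})
            if "invalid" in ev:
                ev["invalid"] = True  # "invalid user": the account does not exist
            return ev
    ev["event"] = "unclassified"
    return ev


def parse_log(text):
    return [classify(ev) for ev in map(parse_line, text.splitlines()) if ev]


def sessions_by_pid(events):
    """Pair session open/close lines by (host, pid): the PID is the join key, not an ID."""
    out = {}
    for ev in events:
        key = (ev["host"], ev["pid"])
        if ev["event"] == "pam_session_open":
            out.setdefault(key, {}).update(user=ev["user"], opened=ev["ts"])
        elif ev["event"] == "pam_session_close":
            out.setdefault(key, {}).update(user=ev["user"], closed=ev["ts"])
    return out


def detect(events, fail_threshold=3):
    """Two illustrative SIEM rules: any root login over ssh, and repeated failures per source."""
    alerts = []
    failures = defaultdict(int)
    for ev in events:
        if ev["event"] == "ssh_login_success" and ev["user"] == "root":
            alerts.append(f"root login via {ev['method']} from {ev['src']} on {ev['host']} (pid {ev['pid']})")
        elif ev["event"] == "ssh_login_failure":
            failures[(ev["host"], ev["src"])] += 1
            if failures[(ev["host"], ev["src"])] == fail_threshold:
                alerts.append(f"{fail_threshold} failed ssh logins from {ev['src']} on {ev['host']}")
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ev in evs:
        print(ev["ts"], ev["host"], ev["prog"], ev["pid"], ev["event"])
    for key, s in sessions_by_pid(evs).items():
        print("session", key, s)
    for a in detect(evs):
        print("ALERT:", a)
```

The practical takeaway for a SIEM rule set: key on program name plus message pattern, treat the PID only as a correlation handle for lines from the same process (e.g. "Accepted password" followed by "session opened"), and expect the message format to differ between PAM/openssh versions, as the two session-close styles above show.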
Linux is a totally different beast when it comes to monitoring. Even though there are a number of different solutions out there, the one I use most regularly is called Nagios (www.nagios.org) as it is fairly easy to setup, but just takes a little while for setting up all of the different servers you want to monitor and the modules for monitoring applications/processes, disk space, memory/cpu utilization, etc.

Installing Nagios: An Enterprise-Worthy Network Monitor
http://www.linux.com/learn/tutorials/298123-installing-nagios-enterprise-worthy-network-monitor

Install Nagios on CentOS 5
http://docs.cslabs.clarkson.edu/wiki/Install_Nagios_on_CentOS_5
svs Commented:
Nagios isn't meant to monitor log files. Try logcheck or logwatch.

With logsurfer you can do even more :-)
Michael Worsham (Infrastructure / Solutions Architect) Commented:
Actually you can check log files with Nagios...

Nagios plugins to monitor log files and log file management systems.
http://exchange.nagios.org/directory/Plugins/Log-Files

Log file monitoring using NAGIOS
http://www.experts-exchange.com/Networking/Network_Management/Q_24502020.html