RedHat Linux EventID's

I'm looking for an index of some sort for RHEL EventIDs.
k3eperAsked:
k3eperAuthor Commented:
A list of Events/IDs and what they mean
Michael WorshamStaff Infrastructure ArchitectCommented:
Linux servers (RHEL in this case) don't have Event IDs like Microsoft Servers/OS systems have.

What kind of problem are you having?
k3eperAuthor Commented:
Not a problem as such, I'm just trying to understand the logs to be able to create alerts. I can clearly see MessageIDs in the logs. For instance "sshd(pam_unix)[30623]: session closed for user charm"
k3eperAuthor Commented:
Of course, 30623 is the ID I'm referring to.
k3eperAuthor Commented:
The alerts are to be created in our SIEM
Michael WorshamStaff Infrastructure ArchitectCommented:
Actually the [30623] refers to the process ID on the server.

If you ssh to the Linux server and do a 'ps auuwx | grep ssh', you can see a listing of active ssh processes that are running (see example below). The number in the 2nd column is the process id that the application is currently running under.

Then, if you were to do 'cat /var/log/secure | grep process_id', you should see the following displayed (see 2nd example below).

[root@reaper ~]# ps auuwx | grep ssh
root      3294  0.0  0.0  62624   792 ?        Ss   Apr01   0:00 /usr/sbin/sshd
root     26335  1.5  0.3  88088  3288 ?        Ss   14:34   0:00 sshd: root@pts/0 
root     26366  0.0  0.0  61188   740 pts/0    S+   14:34   0:00 grep ssh

[root@reaper ~]# cat /var/log/secure | grep 26335 
Apr 19 14:34:56 reaper sshd[26335]: Accepted password for root from 192.168.0.4 port 64126 ssh2
Apr 19 14:34:56 reaper sshd[26335]: pam_unix(sshd:session): session opened for user root by (uid=0)

k3eperAuthor Commented:
Ok thanks for letting me know.

In that case, how do you identify events? Is it purely by the event message? Is there no way to simplify it a bit?
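The point made above (the bracketed number is a process ID, so the event "type" has to be derived from the message text) and the follow-up question about how to identify events can be illustrated with a small parser. This is an added example, not code from anyone in this thread or from Red Hat: it splits syslog-style lines from /var/log/secure into header fields, assigns event names by matching the message, and applies one simple SIEM-style rule (repeated failed logins from one source). The event names (ssh_login_success, session_closed, and so on) are this example's own labels, not anything RHEL defines, and the sample lines are constructed in the layout shown in the thread.

```python
"""Turn RHEL /var/log/secure lines into structured events for SIEM rules.

Added example for this thread; not code from the thread's participants.
The bracketed number after the program name is the PID, so the event
"type" has to be derived from the message text instead.
"""
import re
from collections import Counter

# Constructed sample lines in the syslog layout shown above (not real captures;
# 192.168.0.4 comes from the thread, 203.0.113.7 is a documentation-range address).
SAMPLE_LOG = """\
Apr 19 14:34:56 reaper sshd[26335]: Accepted password for root from 192.168.0.4 port 64126 ssh2
Apr 19 14:34:56 reaper sshd[26335]: pam_unix(sshd:session): session opened for user root by (uid=0)
Apr 19 14:40:12 reaper sshd(pam_unix)[30623]: session closed for user charm
Apr 19 14:41:03 reaper sshd[26401]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Apr 19 14:41:05 reaper sshd[26401]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Apr 19 14:41:07 reaper sshd[26401]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
"""

# syslog header: "<Mon DD HH:MM:SS> <host> <program>[<pid>]: <message>"
# The program field may itself contain parentheses, e.g. "sshd(pam_unix)".
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[\s:]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Event names are assigned by message pattern; list order is the match priority.
# These names are this example's own labels, not anything RHEL defines.
EVENT_PATTERNS = [
    ("ssh_login_success",
     re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)")),
    ("ssh_login_failure",
     re.compile(r"^Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)")),
    ("session_opened", re.compile(r"session opened for user (?P<user>\S+)")),
    ("session_closed", re.compile(r"session closed for user (?P<user>\S+)")),
]


def parse_line(line):
    """Split one log line into header fields; return None if it is not syslog-shaped."""
    m = HEADER_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])  # process id of the logging daemon, not an event id
    return rec


def classify(rec):
    """Attach an event name and any extracted fields based on the message text."""
    for name, pattern in EVENT_PATTERNS:
        m = pattern.search(rec["msg"])
        if m:
            return {**rec, "event": name, **m.groupdict()}
    return {**rec, "event": "unclassified"}


def analyze(log_text):
    """Parse and classify every line; lines that do not parse are skipped."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            events.append(classify(rec))
    return events


def failed_logins_by_source(events):
    """Count ssh_login_failure events per source address."""
    return Counter(e["src"] for e in events if e["event"] == "ssh_login_failure")


def brute_force_alerts(events, threshold=3):
    """Sources with at least `threshold` failed logins in the input (a simple SIEM rule)."""
    return sorted(src for src, n in failed_logins_by_source(events).items() if n >= threshold)


if __name__ == "__main__":
    evs = analyze(SAMPLE_LOG)
    for e in evs:
        print(f'{e["ts"]} pid={e["pid"]:<6} {e["event"]:<18} {e["msg"]}')
    print("alert sources:", brute_force_alerts(evs))
```

In practice the same split (fixed syslog header, then message-pattern matching) is what a SIEM parser does for RHEL: the PID is useful for correlating all lines of one session, but the alert condition always comes from the message text.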
Michael WorshamStaff Infrastructure ArchitectCommented:
Linux is a totally different beast when it comes to monitoring. Even though there are a number of different solutions out there, the one I use most regularly is called Nagios (www.nagios.org), as it is fairly easy to set up, but it just takes a little while to set up all of the different servers you want to monitor and the modules for monitoring applications/processes, disk space, memory/CPU utilization, etc.

Installing Nagios: An Enterprise-Worthy Network Monitor
http://www.linux.com/learn/tutorials/298123-installing-nagios-enterprise-worthy-network-monitor

Install Nagios on CentOS 5
http://docs.cslabs.clarkson.edu/wiki/Install_Nagios_on_CentOS_5

svsCommented:
Nagios isn't meant to monitor log files.  Try logcheck or logwatch.

With logsurfer you can do even more :-)
Michael WorshamStaff Infrastructure ArchitectCommented:
Actually you can check log files with Nagios...

Nagios plugins to monitor log files and log file management systems.
http://exchange.nagios.org/directory/Plugins/Log-Files

Log file monitoring using NAGIOS
http://www.experts-exchange.com/Networking/Network_Management/Q_24502020.html