I haven't worked with reports much before and I'm currently trying to
create a new report or customize an existing report to provide
management with user activity tracking on Unix/Linux boxes. Currently,
I'm trying to gather this information from test events generated on a
Solaris box to fulfill a requirement and demonstrate Sentinel can
provide the necessary reporting functionality. In Sentinel, I can locate
all the pertinent events and figure out which user did what, but
unfortunately, the events that are generated don't include all the
information in one event and providing management with all the events
will be confusing for them to figure out and will not be helpful.
Basically what I want to do is generate a report showing them things

User X logged into the system
su'd to root
Deleted a file as root

I am taking this information from the Solaris BSM events that are
generated on the box and sent to Sentinel via the Unix agent. If I
currently generate a report specifying that user's specific session ID,
I can follow everything the user does, but for each action the user
performs, there are many events generated on the system. For instance,
if the user deletes a file, I get two syscall events (execute and
unlink) and 1 pacct event (Command rm executed by user). The execute
event shows that the user executed a command on the file (rm), the
unlink event shows the command that was run as well, but also shows the
file that it was performed on, and pacct event shows the account the
user was su'd to at the time when the action was performed, but neither
the file name nor the user's session ID are tracked in this event.

I guess the big question is can I grab multiple pieces of information
from multiple events to create one report entry? I would like to be able
to generate a report and specify a machine name where it tracks a
session ID and essentially correlates events to create the necessary
information for each entry in the report.

Hopefully my explanation makes sense. Any help anyone can provide would
be greatly appreciated.


tyl3r32's Profile: https://forums.netiq.com/member.php?userid=11631
View this thread: https://forums.netiq.com/showthread.php?t=57325