You can monitor system and application logs to obtain in-depth information about user, system, and application behavior.
The following tables describe recommendations for log files you can monitor and the regular expressions for which you can search for monitoring security, device failures, system capacity, Windows security, and applications and systems:
|
Description |
Log File to Monitor |
Regular Expression |
|---|---|---|
|
WARNING - daemon core |
/var/log/daemon-log |
core dumped |
|
WARNING - daemon core |
/var/log/syslog |
core dumped |
|
Monitor SU attempts |
/var/adm/messages |
su.*fail |
|
Monitor rlogins |
/var/log/syslog |
in.rlogin |
|
Monitor telnets |
/var/log/syslog |
in.telnet |
|
Monitor rsh |
/var/log/syslog |
in.rsh |
|
WARNING - Illegal Instruction, Daemon |
/var/log/daemon-log |
.*llegal.*nstruction |
|
Spam Relay Attempt |
/var/log/syslog |
Relaying denied |
|
Monitor DENY packets from a Linux firewall |
/var/log/messages |
DENY |
Note: The log files described in this section are not the same for all operating systems. These examples are provided for reference. You should alter them for your operating system.
The following table describes the recommendations for regular expressions for which you can search in the syslog (/var/adm/messages) to monitor for device failures:
|
Description |
Regular Expression |
|---|---|
|
Critical: Badtrap Error |
.*BAD TRAP.* |
|
Error: SCSI error |
.*SCSI.*[E,e]rror.* |
|
Error: SCSI error |
.*SCSI.*failed.* |
|
Error: SCSI error |
.*SCSI.*hung.* |
|
Critical: badsimms error |
.*SIMM.* |
|
Critical: badsimms error |
.*BAD.*SIMM.* |
|
Critical: memory error |
.*[M,m]emory [E,e]rror.* |
|
Error: disk error |
.*disk not responding.* |
|
Error: disk error |
.*[D,d]isk.*[E,e]rror.* |
|
'Warning: disk fragmentation error' |
.*optimization changed.* |
|
Error: disk error |
.*corrupt label.* |
|
Error: I/O error |
.*I/O.*[E,e]rror.* |
|
Error: disk read/write errors |
.*Error for Command:.*[read,write].* |
|
Error: media error |
.*Media Error.* |
|
Info: serialport error |
.*zs[0,1,2]: silo overflow.* |
|
Warning: carrier error |
.*no carrier.* |
|
Warning: link is down |
.*Link Down - cable problem?.* |
|
Error: SDS error |
.*[NOTICE,WARNING,PANIC]: md:.* |
The following table describes recommendations for regular expressions for which you can search in /var/adm/messages to monitor system capacity:
|
Description |
Regular Expression |
|---|---|
|
Critical: memory error |
*[O,o]ut of [M,m]emory.* |
|
Critical: memory error |
.*[F,f]ile system full.* |
|
Error: diskspace error |
.*No space left on device.* |
The following table describes recommendations for which logs and expressions you can monitor in the Windows event logs to monitor Windows security:
|
Description |
Event Log |
Security Type |
Regular Expression |
|---|---|---|---|
|
Random Password Hack |
Security |
All |
.*bad |
|
Misuse of Privileges |
Security |
All |
.*[user rights,group management,security change, restart,shutdown] |
|
Improper File Access |
Security |
Failure |
.*[read,write] |
|
Improper Printer Access |
Security |
Failure |
|
|
Virus Outbreak Warning: program files updated |
Security |
All |
.*write.*[exe,dll,com] |
|
Security Policies Change |
Application |
Information |
.*[S,s]ecurity policy |
The following table describes recommendations for which logs and expressions you can monitor in the Windows event logs to monitor applications and systems:
|
Description |
Event Log |
Security Type |
Regular Expression |
|---|---|---|---|
|
Application Error or Failure |
Application |
All |
.*[F,f]ail|.*[E,e]rror |
|
Application Load Problems |
Application |
All |
.*[L,l]oad.*[P,p]roblem |
|
New Software Installed |
Application |
All |
.*[INSTALL,Install,install] |
|
Server Process failed during Initialization |
Application |
All |
.*4131 |
|
Disk Failures and errors |
All |
All |
.*[D,d]isk |
|
Network Adapter Errors |
All |
Error |
.*[N,n]etwork [A,a]dapter |
|
Copyright © 2013 CA.
All rights reserved.
|
|