Hello,

AFAIK, you can't run any UNIX ServerSensor without syslog.

From the Server Sensor Installation Guide (RS_SvrSensor_IG_7.0.pdf): "... for UNIX sensors, you must enable syslog logging before any syslog based signatures can work (many non-network based signatures rely on the syslog)".

You should also check the KB article #2902.

Zoran

----- Original Message -----
From: "Kwan Chee Kin" <[EMAIL PROTECTED]>
To: "Zoran Hrvoic" <[EMAIL PROTECTED]>; <[email protected]>
Sent: Wednesday, March 16, 2005 3:20 PM
Subject: Re: [ISSForum] AIX Server Sensor Not Working

Hi,

I'm not using any Syslog.

Kwan

--- Zoran Hrvoic <[EMAIL PROTECTED]> wrote:

> I had a similar issue a few years ago with AIX OS Sensor.
> Then the problem was trivial: the syslog daemon had been writing to the
> "/var/log/syslog.log" file, and the sensor expected log in "/var/log/syslog".
> Check what is your syslog output file, and is it the same file the sensor is
> expecting.
>
> Zoran
>
> ----- Original Message -----
> From: "Kwan Chee Kin" <[EMAIL PROTECTED]>
> To: "Andres Riancho" <[EMAIL PROTECTED]>; <[email protected]>
> Sent: Saturday, March 12, 2005 10:24 AM
> Subject: Re: [ISSForum] AIX Server Sensor Not Working
>
> Hi,
>
> Yes, I did try with another policy. It still won't work. I did not install
> the network monitoring component so I don't think that will work, will it?
> I'm trying to get the auditing part to work.
>
> Thanks.
>
> Best regards,
> Kwan Chee Kin
>
> --- Andres Riancho <[EMAIL PROTECTED]> wrote:
>
> > Have you tried with another policy? Maybe you could try to enable the
> > event HTTP_GET for testing.
> >
> > Cheers,
> >
> > Andres Riancho
> >
> > ----- Original Message -----
> > From: "Kwan Chee Kin" <[EMAIL PROTECTED]>
> > To: <[email protected]>
> > Sent: Thursday, March 10, 2005 7:32 AM
> > Subject: [ISSForum] AIX Server Sensor Not Working
> >
> > > Hi,
> > > I installed RS Server Sensor 7 on both AIX and Windows. I got the
> > > Sensors on both platforms communicating to the Site Protector 5.
> > > I applied the default Attack_And_Audit_Policy into the Sensors. Then
> > > I tried to test on the audit part of this policy by trying a brute
> > > force login to the Sensors.
> > >
> > > The Windows platform sensors show me the events like I expected but
> > > the AIX did not even show anything. There is not even an event
> > > showing 'root' access to the system.
> > >
> > > I verified the Sensors is Active. Then I verified that the enforce
> > > audit policy is turned on in each AIX sensors and the Auditing in OS
> > > for the policy is checked.
> > >
> > > What could be the problem? Anyone bump into such problem before?
> > > Will AIX sensors show me anything in the events like telnet login?
> > > Anyone knows any diagnostic tool I can check whether the AIX sensor
> > > is working or not?
> > >
> > > Appreciate any comment.
> > > Thank you.
> > >
> > > Best regards,
> > > Kwan CK
> > >
> > > _______________________________________________
> > > ISSForum mailing list
> > > [email protected]
> > >
> > > TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
> > > https://atla-mm1.iss.net/mailman/listinfo/issforum
> > >
> > > To contact the ISSForum Moderator, send email to [EMAIL PROTECTED]
> > >
> > > The ISSForum mailing list is hosted and managed by Internet Security
> > > Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
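The check suggested in the thread (find out which file syslog writes to and whether it is the file the sensor reads), as an added example that is not part of the original messages or of the vendor's tooling. The function names and the sample config are hypothetical and constructed; the two paths are the ones quoted in the thread, and the config path and expected path are passed in as arguments.

```shell
# Print every absolute-path (file) destination in a syslog.conf-style file.
syslog_file_targets() {
    awk '
        /^[ \t]*#/ || NF < 2 { next }      # skip comments and blank/short lines
        {
            dest = $2                      # field 1 = selector, field 2 = destination
            sub(/^-/, "", dest)            # some syslogd variants allow a leading "-"
            if (dest ~ /^\//) print dest   # keep file paths, not @host or user names
        }
    ' "$1" | sort -u
}

# Return 0 if the expected file is a configured destination,
# 1 if syslog writes to other files only, 2 if it writes to no file at all.
check_sensor_log() {
    conf=$1
    expected=$2
    targets=$(syslog_file_targets "$conf")
    if [ -z "$targets" ]; then
        echo "no file destinations in $conf: syslog is not logging to a file"
        return 2
    fi
    if printf '%s\n' "$targets" | grep -Fxq -- "$expected"; then
        echo "ok: syslog writes to $expected"
        return 0
    fi
    echo "mismatch: sensor expects $expected, syslog writes to:"
    printf '%s\n' "$targets" | sed 's/^/  /'
    return 1
}

# Constructed sample config reproducing the mismatch described in the thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not taken from a real host
*.debug		/var/log/syslog.log rotate size 100k files 4
auth.notice	@loghost
EOF
check_sensor_log "$sample" /var/log/syslog || true
rm -f "$sample"
```

On a real host the first argument would be the system's syslog configuration file and the second the log path named in the sensor's documentation.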
