Hi again list,

My team is trying to find a way to monitor logins, logouts, and failed logins on HP-UX using OSSEC. Problem is, HP-UX only records these in the binary wtmp and btmp files.

We've experimented with a few different methods that involve the process monitor, but they're all network-intensive, difficult for an analyst to understand, and/or unreliable. We've tried using check_diff to monitor the output of last; using the Unix diff command to compare previous and new outputs from last; and generating diff output into the regular syslog. None of these has worked well enough to deploy in the field.

Has anyone ever tried something similar? Is there any way to configure OSSEC to use the HP-UX shell to alert on logins?

Thanks!
-Alisha Kloc
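One way to make the "diff the output of last into syslog" approach from the post more dependable is to keep a snapshot per command and emit only new records as key=value syslog lines that a simple OSSEC decoder can match. This is an added example, not code from the original post or from OSSEC; the state directory path and the assumption that last(1) prints "user tty host <date and time>" per line are mine, so adjust format_record if HP-UX's column order differs.

```sh
#!/bin/sh
# Print login records that are new since the previous run, one per line in
# key=value form, so the output can be piped to logger(1) and picked up by an
# OSSEC syslog decoder. State directory and the last(1) column layout are
# assumptions, not taken from the original post.

STATE_DIR="${STATE_DIR:-/var/opt/ossec-login-state}"   # assumed path

# Lines present in the current file ($2) but absent from the snapshot ($1).
# FILENAME is compared with ARGV[1] rather than using the NR==FNR idiom so an
# empty first snapshot still reports every current line as new.
# The whole line is the key, so two logins by the same user on the same tty
# within the same minute collide: that is the inherent caveat of diffing the
# text output of last instead of reading wtmp/btmp records directly.
new_records() {
    awk 'FILENAME == ARGV[1] { seen[$0] = 1; next } !($0 in seen)' "$1" "$2"
}

# Reformat a last(1) line ("user tty host <date/time>") as key=value pairs.
# Lines with fewer than three fields (e.g. the "wtmp begins" footer) are dropped.
format_record() {
    awk 'NF >= 3 { user = $1; tty = $2; host = $3; $1 = $2 = $3 = ""
                   sub(/^ +/, "")
                   printf "user=%s tty=%s src=%s when=\"%s\"\n", user, tty, host, $0 }'
}

# Run the given command (e.g. last), print records not present in the saved
# snapshot, then replace the snapshot. Intended cron usage:
#   report_new_logins last | logger -t hpux-login
report_new_logins() {
    name=$(basename "$1")
    snap="$STATE_DIR/$name.snap"
    cur="$STATE_DIR/$name.cur"
    mkdir -p "$STATE_DIR" && : >> "$snap" || return 1
    "$@" > "$cur" 2>/dev/null || return 1
    new_records "$snap" "$cur" | format_record
    mv "$cur" "$snap"
}
```

The decoder side then only has to pick up the user=, tty=, src= fields from the resulting syslog line; failed logins can be handled the same way by pointing the snapshot at whatever command renders btmp on the host.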
