In part 1 and part 2 we installed ACS for collection Windows and Linux events. In part 3 I am going to show how the cross platform ACS works in an easy example.
In part 2 we had a close look at a specific rule called Delete User. I think this is a perfect example to see how the process runs.
First we create a user account, set a password for this account and delete this user afterwards. Sound silly, but it is a good example to see what happens. Ok, let’s do it…
Setting User Account
Start a terminal on Linux01.bigfirm.com and type the following commands…
- Create user “myuser02” => useradd myuser02
- Set password => passwd myuser02
- Delete user => userdel myuser02
Note: If you want to look at the last ten lines of a log file e.g. /var/log/messages you can type:
tail –f /var/log/messages
Here just an example how it looks like…
View Windows Security Event Log
After we have created the user myuser02 lets jump to the Windows security event log of MS01.bigfirm.com and surprise, surprise we will see there many events which are continually growing…
To get a better overview, we need to filter the event log. We have seen that the event ids which are logged by the cross platform rules are in the range of event id 27000 to 27100. Therefore we are going to apply an event log filter…
Immediately we just have those events visible we are interested in. In this example we see that the Linux monitoring account monuser elevates its permission using sudo.
Note: If you are going to monitor a UNIX/Linux server you need to specify an account to interact with the UNIX/Linux system. If this account needs permission to access certain log files it will grab the necessary permission by elevating using sudo, similar to “Run As” in Windows. This is what we are seeing here…cool 
.
At the beginning of this post we created a user myuser02. Soon after we typed the command, this action gets logged and presented in the Windows event log. If you look closely you will see the command useradd in the event…
Another event that appears is the password change, again you will see the passwd command in the event…
And finally the deletion of the user…
Note: The event id of the user deletion is 27005. The same event id we have seen in the rule in part 2.
Running Reports
Now let’s check the reports…
Go to the Reporting section to Cross Platform Audit Reports and start Unix_Forensic_-_All_Events_For_Specified_Computer and in provide the source Linux computer name…
I this example you will find our friendly event id 27005. The funny / sad thing is, that the reports are still from SCOM 2007 ….
Let’s try another report from the Audit Reports section Forensic_-_All_Events_With_Specified_Event_ID and submit the event id 27005…
In this updated SCOM 2012 report we just see when those events occurred…
We have seen how the events from Linux are submitted and how the reports look like. There are many other events and reports you could try out…
Have fun!
Can this be done in powershell do you know ? as would also be useful to know if working from core servers