Verified Answers

If an answer to your question is correct, click on "Verify Answer" under the "More" button. The answer will now appear with a checkmark. Please be sure to always mark answers that resolve your issue as verified. Your fellow Community members will appreciate it! Learn more

  • State Verified Answer
  • Replies replies
    6
  • Subscribers subscribers
    26
  • Views views
    477
  • Users 0 members are here
  • +1 person also asked this people also asked this
  • Locked Locked
Related
Options
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

VLOG filter file

davidkrotil
 

Hi,

I'm testing NSS auditing with VLOG and can't get it working. 

/opt/novell/vigil/bin/vlog --blockNssEventsOfVol DATA --filterFile /etc/opt/novell/vlog.conf --format CEF

in the vlog.conf is only this

:-roll -user_stop -user_start
DATA:/** (ADDTRUSTEE REMOVETRUSTEE SETINHERITEDRIGHTS) (*) (*)

I'm on OES 24.1

David

Tags:

  • 0

    I do it this way with sucess:

    /opt/novell/vigil/bin/vlog --blockNssEventsOfVol VOL1 --pattern "+VOL1:/PATH/** (*)" --format CSV -o <Path and file for the output>  -d

  • 0   in reply to 

    Tried not to use filter file, no change

    /opt/novell/vigil/bin/vlog --blockNssEventsOfVol DATA --pattern ":-roll -user_stop -user_start" --pattern "+DATA:/** (ADDTRUSTEE REMOVETRUSTEE SETINHERITEDRIGHTS)" --format CEF

    David

  • 0   in reply to   

    Can your command work to -- format CSV to separate out the CSV vs CEF part of it?

    ________________________

    Andy of KonecnyConsulting.ca in Toronto
    Please use the "Like" and/or "Verified Answers" as appropriate as that helps us all.

  • 0   in reply to   

    Still not working. I will open a ticket.

    P.S. I removed the filter pattern and I'm getting now events, looks like the pattern is the problem part.

    David

  • 0   in reply to   

    Yes, you have several things you are trying to focus on with those patterns.  If time was endless, the trial and error approach might get you there.  The first --pattern part (and that you could have two --pattern parts) is not one I am familiar with from my limited use of vlog to date, so it would be my first part to remove in any testing.

    ________________________

    Andy of KonecnyConsulting.ca in Toronto
    Please use the "Like" and/or "Verified Answers" as appropriate as that helps us all.

  • Verified Answer

    +1  

    Problem is this switch --blockNssEventsOfVol DATA , I misinterpreted function of this switch. It works without it.

    David

Resources

Support
Documentation
Learning Services
Partner Programs
Privacy
Compliance
Help
Company
Privacy Policy
Terms of Use
Cookies Preferences
Accessibility
Anti-Slavery Statement
Support
Contact Us
Careers
Code of Business Conduct and Ethics
The opinions expressed above are the personal opinions of the authors, not of OpenText. By using this site, you accept the Terms of Use. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.), Hewlett Packard Enterprise Company, or Micro Focus. As of January 31, 2023, the Material is now offered by OpenText, a separately owned and operated company. Any reference to the HP, Hewlett Packard Enterprise/HPE, and Micro Focus marks is historical in nature and the HP, Hewlett Packard Enterprise/HPE, and Micro Focus marks are the property of their respective owners.