2 Replies Latest reply on Apr 22, 2008 3:10 PM by Stephen Moss

    About logging and tracking

    Gerardo Bartoccini
      I have been requested to put together a proposal for BladeLogic as a tool for logging and tracking purposes.


      They know we can do more, but in this particular case we have to fulfill only these requirements.


      Hopefully this will be a way of getting a new customer, to whom we will show all our features later on.

      What I’m looking for now, is if anyone there has already produced a document about this, including


      1) how to report on keystroke logs (this comes from several customers)


      2) how to collect logs and make them usable


      3) how to restrict access to servers other than through BladeLogic


      4) how to create tracking tools through audits etc. (we will include something called Configuration Drift here)

      Anything similar to this, if not exactly this, will be highly helpful.

        • 1. Re: About logging and tracking

          Here are my thoughts on the subject:


          1) Keystroke logs only kick in when you run nexec commands. Otherwise it's standard rscd logging - in which case normal Reports User Activity will give this to you. This is especially useful if someone starts another shell such as ksh/bash/whatever - as it starts logging what the user does within this session. You could use the standard activity report to see who started a session and then use blkeylogman against the server to see the details.


          2) I think (need to check) you can forward the keystroke logs to syslogs on a server. From here you can forward to a log server if you need to centralise them. Depends on what your idea of usable is I guess :-). Alternatively/additionally I guess as a 'hack' you could create an extended object to list the logs and run compliance to look for specific actions.


          3) Probably easiest from a firewall. Alternatively just stop all telnet/ssh/ftp services. You'd always need some type of ILO access I would have thought. Would make managing Windows servers very difficult as well.


          4) Also you can set up access alerts for objects. Also remember you can define audit trails and alerts in system authorizations.

          • 2. Re: About logging and tracking

            On point #3 yes an iptables/ipf firewall would work.


            Alternatively tcpwrappers might with BL - anyone know? If you put an entry into the /etc/services and referenced it might that not work? Red Hat should have it installed by default - not sure about other OSes.


            I don't have a decent setup in order to test it for you using BL (still setting up my demo env... ugh).


            If you give it a shot there should not be much to it:

            Make sure you add each port/service needed by BL to the /etc/services file.


            The most secure way to configure tcpwrappers is to deny everything by default.


            /etc/hosts.deny should contain only the line


            ALL: ALL


            Then you can add services to /etc/hosts.allow as appropriate. For example


            swat: 192.168.5. : severity notice

            sshd: KNOWN : severity notice

            ALL: LOCAL : severity notice


            You do not need to restart anything after changing these files. They are reread every time a connection is made.


            More info here:
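As an added illustration (not code from the post or from BladeLogic), here is a small Python evaluator of the tcpwrappers decision order the reply relies on: /etc/hosts.allow is consulted first and the first match grants access, then /etc/hosts.deny where the first match denies, and a connection matching neither file is allowed. It runs against the exact rules quoted in the reply; the daemon names, client addresses and hostnames are constructed, and trailing options such as "severity notice" are parsed but ignored.

```python
# Constructed copies of the two files from the reply above.
HOSTS_DENY = "ALL: ALL\n"
HOSTS_ALLOW = """\
swat: 192.168.5. : severity notice
sshd: KNOWN : severity notice
ALL: LOCAL : severity notice
"""


def parse_rules(text):
    """Return [(daemon_list, client_list), ...]; any third field (options) is ignored."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {line!r}")
        rules.append(([d.strip() for d in fields[0].split(",")],
                      [c.strip() for c in fields[1].split(",")]))
    return rules


def match_client(pattern, addr, hostname):
    """hostname is the reverse-resolved name of addr, or None if lookup failed."""
    if pattern == "ALL":
        return True
    if pattern == "KNOWN":                 # both name and address are known
        return hostname is not None
    if pattern == "UNKNOWN":
        return hostname is None
    if pattern == "LOCAL":                 # a name without a dot, i.e. local domain
        return hostname is not None and "." not in hostname
    if pattern.endswith("."):              # leading address fragment, e.g. 192.168.5.
        return addr.startswith(pattern)
    if pattern.startswith("."):            # trailing name fragment, e.g. .corp.example
        return hostname is not None and hostname.endswith(pattern)
    return pattern == addr or pattern == hostname   # exact address or hostname


def matches(rules, daemon, addr, hostname):
    return any(any(d in ("ALL", daemon) for d in daemons)
               and any(match_client(c, addr, hostname) for c in clients)
               for daemons, clients in rules)


def access_allowed(daemon, addr, hostname=None,
                   allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """True if tcpwrappers would accept this connection under the given files."""
    if matches(parse_rules(allow_text), daemon, addr, hostname):
        return True
    if matches(parse_rules(deny_text), daemon, addr, hostname):
        return False
    return True                            # neither file matched: default is allow
```

Note that with the deny-all file in place, the agent daemon (rscd in the first reply) only stays reachable through the "ALL: LOCAL" line, so a client whose reverse lookup fails or returns a fully qualified name is refused.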