Unix
Unix allows you to monitor and identify threats in your organization using Unix data. Logpoint aggregates and normalizes the Unix logs so you can analyze the information through dashboards and security reports. Unix dashboards and reports provide visualization of event details for authentication requests, privilege escalation and user account management of the Unix environment detected in your network.
Key Information
Activate the label packages to apply specific labels and group similar logs together. To learn more, go to Activating Labels Packages.
Enhancements
Description | Issue ID | Reference ID |
---|---|---|
Added Syslog Collector based Linux log source template, simplifying the log source configuration process. To learn more, go to Creating Log Source via a Template. | KB-22616 | - |
Past Released
Unix v5.3.0
Release Date: April 25, 2023
Supported On: Logpoint v6.7.0 and later
Download: Unix_5.3.0.pak
SHA256: cbf49fc62a2a205a7de2b9538c7bc350dae74476bba3028d490f710fa6c2e711
Enhancements
Description | Issue ID | Reference ID |
---|---|---|
Added a new LP_Dell Data Domain normalization package to normalize the Dell Data Domain logs. | KB-16520 | 65243 |
Added a new signature in LP_Kernel to normalize Unix Kernel's new log format. | | |
Added new signatures in LP_Unix Crond, LP_Unix Rsyslogd and LP_Unix SU to normalize the new Crond, Rsyslogd and Switch User (SU) log formats. | KB-19146, KB-16688, KB-18334 | 70988, 65994, 68980 |
Updated the versions of UnixSysmonCompiledNormalizer, UnixCompiledNormalizer and UnixAuditLogNormalizer to be compatible with the latest Unix version. | | |
Updated the user field in the UnixCompiledNormalizer to accept only a username as its value; to assign a domain name, use the new domain field. Previously, user accepted both a username and a domain name as its value. | KB-19738 | 71731 |
Added the Authentication label for UnixCompiledNormalizer. | KB-18097 | 68372 |
Replaced status=Accepted with status=Successful in the UnixCompiledNormalizer to maintain consistency. | | |
Updated LP_Unix Syslog NG and LP_Unix Inetd to normalize the Syslog NG and SSHD log formats correctly. | KB-12244, KB-17227, KB-17429 | 52334, 67195 |
The following fields are updated and mapped to the Logpoint taxonomy to maintain consistency: | | |
Updated signatures in LP_Unix Ipmserver, LP_Unix Systemd and LP_Unix Named. | KB-18878 | 68790 |
Updated UnixCompiledNormalizer to normalize the Snort log format correctly. | KB-19027 | 70682 |
All the argument fields of Unix Audit logs with the EXECVE event are combined into a single key. | KB-17987 | |
Added new signatures and labels in LP_Unix Generic to normalize the Debian Package Manager (DPKG) logs correctly. | KB-17501 | 67571, 68665 |
Added new signatures in LP_Unix Crond and LP_Unix Systemd to normalize Crond and Systemd logs. | KB-16688, KB-17143 | 65994, 67153 |
Bug Fixes
The following issues are fixed:
Description | Issue ID | Reference ID |
---|---|---|
Some Systemd logs were not normalized by LP_Unix Systemd. | KB-19438 | 71705 |
The file field was incorrectly mapped as target_file for the EventData_TargetFilename file in UnixSysmonCompiledNormalizer. | KB-17545 | |
The host field was not properly parsed by UnixAuditLogNormalizer: it took two different hostnames as a field value. | KB-17405 | 67530 |
Unix v5.2.1
Release Date: May 16, 2022
Supported On: Logpoint v6.7.0 and later
Download: Unix_5.2.1.pak
SHA256: e443d60945b932ac689f6caf182779120091b40cdb56f5d76c53027818a6206b
Enhancements
Description | Issue ID | Reference ID |
---|---|---|
Updated the proctitle field in the UnixAuditLogNormalizer to capture the value in ASCII format. Previously, proctitle captured the value only in hex format. | KB-16135 | - |
Updated UnixAuditLogNormalizer to normalize the Enriched Auditd log format correctly. | KB-16136 | - |
Added new signatures in LP_Unix Systemd to normalize Unix Systemd's new log format. | KB-16252 | 64580 |
Updated signatures in LP_Unix Dockerd to normalize Unix Dockerd's new log format. | | |
Added the LP_Unix Possible DNS Server Modified alert. | KB-16664 | - |
Modified the query of the following Unix alerts: | | |
Removed the following Unix alerts: | | |
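The two auditd-related changes in these release notes (v5.2.1 capturing proctitle as ASCII instead of hex, and v5.3.0 combining the EXECVE argument fields into a single key) are easier to reason about with a concrete parser. The following is an added Python example, not Logpoint's normalizer code: the field names `command` and `proctitle` in its output and the two sample audit records are constructed for the example. It hex-decodes the proctitle (auditd separates the original arguments with NUL bytes), decodes any EXECVE argument that auditd emitted as bare hex because it contained a space or control character, and joins a0..a{argc-1} into one shell-quoted string so an argument with embedded spaces stays distinguishable.

```python
import re
import shlex
from typing import Dict, List, Optional

# Constructed sample auditd records: one EXECVE record and the PROCTITLE record of
# the same event (serial 4567). The third argument and the proctitle are hex-encoded,
# which is what auditd does when a value contains a space, a quote or a control byte.
SAMPLE_RECORDS = [
    'type=EXECVE msg=audit(1683000000.123:4567): argc=3 a0="cat" a1="/etc/passwd" a2=2F746D702F666F6F20626172',
    'type=PROCTITLE msg=audit(1683000000.123:4567): proctitle=636174002F6574632F706173737764002F746D702F666F6F20626172',
]

_HEADER = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$'
)
# A field value is either a double-quoted string or a bare token (hex, number, name).
_FIELD = re.compile(r'(?P<key>[\w-]+)=(?P<value>"[^"]*"|\S+)')


def decode_value(raw: str) -> str:
    """Printable form of an auditd value that may be hex-encoded (aN, proctitle).

    Quoted values are returned without the quotes. Bare values are hex-decoded;
    NUL bytes (argument separators inside proctitle) become spaces. Only call this
    on fields auditd is known to hex-encode: a bare uid=1234 is not hex.
    """
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    try:
        return bytes.fromhex(raw).decode("utf-8", errors="replace").replace("\x00", " ")
    except ValueError:
        return raw  # not a hex string: keep it as written


def parse_record(line: str) -> Optional[Dict[str, str]]:
    """Split one auditd line into {'type', 'ts', 'serial', <field>: <raw value>, ...}."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "ts": m["ts"], "serial": m["serial"]}
    for f in _FIELD.finditer(m["body"]):
        rec[f["key"]] = f["value"]
    return rec


def combine_execve_args(rec: Dict[str, str]) -> str:
    """Join a0..a{argc-1} of an EXECVE record into a single shell-quoted command string."""
    argc = int(rec.get("argc", "0"))
    args = [decode_value(rec[f"a{i}"]) for i in range(argc) if f"a{i}" in rec]
    return shlex.join(args)


def normalize(lines: List[str]) -> Dict[str, Dict[str, str]]:
    """Group records by audit event serial and emit one flat event per serial.

    The constructed output keys are: ts, argc, command (joined EXECVE args) and
    proctitle (ASCII form of the PROCTITLE record).
    """
    events: Dict[str, Dict[str, str]] = {}
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue  # not an auditd record; a real collector would count these
        ev = events.setdefault(rec["serial"], {"ts": rec["ts"]})
        if rec["type"] == "EXECVE":
            ev["argc"] = rec.get("argc", "0")
            ev["command"] = combine_execve_args(rec)
        elif rec["type"] == "PROCTITLE" and "proctitle" in rec:
            ev["proctitle"] = decode_value(rec["proctitle"])
    return events


if __name__ == "__main__":
    for serial, event in normalize(SAMPLE_RECORDS).items():
        print(serial, event)
```

Keeping `command` shell-quoted rather than space-joined matters for detection content: a search for a file path argument should not be fooled by an argument that merely contains that path plus a space, and the separately decoded `proctitle` gives the analyst the process's own view of its command line for cross-checking.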
Bug Fixes
The following issues are fixed:
Description | Issue ID | Reference ID |
---|---|---|
Some sshd and systemd logs were not normalized by LP_Unix SSHD and LP_Unix Systemd. | KB-16135 | 63617 |
Some Unix logs with the User Add/Delete to Group event were not properly normalized. | KB-16396 | - |
Unix v5.2.0
Release Date: February 04, 2022
Supported On: Logpoint v6.7.0 or later
Enhancements
SN | Description | Issue ID | Reference ID |
---|---|---|---|
1 | New normalization packages are added: | - | - |
2 | A new compiled normalizer UnixSysmonCompiledNormalizer is added to normalize the Sysmon logs. | KB-15459 | 61052 |
3 | New signatures are added in the following normalization packages: | KB-15573, KB-15662, KB-15651, KB-14167 | 61917, 62324, 62215, 59794 |
4 | New signatures are added in the UnixCompiledNormalizer to normalize the sshd, systemd and dbus-daemon logs. | KB-14167 | 59794 |
5 | Session and Start labels are added for the session logs in LP_Unix Systemd. | KB-15654 | 62215 |
6 | The Unix alerts are enhanced. To learn more, go to the Appendix section in the Unix v5.2.0 guide. | - | - |
Unix v3.4.0
Release Date: May 14, 2020
Supported On: Logpoint v6.0.0 to v6.6.6
Download: Unix_3.4.0.pak
SHA256: cbeacc05aed273ffe6021d9588fad496180d9e70433a48da195784719f1521bb
Unix has been upgraded to support Logpoint v6.7.0.
Enhancement
A minor update has been done in Unix’s normalizer for better signature handling.
Support
If you have any questions or require assistance, create a support ticket.
Hi, are there any alert packages for Unix? Thanks.