In case anyone runs into a similar issue with this: Tripwire's documentation shows that, instead of using syslog, their default facility is user.log. However, even after adjusting our connector, still no go. I finally went through the list of facilities, testing, viewing, capturing. Finally hit the sweet spot. The Tripwire box, in our case, is using local0 for login/logout, change events, etc. So after adjusting our LEM connector to local0, all is well now. No mention of this in our .conf file that I could see. Even their support had no answers. Oh well, lesson learned I suppose. Long live LEM!
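The "go through the list of facilities" step above can be shortened by decoding the facility straight from the syslog PRI value on a captured sample. The following Python script is an added example, not code from the original post, Tripwire or SolarWinds LEM: it decodes `<PRI>` headers per RFC 5424 (facility = PRI / 8, severity = PRI mod 8), tallies which facilities a source actually emits, and reports the dominant one so the connector can be pointed at the right facility. The sample messages are constructed for illustration; the message bodies are hypothetical and not real Tripwire log formats.

```python
import re
from collections import Counter

# Standard syslog facility codes (RFC 5424, section 6.2.1).
FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    12: "ntp", 13: "logaudit", 14: "logalert", 15: "clock",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}

# Standard syslog severity codes (RFC 5424, section 6.2.1).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# A raw syslog message starts with "<PRI>" where PRI is 0..191.
PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(line):
    """Return (facility_name, severity_name) for a raw syslog line, or None
    if the line has no valid PRI header."""
    match = PRI_RE.match(line)
    if not match:
        return None
    pri = int(match.group(1))
    if pri > 191:          # 23 facilities * 8 severities - 1 is the maximum
        return None
    facility = FACILITIES.get(pri // 8, "unknown")
    severity = SEVERITIES[pri % 8]
    return facility, severity


def tally_facilities(lines):
    """Count how many messages each facility produced across a capture.
    Lines without a decodable PRI are counted under 'no-pri'."""
    counts = Counter()
    for line in lines:
        decoded = decode_pri(line)
        counts[decoded[0] if decoded else "no-pri"] += 1
    return counts


def dominant_facility(lines):
    """Return the facility that carried the most messages, which is the one
    the log connector should be configured to read."""
    counts = tally_facilities(lines)
    counts.pop("no-pri", None)
    if not counts:
        return None
    return counts.most_common(1)[0][0]


# Constructed sample capture: the message bodies are hypothetical, chosen
# only so the PRI values exercise local0 (16), user (1) and auth (4).
SAMPLE_CAPTURE = [
    "<133>Jan 10 12:00:01 fim-host fim: login user=admin result=success",
    "<134>Jan 10 12:00:05 fim-host fim: change event path=/etc/passwd",
    "<131>Jan 10 12:00:09 fim-host fim: integrity check failed rule=critical",
    "<13>Jan 10 12:00:12 fim-host fim: daemon started",
    "<38>Jan 10 12:00:15 fim-host sshd: session opened for user admin",
    "Jan 10 12:00:20 fim-host unparsed line without a PRI header",
]

if __name__ == "__main__":
    for line in SAMPLE_CAPTURE:
        print(decode_pri(line), "<-", line[:40])
    print("facility tally:", dict(tally_facilities(SAMPLE_CAPTURE)))
    print("configure connector for facility:", dominant_facility(SAMPLE_CAPTURE))
```

Feed it the output of a packet capture or a raw-syslog spool from the source host (one message per line, PRI header intact); if the collector has already stripped the `<PRI>` prefix, the tally reports only `no-pri`, which itself tells you that facility inspection has to happen upstream of the collector.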