With a recent vulnerability I was working to set up a form of alert when a user attempts to access the TMUI / GUI with a string of characters that is used for remote code execution so that we could be alerted if such an event happens.
However this no longer shows up in just the audit logs as it used to. I discovered that starting in version 14 they moved these logs to /bin/logger and whlie I was able to verify that those logs exist locally, I need to figure out how to get those logs included in what gets sent to our remote loggers so that we can create an alert on our SIEM.
Anyone familiar with this and have any ideas?
FYI I already have a HSL pool with Log publishers (local and HSL log destinations) and filters set up. Those work fine but only for logs that are in /var/logs like everything used to be prior to 14. I am now running 15.1.0.