Security Basics mailing list archives

Linux auditd and Snare - events to look for


From: peenacolada69 () yahoo com
Date: Sat, 7 Apr 2012 23:43:44 GMT

I have some Linux servers.   I have set up auditd and Snare on them, in order to capture security-related log entries 
occurring on these servers.  (As a starting point, I am using Snare's pre-configured settings for Payment Card 
Industry, in order to quickly start capturing some security-related log entries). 

This generates > 100,000 log entries per day from each server.  I will likely store most of these log entries, in case 
one day a forensic investigation needs to be performed.

Now I need to find the "important" security-related events in these logs.  The stuff I would want to know about sooner 
rather than later.  Things like the auditing configuration being changed, a new user being added, software 
installation, etc.

My question is, what log entries/text strings is everyone else out there searching for?

I am looking for specifics.  For example, when a user is added, what are those one or two relevant strings to search 
for out of the hundreds or thousands of log entries created?  What are the strings you "grep" your Linux auditd/Snare 
logs for?  (Not the syslogs; auditd has different info than the syslogs).

TIA

Ely 
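As an added example that is not part of the original post: a small Python triage filter over native auditd records for the three event classes Ely names (user creation, audit-configuration changes, package installs). It assumes the raw auditd line format rather than Snare's reformatted output; the record types ADD_USER, DEL_USER, ADD_GROUP, CONFIG_CHANGE and SYSCALL are standard auditd types, while the sample records, field values and the `software_install` rule key are constructed for illustration.

```python
import re
from typing import Dict, List, Optional

# Record types that are worth an alert as soon as they appear.
HIGH_PRIORITY = {
    "ADD_USER": "user account created",
    "DEL_USER": "user account deleted",
    "ADD_GROUP": "group created",
    "CONFIG_CHANGE": "audit configuration or rules changed",
}
# Rule keys (auditctl -k NAME) that turn a plain SYSCALL record into an alert; constructed name.
WATCHED_KEYS = {"software_install": "package manager executed"}

HEADER = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<rest>.*)$")
FIELD = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")

def parse_record(line: str) -> Optional[Dict[str, str]]:
    """Split one native auditd line into its header and top-level key=value fields."""
    m = HEADER.match(line.strip())
    if not m:
        return None  # not an audit record (blank line, wrapped line, other log)
    rec = {"type": m["type"], "ts": m["ts"], "serial": m["serial"]}
    for key, val in FIELD.findall(m["rest"]):
        rec[key] = val.strip("\"'")
    return rec

def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Return only the records a responder should see first, each with a reason."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        reason = HIGH_PRIORITY.get(rec["type"])
        if reason is None and rec["type"] == "SYSCALL":
            reason = WATCHED_KEYS.get(rec.get("key", ""))
        if reason:
            alerts.append({"serial": rec["serial"], "type": rec["type"],
                           "auid": rec.get("auid", "?"), "reason": reason})
    return alerts

# Constructed sample records (not captured from a real host).
SAMPLE_LOG = [
    'type=USER_ACCT msg=audit(1333842200.101:400): pid=2100 uid=0 auid=1000 ses=3 msg=\'op=PAM:accounting acct="ely" exe="/usr/bin/sudo" terminal=pts/0 res=success\'',
    'type=ADD_USER msg=audit(1333842224.123:456): pid=2188 uid=0 auid=1000 ses=3 msg=\'op=adding user id=1001 exe="/usr/sbin/useradd" terminal=pts/0 res=success\'',
    'type=SYSCALL msg=audit(1333842250.300:458): arch=c000003e syscall=59 success=yes exit=0 auid=1000 uid=0 comm="rpm" exe="/bin/rpm" key="software_install"',
    'type=SYSCALL msg=audit(1333842251.300:459): arch=c000003e syscall=2 success=yes exit=3 auid=1000 uid=1000 comm="cat" exe="/bin/cat" key=(null)',
    'type=CONFIG_CHANGE msg=audit(1333842300.500:460): auid=1000 ses=3 op=remove_rule key="software_install" list=4 res=1',
]
```

Running `triage(SAMPLE_LOG)` keeps the ADD_USER, keyed SYSCALL and CONFIG_CHANGE records and drops the routine login and unkeyed syscall, which is the kind of reduction that turns 100,000 lines a day into a short review list.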
