AIX Auditing (xm_aixaudit)
This module parses events in the AIX Audit format. This module is normally used in combination with the im_file module to read events from a log file. An InputType is registered using the name of the module instance.
| To examine the supported platforms, see the list of installation packages. |
Configuration
The xm_aixaudit module accepts the following directives in addition to the common module directives.
Optional directives
This optional directive contains the path to the file with a list of audit events.
This file should contain events in |
Fields
The following fields are used by xm_aixaudit.
-
$raw_event(type: string) -
A list of event fields in key-value pairs.
-
$Command(type: string) -
The command executed.
-
$EventTime(type: datetime) -
The timestamp of the event.
-
$EventType(type: string) -
The type of event (for example,
login). -
$Login(type: string) -
Login name
-
$LoginUID(type: integer) -
Login UID
-
$ParentPID(type: integer) -
The parent process ID (PID).
-
$PID(type: integer) -
The process ID (PID).
-
$Real(type: string) -
Real user name
-
$RealUID(type: integer) -
Real user ID
-
$Status(type: integer) -
The status ID of the event.
-
$Thread(type: integer) -
The kernel thread ID, local to the process.
-
$Verbose(type: string) -
The audit record verbose description
-
$WPARkey(type: string) -
Workload Partition key
-
$WPARname(type: string) -
Workload Partition name
Examples
This configuration reads AIX audit logs from file and parses them with the InputType registered by xm_aixaudit.
<Extension aixaudit>
Module xm_aixaudit
EventsConfigFile modules/extension/aixaudit/events
</Extension>
<Input in>
Module im_file
File "/audit/audit3.bin"
InputType aixaudit
ReadFromLast FALSE
Exec delete($EventReceivedTime);
Exec delete($Login);
Exec delete($WPARname);
Exec delete($Real);
Exec to_json();
</Input>