AIX Auditing (xm_aixaudit)
This module parses events in the AIX Audit format. It is normally used together with the im_file module to read events from an audit log file; an InputType is registered under the name of the module instance. See also im_aixaudit, which reads audit events directly from the kernel and is the recommended choice when NXLog Agent runs on the AIX host itself.
To examine the supported platforms, see the list of installation packages.
Configuration
The xm_aixaudit module accepts the following directives in addition to the common module directives.
Optional directives
EventsConfigFile
This optional directive contains the path to the file with a list of audit events. This file should contain events in
Fields
The following fields are used by xm_aixaudit.
$raw_event (type: string) - A list of event fields in key-value pairs.

$Command (type: string) - The command executed.

$EventTime (type: datetime) - The timestamp of the event.

$EventType (type: string) - The type of event (for example, login).

$Login (type: string) - The login name.

$LoginUID (type: integer) - The login UID.

$ParentPID (type: integer) - The parent process ID (PID).

$PID (type: integer) - The process ID (PID).

$Real (type: string) - The real user name.

$RealUID (type: integer) - The real user ID.

$Status (type: integer) - The status ID of the event.

$Thread (type: integer) - The kernel thread ID, local to the process.

$Verbose (type: string) - The verbose description of the audit record.

$WPARkey (type: string) - The Workload Partition (WPAR) key.

$WPARname (type: string) - The Workload Partition (WPAR) name.
Examples
This configuration reads AIX audit logs from file and parses them with the InputType registered by xm_aixaudit.
<Extension aixaudit>
    Module              xm_aixaudit
    # Path to the file listing the audit events to parse
    EventsConfigFile    modules/extension/aixaudit/events
</Extension>
<Input in>
    Module              im_file
    File                "/audit/audit3.bin"
    # Use the parser registered by the xm_aixaudit instance above
    InputType           aixaudit
    # Read the whole file, not only records appended after start-up
    ReadFromLast        FALSE
    # Drop fields that are not wanted in the JSON output
    Exec                delete($EventReceivedTime);
    Exec                delete($Login);
    Exec                delete($WPARname);
    Exec                delete($Real);
    Exec                to_json();
</Input>
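The fields listed above are what a downstream consumer sees once the pipeline in the example above has serialised each record with to_json(). The following Python script, an added example that is not part of the NXLog documentation or the NXLog code base, reads such JSON lines and does two things a practitioner typically wants from AIX audit data: flag sessions whose real UID no longer matches the login UID (an identity change after authentication, as with su), and rebuild the process chain of a given PID from the ParentPID links. It assumes that to_json() emits the field names without the leading "$" and that EventTime is an ISO 8601 string; the sample records, the event type names and all UIDs, PIDs and commands in them are constructed for illustration and are not real AIX audit output. The fields deleted by the example configuration (Login, Real, WPARname) are accordingly absent from the sample.

```python
"""Post-process JSON records produced by the xm_aixaudit + im_file pipeline.

Added example, not NXLog code. Assumes one JSON object per line with the
xm_aixaudit field names as keys (no leading '$') and an ISO 8601 EventTime.
"""
import json
from collections import Counter
from datetime import datetime

# Constructed sample records (not real AIX audit output). The last line is a
# deliberately truncated record to show that malformed input is skipped.
SAMPLE_JSON_LINES = """\
{"EventTime":"2024-05-01T10:00:00+00:00","EventType":"USER_Login","Status":0,"LoginUID":1001,"RealUID":1001,"PID":4242,"ParentPID":1,"Thread":1,"Command":"login","Verbose":"user: alice tty: /dev/pts/0","WPARkey":"global"}
{"EventTime":"2024-05-01T10:00:05+00:00","EventType":"USER_SU","Status":0,"LoginUID":1001,"RealUID":0,"PID":4300,"ParentPID":4242,"Thread":1,"Command":"su","Verbose":"su to root","WPARkey":"global"}
{"EventTime":"2024-05-01T10:00:09+00:00","EventType":"PROC_Execute","Status":0,"LoginUID":1001,"RealUID":0,"PID":4310,"ParentPID":4300,"Thread":1,"Command":"cat","Verbose":"cat /etc/security/passwd","WPARkey":"global"}
{"EventTime":"2024-05-01T10:00:12+00:00","EventType":"PROC_Exec
"""


def parse_records(text):
    """Parse JSON lines into dicts, converting EventTime to a datetime.

    Lines that are not valid JSON (e.g. a record cut off at file rotation)
    are skipped so one bad line does not abort processing of the batch.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        rec["EventTime"] = datetime.fromisoformat(rec["EventTime"])
        records.append(rec)
    return records


def identity_changes(records):
    """Records whose real UID differs from the UID the session logged in as."""
    return [r for r in records if r["RealUID"] != r["LoginUID"]]


def root_from_unprivileged_login(records):
    """Identity changes where a non-root login is now acting as root (UID 0)."""
    return [r for r in identity_changes(records)
            if r["RealUID"] == 0 and r["LoginUID"] != 0]


def event_type_counts(records):
    """Count records per EventType, useful as a quick baseline of audit volume."""
    return Counter(r["EventType"] for r in records)


def session_chain(records, pid):
    """Follow ParentPID links from pid back to the oldest ancestor present in
    this batch of records. Returns the chain oldest-first. A `seen` set guards
    against PID reuse producing a cycle within the batch."""
    by_pid = {r["PID"]: r for r in records}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ParentPID"]
    chain.reverse()
    return chain


if __name__ == "__main__":
    recs = parse_records(SAMPLE_JSON_LINES)
    print("parsed records:", len(recs))
    print("events by type:", dict(event_type_counts(recs)))
    for r in root_from_unprivileged_login(recs):
        chain = " -> ".join(c["Command"] for c in session_chain(recs, r["PID"]))
        print(f"{r['EventTime'].isoformat()} login UID {r['LoginUID']} acting as root: "
              f"{r['Command']} (chain: {chain})")
```

The PID-chain reconstruction only works within the set of records you feed it; an ancestor that was audited before the batch started, or that the events file does not select for auditing, simply terminates the chain, so treat a short chain as "unknown ancestry" rather than as proof that a process had none.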