AIX Auditing (xm_aixaudit)

This module parses events in the AIX Audit format. It is normally used together with the im_file module to read events from an audit log file; an InputType is registered under the name of the module instance. See also im_aixaudit, which reads audit events directly from the kernel and is the recommended choice when NXLog Agent runs on the AIX system itself.

To examine the supported platforms, see the list of installation packages.

Configuration

The xm_aixaudit module accepts the following directives in addition to the common module directives.

Optional directives

EventsConfigFile

This optional directive specifies the path to a file listing the audit events to be parsed, one per line, in the form AuditEvent = FormatCommand. The AuditEvent is the name of an AIX audit event (the stock definitions live in /etc/security/audit/events, and the file-object events referenced there are defined under /etc/security/audit/objects), and the FormatCommand is the auditpr formatting command used to render that event's record tail. Events that are not listed in this file have no format definition. For more information, see IBM's documentation on the AIX Auditing subsystem.
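The following is an added example, not part of the NXLog documentation or product, showing what an EventsConfigFile in the AuditEvent = FormatCommand layout looks like and how to sanity-check one before pointing the directive at it. The embedded file content is constructed for illustration (it imitates the printf-style formats of the stock AIX events file but is not copied from a system), and the helper names (parse_events_config, format_arg_count, undefined_events, is_well_formed) are my own.

```python
import re

# Constructed sample of an EventsConfigFile in AuditEvent = FormatCommand
# layout. The entries imitate the printf-style auditpr formats of the stock
# AIX /etc/security/audit/events file; they are illustrative, not a real copy.
SAMPLE_EVENTS_FILE = """\
* audit event definitions (constructed sample, not a real system file)
auditpr:
PROC_Create = printf "forked child process %d"
PROC_Delete = printf "exited child process %d"
PROC_Execute = printf "euid: %d egid: %d epriv: %x:%x name %s"
USER_Login = printf "user: %s tty: %s"
FILE_Open = printf "flags: %d mode: %o fd: %d filename %s"
"""

# One entry: an event name, '=', then the rest of the line is the FormatCommand.
ENTRY_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(\S.*?)\s*$")
# printf conversion specifiers as used in auditpr format strings.
SPEC_RE = re.compile(r"%[-+ #0]*\d*(?:\.\d+)?[diouxXcs]")


def parse_events_config(text):
    """Map each AuditEvent name to its FormatCommand.

    Lines starting with '*' are comments; blank lines and stanza header lines
    (a bare word ending in ':') are skipped. A duplicate event name raises,
    because the file would then be ambiguous about which format applies.
    """
    events = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("*") or (line.endswith(":") and "=" not in line):
            continue
        match = ENTRY_RE.match(line)
        if match is None:
            raise ValueError("line %d is not in AuditEvent = FormatCommand form: %r" % (lineno, raw))
        name, fmt = match.group(1), match.group(2)
        if name in events:
            raise ValueError("duplicate definition of %s on line %d" % (name, lineno))
        events[name] = fmt
    return events


def is_well_formed(text):
    """True when the whole file parses without errors or duplicates."""
    try:
        parse_events_config(text)
    except ValueError:
        return False
    return True


def format_arg_count(format_command):
    """Number of printf conversions a FormatCommand consumes.

    Comparing this count between two definitions of the same event (a site
    file against the stock one, say) catches formats that would decode the
    record tail with the wrong number of fields.
    """
    return len(SPEC_RE.findall(format_command))


def undefined_events(events, observed_event_types):
    """Event types seen in an audit stream that the file gives no format for."""
    return sorted(set(observed_event_types) - set(events))


if __name__ == "__main__":
    config = parse_events_config(SAMPLE_EVENTS_FILE)
    for name, fmt in config.items():
        print("%-14s %d arg(s)  %s" % (name, format_arg_count(fmt), fmt))
    print("undefined:", undefined_events(config, ["PROC_Create", "USER_SU", "FILE_Open"]))
```

Run it against a real events file by replacing SAMPLE_EVENTS_FILE with the file's contents; the list returned by undefined_events, fed with the distinct $EventType values you see in the parsed output, tells you which events still need a definition.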

Fields

The following fields are used by xm_aixaudit.

$raw_event (type: string)

A list of event fields in key-value pairs.

$Command (type: string)

The command executed.

$EventTime (type: datetime)

The timestamp of the event.

$EventType (type: string)

The type of event (for example, login).

$Login (type: string)

The login name.

$LoginUID (type: integer)

The login UID, i.e. the UID of the user who started the session.

$ParentPID (type: integer)

The parent process ID (PID).

$PID (type: integer)

The process ID (PID).

$Real (type: string)

The real user name.

$RealUID (type: integer)

The real user ID of the process.

$Status (type: integer)

The status code of the audited operation.

$Thread (type: integer)

The kernel thread ID, local to the process.

$Verbose (type: string)

The verbose description of the audit record, as rendered by the event's FormatCommand.

$WPARkey (type: string)

The Workload Partition (WPAR) key.

$WPARname (type: string)

The Workload Partition (WPAR) name.

Examples

Example 1. Parsing AIX audit events

This configuration reads an AIX audit log from a file with im_file and parses it with the InputType registered by the xm_aixaudit instance. The Exec statements drop fields that are not needed downstream and convert each record to JSON.

nxlog.conf
<Extension aixaudit>
    Module              xm_aixaudit
    EventsConfigFile    modules/extension/aixaudit/events
</Extension>

<Input in>
    Module              im_file
    File                "/audit/audit3.bin"
    InputType           aixaudit
    ReadFromLast        FALSE
    Exec                delete($EventReceivedTime);
    Exec                delete($Login);
    Exec                delete($WPARname);
    Exec                delete($Real);
    Exec                to_json();
</Input>
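As an added example that is not part of the NXLog documentation, the following Python post-processor consumes JSON records of the shape the configuration above emits (one object per line, field names without the leading $) and applies three checks that the field list makes possible: processes whose $RealUID no longer matches the $LoginUID of their session, per-session counts of failed events of one type, and a sequence of failed USER_SU attempts followed by a successful one. The records are constructed for illustration and are not captured from an AIX system; the treatment of Status 0 as success is an assumption made here, and the function names are mine.

```python
import json

# Constructed JSON records shaped after the xm_aixaudit field list, as the
# example configuration's to_json() would emit them. Invented for
# illustration; not captured from a real AIX system.
SAMPLE_JSON_LINES = [
    '{"EventTime":"2024-05-01 10:15:02","EventType":"USER_Login","Status":0,'
    '"LoginUID":205,"RealUID":205,"PID":4711,"ParentPID":1,"Thread":1,"Command":"login"}',
    '{"EventTime":"2024-05-01 10:15:30","EventType":"USER_SU","Status":1,'
    '"LoginUID":205,"RealUID":205,"PID":4890,"ParentPID":4711,"Thread":1,"Command":"su"}',
    '{"EventTime":"2024-05-01 10:15:41","EventType":"USER_SU","Status":1,'
    '"LoginUID":205,"RealUID":205,"PID":4891,"ParentPID":4711,"Thread":1,"Command":"su"}',
    '{"EventTime":"2024-05-01 10:16:05","EventType":"USER_SU","Status":0,'
    '"LoginUID":205,"RealUID":205,"PID":4892,"ParentPID":4711,"Thread":1,"Command":"su"}',
    '{"EventTime":"2024-05-01 10:16:07","EventType":"PROC_Execute","Status":0,'
    '"LoginUID":205,"RealUID":0,"PID":4893,"ParentPID":4892,"Thread":1,"Command":"ksh"}',
    '{"EventTime":"2024-05-01 10:16:20","EventType":"FILE_Open","Status":0,'
    '"LoginUID":0,"RealUID":0,"PID":512,"ParentPID":1,"Thread":1,"Command":"cron"}',
]

# Assumption: a Status of 0 is treated as success, anything else as failure.
SUCCESS = 0


def parse_records(lines):
    """Decode one JSON object per non-empty line."""
    return [json.loads(line) for line in lines if line.strip()]


def privilege_changes(records):
    """Records where the process's real UID differs from the UID the session
    logged in with, i.e. the user became someone else after logging in."""
    return [r for r in records if r["RealUID"] != r["LoginUID"]]


def failed_event_counts(records, event_type):
    """Count failed events of the given type per LoginUID."""
    counts = {}
    for r in records:
        if r["EventType"] == event_type and r["Status"] != SUCCESS:
            counts[r["LoginUID"]] = counts.get(r["LoginUID"], 0) + 1
    return counts


def su_failures_then_success(records, threshold=2):
    """Sessions (by LoginUID) with at least `threshold` consecutive failed
    USER_SU events followed by a successful one, in record order.

    Returns (LoginUID, number_of_failures, PID of the successful su)."""
    failures = {}
    hits = []
    for r in records:
        if r["EventType"] != "USER_SU":
            continue
        uid = r["LoginUID"]
        if r["Status"] != SUCCESS:
            failures[uid] = failures.get(uid, 0) + 1
            continue
        if failures.get(uid, 0) >= threshold:
            hits.append((uid, failures[uid], r["PID"]))
        failures[uid] = 0
    return hits


if __name__ == "__main__":
    records = parse_records(SAMPLE_JSON_LINES)
    for r in privilege_changes(records):
        print("uid change: pid %d login uid %d now real uid %d (%s)"
              % (r["PID"], r["LoginUID"], r["RealUID"], r["Command"]))
    print("failed su per session:", failed_event_counts(records, "USER_SU"))
    print("su brute force candidates:", su_failures_then_success(records))
```

The third check keys on $LoginUID rather than $Login because the example configuration deletes $Login; if you keep that field, the same logic can key on the name instead. The $ParentPID of a flagged PROC_Execute record can then be matched against the PID of the successful su to tie the new root shell back to the session that spawned it.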