AIX Auditing (xm_aixaudit)
This module parses events in the AIX Audit format. It is normally used together with the im_file module to read events from a log file. An InputType is registered under the name of the module instance. See also im_aixaudit, which reads audit events directly from the kernel and is the recommended choice when NXLog is running on the AIX system itself.
To examine the supported platforms, see the list of installer packages in the Available Modules chapter.
Configuration
The xm_aixaudit module accepts the following directives in addition to the common module directives.
Optional directives
EventsConfigFile
This optional directive specifies the path to the file containing the list of audit events.
This file should contain events in
Fields
The following fields are used by xm_aixaudit.
$raw_event (type: string)
A list of event fields in key-value pairs.
$Command (type: string)
The command executed.
$EventTime (type: datetime)
The timestamp of the event.
$EventType (type: string)
The type of event (for example, login).
$Login (type: string)
The login name.
$LoginUID (type: integer)
The login UID.
$ParentPID (type: integer)
The parent process ID (PID).
$PID (type: integer)
The process ID (PID).
$Real (type: string)
The real user name.
$RealUID (type: integer)
The real user ID.
$Status (type: integer)
The status ID of the event.
$Thread (type: integer)
The kernel thread ID, local to the process.
$Verbose (type: string)
The verbose description of the audit record.
$WPARkey (type: string)
The Workload Partition (WPAR) key.
$WPARname (type: string)
The Workload Partition (WPAR) name.
Examples
This configuration reads AIX audit logs from a file and parses them with the InputType registered by xm_aixaudit.
<Extension aixaudit>
    Module            xm_aixaudit
    EventsConfigFile  modules/extension/aixaudit/events
</Extension>

<Input in>
    Module        im_file
    File          "/audit/audit3.bin"
    InputType     aixaudit
    ReadFromLast  FALSE
    Exec          delete($EventReceivedTime);
    Exec          delete($Login);
    Exec          delete($WPARname);
    Exec          delete($Real);
    Exec          to_json();
</Input>
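As an added example that is not part of the NXLog documentation, the following Python script consumes the JSON lines the configuration above emits and applies two detection checks over the documented fields: repeated failed logins per $LoginUID, and activity with $RealUID 0 attributed to a non-root $LoginUID. It assumes that to_json() writes field names without the leading `$` and that a non-zero $Status means the audited action failed; the sample lines are constructed, not captured from a real AIX host.

```python
import json
from collections import Counter

# Constructed sample of what the configuration above would write (to_json()
# emits field names without the '$'). Values are invented for this example.
SAMPLE_LINES = [
    '{"EventTime":"2024-05-01 08:00:01","EventType":"login","Status":1,"LoginUID":1001,"RealUID":1001,"PID":4001,"ParentPID":1,"Command":"login"}',
    '{"EventTime":"2024-05-01 08:00:05","EventType":"login","Status":1,"LoginUID":1001,"RealUID":1001,"PID":4002,"ParentPID":1,"Command":"login"}',
    '{"EventTime":"2024-05-01 08:00:09","EventType":"login","Status":1,"LoginUID":1001,"RealUID":1001,"PID":4003,"ParentPID":1,"Command":"login"}',
    '{"EventTime":"2024-05-01 08:01:00","EventType":"login","Status":0,"LoginUID":1002,"RealUID":1002,"PID":4010,"ParentPID":1,"Command":"login"}',
    '{"EventTime":"2024-05-01 08:02:30","EventType":"exec","Status":0,"LoginUID":1002,"RealUID":0,"PID":4025,"ParentPID":4010,"Command":"/usr/bin/chuser"}',
    'not json at all',  # a corrupt line the parser must skip, not crash on
]


def parse_events(lines):
    """Parse JSON lines into dicts, skipping anything that is not a JSON object."""
    events = []
    for line in lines:
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict):
            events.append(obj)
    return events


def failed_logins_by_uid(events, threshold=3):
    """Return {LoginUID: count} for UIDs with at least `threshold` failed logins.
    Assumption: a non-zero Status marks a failed audited action."""
    counts = Counter(e.get("LoginUID") for e in events
                     if e.get("EventType") == "login" and e.get("Status", 0) != 0)
    return {uid: n for uid, n in counts.items() if n >= threshold}


def root_activity_by_nonroot_login(events):
    """Events running with real UID 0 whose audited login UID is not root,
    i.e. root actions traceable to the user who originally logged in."""
    return [e for e in events
            if e.get("RealUID") == 0 and e.get("LoginUID") not in (None, 0)]


def analyze(lines, threshold=3):
    events = parse_events(lines)
    return {
        "events": len(events),
        "failed_login_uids": failed_logins_by_uid(events, threshold),
        "root_by_nonroot": [(e["LoginUID"], e["Command"], e["PID"])
                            for e in root_activity_by_nonroot_login(events)],
    }


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_LINES), indent=2))
```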