NXLog Legacy Documentation

AIX Auditing (xm_aixaudit)

This module parses events in the AIX Audit format. This module is normally used in combination with the im_file module to read events from a log file. An InputType is registered using the name of the module instance. See also im_aixaudit, which reads audit events directly from the kernel as it is recommended instead in cases where NXLog is running on the local system.

To examine the supported platforms, see the list of installer packages in the Available Modules chapter.

Configuration

The xm_aixaudit module accepts the following directives in addition to the common module directives.

Optional directives

EventsConfigFile

This optional directive contains the path to the file with a list of audit events. This file should contain events in AuditEvent = FormatCommand format. The AuditEvent is a reference to the audit object which is defined under the /etc/security/audit/objects path. The FormatCommand defines the auditpr output for the object. For more information, see IBM’s documentation on the AIX Auditing subsystem.

Fields

The following fields are used by xm_aixaudit.

$raw_event (type: string)

A list of event fields in key-value pairs.

$Command (type: string)

The command executed.

$EventTime (type: datetime)

The timestamp of the event.

$EventType (type: string)

The type of event (for example, login).

$Login (type: string)

Login name

$LoginUID (type: integer)

Login UID

$ParentPID (type: integer)

The parent process ID (PID).

$PID (type: integer)

The process ID (PID).

$Real (type: string)

Real user name

$RealUID (type: integer)

Real user ID

$Status (type: integer)

The status ID of the event.

$Thread (type: integer)

The kernel thread ID, local to the process.

$Verbose (type: string)

The audit record verbose description

$WPARkey (type: string)

Workload Partition key

$WPARname (type: string)

Workload Partition name

Examples

Example 1. Parsing AIX audit events

This configuration reads AIX audit logs from file and parses them with the InputType registered by xm_aixaudit.

nxlog.conf
<Extension aixaudit>
    Module              xm_aixaudit
    EventsConfigFile    modules/extension/aixaudit/events
</Extension>

<Input in>
    Module              im_file
    File                "/audit/audit3.bin"
    InputType           aixaudit
    ReadFromLast        FALSE
    Exec                delete($EventReceivedTime);
    Exec                delete($Login);
    Exec                delete($WPARname);
    Exec                delete($Real);
    Exec                to_json();
</Input>