AIX Auditing (im_aixaudit)
This module reads directly from the kernel, provided the AIX Audit subsystem has STREAM mode enabled, which is disabled by default. The xm_aixaudit module parses events from AIX Audit logs when BIN mode is enabled, which is the default setting. Both modes can be enabled and collect logs concurrently. For additional details, see Auditing mode: BIN and STREAM.
The AIX audit subsystem and the NXLog agent have default settings that are incompatible with each other.
Changing the directives User nxlog and Group nxlog to User root and Group system in the NXLog configuration will allow the module to read the required pseudo device and file; otherwise an error and a warning will occur:

ERROR [im_aixaudit|aixaudit] Couldn't open /dev/audit;Permission denied
WARNING [im_aixaudit|aixaudit] Couldn't read event config /etc/security/audit/events
By default, the AIX audit files located under /etc/security/audit/* are owned by user system. Changing their ownership or permissions could raise security flags (STIG finding V-91271).
Any reconfiguration of the AIX Audit subsystem requires it to be shut down and restarted for the changes to take effect:

# audit shutdown
auditing reset
The AIX Audit subsystem defaults to BIN mode with STREAM mode disabled.
In order for NXLog to read from the default event stream /dev/audit as shown in the configuration example below, set streammode = on in the start stanza of the AIX audit configuration:

start:
        binmode = on
        streammode = on
        ignorenonexistentity = no

bin:
        trail = /audit/trail
        bin1 = /audit/bin1
        bin2 = /audit/bin2
        binsize = 10240
        cmds = /etc/security/audit/bincmds
        freespace = 65536
        backuppath = /audit
        backupsize = 0
        bincompact = off

stream:
        cmds = /etc/security/audit/streamcmds
        streamcompact = off
After the configuration changes have been saved, the subsystem can be started:

# audit start
To examine the supported platforms, see the list of installer packages in the Available Modules chapter.
The im_aixaudit module accepts the following directives in addition to the common module directives.
DeviceFile
This optional directive specifies the device file from which to read audit events. If this is not specified, it defaults to /dev/audit.
This optional directive contains the path to the file with a list of audit events. This file should contain events in AuditEvent = FormatCommand format. The AuditEvent is a reference to the audit object which is defined under the auditpr output for the object. For more information, see the AIX Auditing subsystem resources on the IBM Documentation website.
See the xm_aixaudit Fields.
This configuration reads AIX audit events directly from the kernel via the (default) /dev/audit device file.

<Input in>
    Module      im_aixaudit
    DeviceFile  /dev/audit
</Input>
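The two preconditions described above (streammode = on in the audit configuration, and the agent running as User root / Group system) are easy to get wrong independently, so a pre-flight check that inspects both configurations before the module is started is useful. The script below is an added example, not part of NXLog or the AIX documentation; the function names and the embedded sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Pre-flight check for the two settings the text above says must agree:
# streammode = on in the start stanza of the AIX audit config, and the
# NXLog agent running as User root / Group system so it can open /dev/audit.

# Print the value of <key> in stanza <stanza> of an AIX audit config read
# from stdin ("start:" header line, then indented "key = value" lines).
audit_stanza_value() {
    awk -v stanza="$1" -v key="$2" '
        /^[a-z]+:/ { in_stanza = ($0 == (stanza ":")); next }
        in_stanza && $1 == key && $2 == "=" { print $3; exit }
    '
}

# Print the value of a global (top-level) NXLog directive such as User, read
# from stdin; lines inside <Input> ... </Input> style blocks are skipped.
nxlog_global_value() {
    awk -v key="$1" '
        /^[ \t]*<\// { depth--; next }
        /^[ \t]*</   { depth++; next }
        depth == 0 && $1 == key { print $2; exit }
    '
}

# Arguments: audit config text, NXLog config text. Prints one line per
# problem found; the return code is the number of problems (0 = ready).
preflight_check() {
    problems=0
    fail() { echo "$1"; problems=$((problems + 1)); }
    [ "$(printf '%s\n' "$1" | audit_stanza_value start streammode)" = on ] \
        || fail "streammode is not 'on' in the audit config start stanza"
    [ "$(printf '%s\n' "$2" | nxlog_global_value User)" = root ] \
        || fail "NXLog User directive is not root"
    [ "$(printf '%s\n' "$2" | nxlog_global_value Group)" = system ] \
        || fail "NXLog Group directive is not system"
    return "$problems"
}

# Constructed samples, not real host files: the AIX default leaves STREAM off
# and the NXLog default identity is nxlog/nxlog, so all three checks fail.
SAMPLE_AUDIT_CFG='start:
        binmode = on
        streammode = off
stream:
        cmds = /etc/security/audit/streamcmds'
SAMPLE_NXLOG_CFG='User nxlog
Group nxlog
<Input in>
    Module  im_aixaudit
</Input>'
```

On a host, run it against the real files, for example `preflight_check "$(cat /etc/security/audit/config)" "$(cat /path/to/nxlog.conf)"`, and treat any non-zero return as a reason not to start the module yet.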