AIX Auditing (xm_aixaudit)
This module parses events in the AIX Audit format. It is normally used in combination with the im_file module to read events from a log file. An InputType is registered under the name of the module instance. See also im_aixaudit, which reads audit events directly from the kernel and is the recommended choice when NXLog runs as a local agent on the AIX system.
To examine the supported platforms, see the list of installer packages in the Available Modules chapter.
Configuration
The xm_aixaudit module accepts the following directive in addition to the common module directives.
- EventsConfigFile
  This optional directive contains the path to the file with a list of audit events. This file should contain events in
  AuditEvent = FormatCommand
  format. The AuditEvent is a reference to the audit object, which is defined under the /etc/security/audit/objects path. The FormatCommand defines the auditpr output for the object. For more information, see IBM's documentation on the AIX Auditing subsystem.
Fields
The following fields are used by xm_aixaudit.
$raw_event (type: string) - A list of event fields in key-value pairs.
$Command (type: string) - The command executed.
$EventTime (type: datetime) - The timestamp of the event.
$EventType (type: string) - The type of event (for example, login).
$Login (type: string) - The login name.
$LoginUID (type: integer) - The login UID.
$ParentPID (type: integer) - The parent process ID (PID).
$PID (type: integer) - The process ID (PID).
$Real (type: string) - The real user name.
$RealUID (type: integer) - The real user ID.
$Status (type: integer) - The status ID of the event.
$Thread (type: integer) - The kernel thread ID, local to the process.
$Verbose (type: string) - The verbose description of the audit record.
$WPARkey (type: string) - The Workload Partition key.
$WPARname (type: string) - The Workload Partition name.
Examples
This configuration reads AIX audit logs from a file and parses them with the InputType registered by xm_aixaudit. Several fields are dropped before the record is serialized to JSON.
<Extension aixaudit>
    Module           xm_aixaudit
    EventsConfigFile modules/extension/aixaudit/events
</Extension>
<Input in>
    Module        im_file
    File          "/audit/audit3.bin"
    InputType     aixaudit
    ReadFromLast  FALSE
    Exec          delete($EventReceivedTime);
    Exec          delete($Login);
    Exec          delete($WPARname);
    Exec          delete($Real);
    Exec          to_json();
</Input>
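As an added example that is not part of the NXLog documentation or the module itself, the following Python script consumes JSON lines of the shape the configuration above emits (the remaining fields after the delete() calls and to_json()) and runs two simple checks over them: records where the real UID differs from the login UID, and the number of non-zero-status records per login UID. The event type names, UIDs and other values are constructed sample data, and treating a non-zero $Status as a failed event is an assumption.

```python
import json
from collections import Counter

# Constructed sample records in the shape the page's configuration emits
# (after the delete() calls and to_json()); all values are made up.
SAMPLE_LINES = [
    '{"EventTime":"2024-03-05 09:12:01","EventType":"USER_Login","Command":"login",'
    '"LoginUID":204,"RealUID":204,"PID":4711,"ParentPID":1,"Thread":1,"Status":0,'
    '"Verbose":"user: alice tty: /dev/pts/3","WPARkey":"Global"}',
    '{"EventTime":"2024-03-05 09:12:40","EventType":"PROC_Execute","Command":"su",'
    '"LoginUID":204,"RealUID":0,"PID":4720,"ParentPID":4711,"Thread":1,"Status":0,'
    '"Verbose":"euid: 0 egid: 0 name /usr/bin/su","WPARkey":"Global"}',
    '{"EventTime":"2024-03-05 09:13:02","EventType":"USER_SU","Command":"su",'
    '"LoginUID":207,"RealUID":207,"PID":4733,"ParentPID":4001,"Thread":1,"Status":1,'
    '"Verbose":"user: bob","WPARkey":"Global"}',
    '{"EventTime":"2024-03-05 09:13:09","EventType":"USER_SU","Command":"su",'
    '"LoginUID":207,"RealUID":207,"PID":4734,"ParentPID":4001,"Thread":1,"Status":1,'
    '"Verbose":"user: bob","WPARkey":"Global"}',
    'not json at all',  # a corrupt line, to show the parser skips it
]

REQUIRED = ("EventType", "LoginUID", "RealUID", "Status", "PID", "ParentPID")

def parse_events(lines):
    """Parse JSON lines into dicts, dropping lines that are not valid records."""
    events = []
    for line in lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue
        if all(k in rec for k in REQUIRED):
            events.append(rec)
    return events

def identity_changes(events):
    """Records whose real UID differs from the login UID, i.e. the audited
    process runs as a different user than the one who logged in."""
    return [e for e in events if e["LoginUID"] != e["RealUID"]]

def failed_by_login(events):
    """Count records with non-zero $Status per login UID
    (assumption: a non-zero status marks a failed event)."""
    return Counter(e["LoginUID"] for e in events if e["Status"] != 0)

def child_pids(events, parent_pid):
    """PIDs of audited processes whose parent is parent_pid."""
    return sorted({e["PID"] for e in events if e["ParentPID"] == parent_pid})

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LINES)
    for e in identity_changes(evs):
        print("identity change:", e["EventTime"], e["Command"], e["LoginUID"], "->", e["RealUID"])
    print("failures per login UID:", dict(failed_by_login(evs)))
```

Because the configuration deletes $Login and $Real but keeps $LoginUID and $RealUID, the identity comparison still works on the JSON output.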