Configuring aix audit to capure failed login but the audit stream data does not provide the ip address of where the failed login is trying to access the box. We are having issue putting info on failed login (ip address, user id, time) in /audit/stream.out file. All selected files have been defined and tagged accordingly in the /etc/security/audit/objects file, but I am not seeing the relevant information as it appears in /etc/security/failedlogin file captured in the /audit/stream.out file as expected.
The audit stream file provides this information:
USER_Login root FAIL_AUTH Mon Jan 07 10:47:52 2013 tsm
user: joesmith tty: /dev/pts/33
The /etc/security/failedlogin provides this information:
joesmith pts/6 Jan 09 16:59 (10.16.232.122)
I would like to capture the ip address in the audit file. Can anyone help?
Does anyone know how to configure audit to get the ip address or how to create a new event to capture the ip?