I'm part of the security team in a company, and we handle the administration, management and reporting of a SIEM solution.
The SIEM collects a huge amount of logs coming from our AIX platform and categorises, prioritises and classifies them.
Mounted on AIX is our Oracle Core DB.
The SIEM collects almost 24,000 logs each day from AIX with a "medium priority" SIEM classification, which means that we need to investigate what these events are and why they are registered.
The main purpose is to identify security threats, but with the raw logs we can't fully understand this. Can you help me identify which of these are normal behaviours and which are not?
The EventIDs that the SIEM collects are (with examples):
Dec 30 17:16:07 [hostname] NSM_AIX_AUDIT: FS_Rmdir [root_user] OK Mon Dec 30 17:16:06 2013 java Global remove of directory: /var/opt/tivoli/ep/runtime/agent/config.tmp/14345940a92-7e26a
Dec 30 17:22:09 [hostname] NSM_AIX_AUDIT: FILE_Unlink [root_user] OK Mon Dec 30 17:22:06 2013 compress Global filename /audit/tempfile.44302426
Dec 30 17:25:00 [hostname] NSM_AIX_AUDIT: FS_Mkdir [oracle_user] FAIL Mon Dec 30 17:25:00 2013 sqlplus Global mode: 755 dir: /home/oracle/oradiag_oracle
Dec 30 17:32:06 [hostname] NSM_AIX_AUDIT: FILE_Rename [root_user] OK Mon Dec 30 17:32:06 2013 java Global frompath: /var/opt/tivoli/ep/runtime/agent/config.tmp/14345a2b221-7e28a/change/endpoint.properties topath: /var/opt/tivoli/ep/runtime/agent/config/endpoint.properties
Dec 30 17:32:06 [hostname] NSM_AIX_AUDIT: FS_Mkdir [root_user] OK Mon Dec 30 17:32:06 2013 java Global mode: 711 dir: /var/opt/tivoli/ep/runtime/agent/config.tmp/14345a2b221-7e28a/delete
Dec 30 17:35:00 [hostname] NSM_AIX_AUDIT: FILE_Link [oracle_user] OK Mon Dec 30 17:35:00 2013 sh Global linkname /tmp/sh40698248.1 filename /tmp/sh40698248.4
Dec 30 17:31:43 [hostname] NSM_AIX_AUDIT: FILE_Unlink [root_user] FAIL Mon Dec 30 17:31:43 2013 sendmail Global filename ./xfrBUMVhHg16842996
Thank you in advance!
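A small triage helper for the NSM_AIX_AUDIT line format quoted above, added here as an example and not code from the original post or from any SIEM vendor. It parses each line into its fields (event, user, OK/FAIL, process, paths) and sorts it into a bucket; the BASELINE table is an assumption constructed from the quoted lines and stands in for whatever a site decides is routine after reviewing its own events.

```python
import re
from collections import Counter

# Shape of the NSM_AIX_AUDIT lines quoted in the question.
LINE_RE = re.compile(
    r"^(?P<syslog_ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) NSM_AIX_AUDIT: "
    r"(?P<event>\w+) \[(?P<user>[^\]]+)\] (?P<result>OK|FAIL) "
    r"(?P<audit_ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) "
    r"(?P<process>\S+) (?P<scope>\S+) (?P<detail>.*)$"
)
PATH_RE = re.compile(r"(?:^|\s)(\.?/\S+)")  # absolute or ./relative paths in the detail

# Constructed baseline (an assumption for illustration, not a vendor rule set):
# (event, user, process) -> path prefix under which that activity is accepted as routine.
BASELINE = {
    ("FS_Rmdir", "root_user", "java"): "/var/opt/tivoli/ep/runtime/agent/",
    ("FS_Mkdir", "root_user", "java"): "/var/opt/tivoli/ep/runtime/agent/",
    ("FILE_Rename", "root_user", "java"): "/var/opt/tivoli/ep/runtime/agent/",
    ("FILE_Unlink", "root_user", "compress"): "/audit/",
}

# Sample input, copied from the lines quoted in the question.
SAMPLE = [
    "Dec 30 17:16:07 [hostname] NSM_AIX_AUDIT: FS_Rmdir [root_user] OK Mon Dec 30 17:16:06 2013 java Global remove of directory: /var/opt/tivoli/ep/runtime/agent/config.tmp/14345940a92-7e26a",
    "Dec 30 17:25:00 [hostname] NSM_AIX_AUDIT: FS_Mkdir [oracle_user] FAIL Mon Dec 30 17:25:00 2013 sqlplus Global mode: 755 dir: /home/oracle/oradiag_oracle",
    "Dec 30 17:35:00 [hostname] NSM_AIX_AUDIT: FILE_Link [oracle_user] OK Mon Dec 30 17:35:00 2013 sh Global linkname /tmp/sh40698248.1 filename /tmp/sh40698248.4",
]

def parse(line):
    """Split one audit line into named fields plus the paths it mentions; None if the shape differs."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["paths"] = PATH_RE.findall(rec["detail"])
    return rec

def triage(line):
    """Return (label, reason). Labels: unparsed, investigate (FAIL), baseline, review."""
    rec = parse(line)
    if rec is None:
        return "unparsed", "line does not match the NSM_AIX_AUDIT format"
    if rec["result"] == "FAIL":
        return "investigate", f"{rec['event']} by {rec['user']} via {rec['process']} failed"
    prefix = BASELINE.get((rec["event"], rec["user"], rec["process"]))
    if prefix and rec["paths"] and all(p.startswith(prefix) for p in rec["paths"]):
        return "baseline", f"{rec['process']} activity confined to {prefix}"
    return "review", f"no baseline entry for {rec['event']}/{rec['user']}/{rec['process']}"

def summarize(lines):
    """Label counts over a batch: the view that shrinks 24,000 raw events to a short review list."""
    return Counter(triage(line)[0] for line in lines if line.strip())
```

Run `summarize()` over a day's export and only the `investigate` and `review` buckets need a human; every line that lands in `baseline` is a (event, user, process, path) combination you have already decided is expected.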