D3al
Pinned topic Understanding logs & security threats

2013-12-30T22:40:42Z

Greetings,

I'm part of the security team in a company, and we handle the administration, management and reporting of a SIEM solution.

The SIEM collects a huge amount of logs coming from our AIX platform and categorises, prioritises and classifies them.

Mounted on AIX there is our Oracle Core DB.

The SIEM collects almost 24,000 logs (each day) from AIX with a "medium priority" SIEM classification, which means that we need to investigate what these events are and why they are registered.

The main purpose is to identify security threats, but with the raw logs we can't fully understand this. Can you help me identify which of these are normal behaviours and which are not?

The EventIDs that the SIEM collects are (with examples):

aix_audit-ok-fs_rmdir

Dec 30 17:16:07 [hostname] NSM_AIX_AUDIT: FS_Rmdir [root_user] OK Mon Dec 30 17:16:06 2013 java Global remove of directory: /var/opt/tivoli/ep/runtime/agent/config.tmp/14345940a92-7e26a

aix_audit-ok-file_unlink

Dec 30 17:22:09 [hostname] NSM_AIX_AUDIT: FILE_Unlink [root_user] OK Mon Dec 30 17:22:06 2013 compress Global filename /audit/tempfile.44302426

aix_audit-fail-fs

Dec 30 17:25:00 [hostname] NSM_AIX_AUDIT: FS_Mkdir [oracle_user] FAIL Mon Dec 30 17:25:00 2013 sqlplus Global mode: 755 dir: /home/oracle/oradiag_oracle

aix_audit-ok-file_rename

Dec 30 17:32:06 [hostname] NSM_AIX_AUDIT: FILE_Rename [root_user] OK Mon Dec 30 17:32:06 2013 java Global frompath: /var/opt/tivoli/ep/runtime/agent/config.tmp/14345a2b221-7e28a/change/endpoint.properties topath: /var/opt/tivoli/ep/runtime/agent/config/endpoint.properties

aix_audit-ok-fs_mkdir

Dec 30 17:32:06 [hostname] NSM_AIX_AUDIT: FS_Mkdir [root_user] OK Mon Dec 30 17:32:06 2013 java Global mode: 711 dir: /var/opt/tivoli/ep/runtime/agent/config.tmp/14345a2b221-7e28a/delete

aix_audit-ok-file_link

Dec 30 17:35:00 [hostname] NSM_AIX_AUDIT: FILE_Link [oracle_user] OK Mon Dec 30 17:35:00 2013 sh Global linkname /tmp/sh40698248.1 filename /tmp/sh40698248.4

aix_audit-fail-file_unlink

Dec 30 17:31:43 [hostname] NSM_AIX_AUDIT: FILE_Unlink [root_user] FAIL Mon Dec 30 17:31:43 2013 sendmail Global filename ./xfrBUMVhHg16842996

Thank you in advance!
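As an added example (not part of the original post or of any vendor's tooling), here is a small Python parser for the NSM_AIX_AUDIT line format quoted above, plus a triage pass that counts (event, user, command) combinations to build a baseline of routine activity and flags FAIL results and user/command pairs the team has not yet vetted. The sample lines are the ones from the post; the `known_agents` set of vetted (user, command) pairs is an assumption for illustration.

```python
import re
from collections import Counter

# Constructed sample input: the audit lines quoted in the post, as the SIEM receives them.
SAMPLE_LINES = """\
Dec 30 17:16:07 [hostname] NSM_AIX_AUDIT: FS_Rmdir [root_user] OK Mon Dec 30 17:16:06 2013 java Global remove of directory: /var/opt/tivoli/ep/runtime/agent/config.tmp/14345940a92-7e26a
Dec 30 17:22:09 [hostname] NSM_AIX_AUDIT: FILE_Unlink [root_user] OK Mon Dec 30 17:22:06 2013 compress Global filename /audit/tempfile.44302426
Dec 30 17:25:00 [hostname] NSM_AIX_AUDIT: FS_Mkdir [oracle_user] FAIL Mon Dec 30 17:25:00 2013 sqlplus Global mode: 755 dir: /home/oracle/oradiag_oracle
Dec 30 17:32:06 [hostname] NSM_AIX_AUDIT: FILE_Rename [root_user] OK Mon Dec 30 17:32:06 2013 java Global frompath: /var/opt/tivoli/ep/runtime/agent/config.tmp/14345a2b221-7e28a/change/endpoint.properties topath: /var/opt/tivoli/ep/runtime/agent/config/endpoint.properties
Dec 30 17:32:06 [hostname] NSM_AIX_AUDIT: FS_Mkdir [root_user] OK Mon Dec 30 17:32:06 2013 java Global mode: 711 dir: /var/opt/tivoli/ep/runtime/agent/config.tmp/14345a2b221-7e28a/delete
Dec 30 17:35:00 [hostname] NSM_AIX_AUDIT: FILE_Link [oracle_user] OK Mon Dec 30 17:35:00 2013 sh Global linkname /tmp/sh40698248.1 filename /tmp/sh40698248.4
Dec 30 17:31:43 [hostname] NSM_AIX_AUDIT: FILE_Unlink [root_user] FAIL Mon Dec 30 17:31:43 2013 sendmail Global filename ./xfrBUMVhHg16842996
""".splitlines()

# One record per syslog line: syslog timestamp, host, audit event name, audited user,
# OK/FAIL result, the audit subsystem's own timestamp, the command that made the
# call, and the object detail that follows the "Global" marker.
AUDIT_RE = re.compile(
    r"^(?P<syslog_ts>\w{3} +\d+ \d\d:\d\d:\d\d) \[(?P<host>[^\]]+)\] NSM_AIX_AUDIT: "
    r"(?P<event>\w+) \[(?P<user>[^\]]+)\] (?P<result>OK|FAIL) "
    r"(?P<audit_ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) (?P<command>\S+) Global (?P<detail>.*)$"
)

def parse_audit_line(line):
    """Return the record fields as a dict, or None if the line is not in this format."""
    m = AUDIT_RE.match(line)
    return m.groupdict() if m else None

def triage(lines, known_agents):
    """Count (event, user, command) combinations as a baseline; flag FAIL results,
    (user, command) pairs not in the vetted known_agents set, and unparsable lines."""
    baseline = Counter()
    flagged = []
    for line in lines:
        rec = parse_audit_line(line)
        if rec is None:
            flagged.append(("unparsed", line))
            continue
        baseline[(rec["event"], rec["user"], rec["command"])] += 1
        if rec["result"] == "FAIL":
            flagged.append(("fail", rec))
        elif (rec["user"], rec["command"]) not in known_agents:
            flagged.append(("unknown-agent", rec))
    return baseline, flagged

if __name__ == "__main__":
    # Assumed vetted pairs: the Tivoli agent and audit compression run as root, sqlplus as oracle.
    vetted = {("root_user", "java"), ("root_user", "compress"), ("oracle_user", "sqlplus")}
    counts, hits = triage(SAMPLE_LINES, vetted)
    for key, n in counts.most_common():
        print(n, *key)
    for kind, rec in hits:
        print(kind, rec if isinstance(rec, str) else (rec["event"], rec["user"], rec["command"]))
```

Running the baseline over a full day lets you see which (event, user, command) triples account for most of the 24,000 events; the remaining tail and the flagged records are the ones worth investigating first.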