Configuring IBM AIX Audit DSM to send log file protocol events to QRadar
Configure the audit.pl script to run each time that you want to convert your IBM® AIX® audit logs to a readable event log format for QRadar.
About this task
To send log file protocol events from IBM AIX to QRadar, you must edit these files:
- Audit configuration file: The audit configuration file identifies the event classes that are audited and the location of the event log file on your IBM AIX appliance. The IBM AIX default classes capture many audit events. To prevent performance issues, you can limit the classes that are enabled in the audit configuration file. For more information about configuring audit classes, see your IBM AIX documentation.
- Audit script: The audit script uses the audit configuration file to identify which audit logs to read and converts the binary logs to single-line events that QRadar® can read. The log file protocol can then retrieve the event log from your IBM AIX appliance and import the events to QRadar. The audit script uses the audit.pr file to convert the binary audit records to event log files that QRadar can read.
Run the audit script each time that you want to convert your audit records to readable events. You can use a cron job to automate this process. For example, you can add the entry 0 * * * * /audit.pl to run the audit script at the top of every hour. For more information, see your system documentation.
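The following shell script is an added example and is not part of the IBM page or the audit.pl script it describes. It adds the hourly cron entry from the page to a crontab only if that exact line is not already present, so running it repeatedly does not create duplicate jobs, and it checks that the audit script exists and is executable before the entry is installed. The schedule and the /audit.pl path are taken from the page; the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: idempotently install the hourly audit.pl cron entry.
# The entry text is the one given on the page; the function names are
# assumptions for this example, not part of the IBM documentation.

AUDIT_CRON_ENTRY='0 * * * * /audit.pl'

# ensure_audit_cron: reads crontab text on stdin, writes it to stdout with
# AUDIT_CRON_ENTRY appended exactly once (existing lines are kept as-is).
ensure_audit_cron() {
    awk -v entry="$AUDIT_CRON_ENTRY" '
        $0 == entry { found = 1 }
        { print }
        END { if (!found) print entry }
    '
}

# audit_script_ready: returns 0 when the script at $1 exists and is
# executable, 1 otherwise. Installing the cron entry for a missing or
# non-executable script would silently produce no events for QRadar.
audit_script_ready() {
    [ -f "$1" ] && [ -x "$1" ]
}

# install_audit_cron: applies the change to the current user's crontab.
# Not invoked automatically; call it on the AIX host after reviewing output.
install_audit_cron() {
    script_path=${1:-/audit.pl}
    if ! audit_script_ready "$script_path"; then
        echo "audit script $script_path is missing or not executable" >&2
        return 1
    fi
    crontab -l 2>/dev/null | ensure_audit_cron | crontab -
}
```

To apply on the appliance, source the script and run install_audit_cron; to preview the resulting crontab without changing anything, pipe `crontab -l` through ensure_audit_cron instead.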