Configuring IBM AIX Audit DSM to send log file protocol events to QRadar

Configure the audit.pl script to run each time that you want to convert your IBM® AIX® audit logs to a readable event log format for QRadar.

Before you begin

Ensure that Perl 5.8 or later is installed on your IBM AIX computer.

About this task

To send log file protocol events from IBM AIX to QRadar, you must edit these files:
Audit configuration file
The audit configuration file (/etc/security/audit/config) identifies the event classes that are audited and the location of the event log files on your IBM AIX appliance. The IBM AIX default classes capture many audit events. To prevent performance issues, you can restrict the classes that are audited in the audit configuration file. For more information about configuring audit classes, see your IBM AIX documentation.
Audit script
The audit script reads the audit configuration file to identify which audit logs to read and converts the binary audit trail to single-line events that QRadar® can read. The log file protocol can then retrieve the event log from your IBM AIX appliance and import the events to QRadar. The audit script relies on the AIX auditpr command to format the binary audit records as text event log files that QRadar can read.

Run the audit script each time that you want to convert your audit records to readable events. You can use a cron job to automate this process. For example, adding 0 * * * * /audit.pl to the root crontab runs the audit script hourly; use the absolute path of the directory to which you copied the script. For more information, see your system documentation.

Procedure

  1. Log in to your IBM AIX appliance.
  2. Configure the audit configuration file:
    1. Open the audit configuration file:

      /etc/security/audit/config

    2. In the start stanza, enable binary-mode auditing:
      binmode = on
    3. In the bin stanza, confirm the locations of the binary audit trail and the two collection bins.
      The default configuration for IBM AIX auditing writes binary logs to the following locations:
      trail = /audit/trail
      bin1 = /audit/bin1
      bin2 = /audit/bin2
      binsize = 10240
      cmds = /etc/security/audit/bincmds

      In most cases, you do not have to change the bin1 and bin2 file paths. The trail path is the file that the audit script reads.

    4. In the classes stanza, edit the configuration to determine which classes are audited. For information on configuring classes, see your IBM AIX documentation.
    5. Save the configuration changes.
  3. Start auditing on your IBM AIX system:

    audit start

  4. Install the audit script:
    1. From IBM Fix Central (https://www.ibm.com/support/fixcentral/), search for audit.pl.gz and select the download that corresponds to your version of QRadar.
    2. Download the audit.pl.gz file.
    3. Copy the audit script to a folder on your IBM AIX appliance.
    4. Extract the file:

      tar -zxvf audit.pl.gz

      If tar reports that the file is not in tar format, the download is a plain gzip file: extract it with gunzip audit.pl.gz instead. Ensure that the extracted audit.pl file has execute permission.

    5. Start the audit script:

      ./audit.pl

      You can add the following parameters to modify the command:
      Parameter  Description
      -r  Defines the results directory where the audit script writes event log files for QRadar.

      If you do not specify a results directory, the script writes the events to the /audit/results/ directory. The Remote Directory parameter in the log source configuration uses this value. To prevent errors, verify that the results directory exists on your IBM AIX system.

      -n  Defines a unique name for the event log file that is generated by the audit script. The FTP File Pattern parameter in the log source configuration uses this name to identify the event logs that the log source must retrieve in QRadar.
      -l  Defines the name of the last record file.
      -m  Defines the maximum number of audit files to retain on your IBM AIX system. By default, the script retains 30 audit files. When the number of audit files exceeds the value of the -m parameter, the script deletes the audit file with the oldest time stamp.
      -t  Defines the directory that contains the audit trail file. The default directory is /audit/trail.
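The following shell script is an added example and is not part of this page or of the audit.pl script from IBM Fix Central. It ties the procedure together for a cron wrapper: it reads the start and bin stanzas of /etc/security/audit/config, refuses to continue unless binmode = on, creates the results directory that the -r parameter requires, and builds the audit.pl command line from the parameters described above. The script path /opt/qradar/audit.pl, the event file name aix_audit, and the sample configuration file are assumptions made for this example; the sample config mirrors the default paths shown in the procedure.

```shell
#!/bin/sh
# Added example (not the page's or IBM's code): validate the AIX audit config
# and build the audit.pl command line for a cron wrapper.

AUDIT_CONFIG=${AUDIT_CONFIG:-/etc/security/audit/config}
AUDIT_PL=${AUDIT_PL:-/opt/qradar/audit.pl}      # assumed location of the script

# Print the value of "key = value" inside a named stanza of an AIX audit
# config file. $1 = file, $2 = stanza (start, bin, classes), $3 = key.
# Stanza headers are "name:" at column 0; settings are indented below them.
stanza_value() {
    awk -v stanza="$2" -v key="$3" '
        /^[A-Za-z0-9_]+:/ { in_s = ($1 == (stanza ":")); next }
        in_s && $1 == key && $2 == "=" { print $3; exit }
    ' "$1"
}

# Exit 0 only when binary-mode auditing is enabled; otherwise explain why not.
check_binmode() {
    mode=$(stanza_value "$1" start binmode)
    case "$mode" in
        on) return 0 ;;
        "") echo "binmode is not set in the start stanza of $1"; return 1 ;;
        *)  echo "binmode = $mode; QRadar needs binmode = on"; return 1 ;;
    esac
}

# Build the audit.pl command line from the documented parameters.
# $1 = script, $2 = results dir (-r), $3 = event file name (-n),
# $4 = files to retain (-m), $5 = audit trail location (-t).
build_audit_cmd() {
    printf '%s -r %s -n %s -m %s -t %s\n' "$1" "$2" "$3" "$4" "$5"
}

# Check the config, make sure the results directory exists (the page warns
# that a missing results directory causes errors), then run or print the
# command. $1 = config file, $2 = results dir, $3 = event file name.
run_audit_export() {
    cfg=$1
    results=${2:-/audit/results}
    name=${3:-aix_audit}
    check_binmode "$cfg" || return 1
    mkdir -p "$results" || return 1
    trail=$(stanza_value "$cfg" bin trail)
    cmd=$(build_audit_cmd "$AUDIT_PL" "$results" "$name" 30 "${trail:-/audit/trail}")
    if [ -x "$AUDIT_PL" ]; then
        $cmd
    else
        echo "would run: $cmd"
    fi
}

# Sample configuration, constructed for this example; it uses the default
# paths from the procedure above.
write_sample_config() {
    cat > "$1" <<'EOF'
start:
        binmode = on
        streammode = off

bin:
        trail = /audit/trail
        bin1 = /audit/bin1
        bin2 = /audit/bin2
        binsize = 10240
        cmds = /etc/security/audit/bincmds

classes:
        general = USER_SU,PASSWORD_Change,FILE_Unlink,FILE_Link,FILE_Rename
EOF
}

# Set AUDIT_RUN=1 on the AIX host to run against the real config file.
if [ -n "${AUDIT_RUN:-}" ]; then
    run_audit_export "$AUDIT_CONFIG"
fi
```

In cron, call the wrapper instead of audit.pl directly so that a configuration that has drifted back to binmode = off is reported rather than silently producing no events; the -n value must match the FTP File Pattern in the QRadar log source.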

What to do next

The IBM AIX Audit DSM automatically discovers log file protocol audit events that are forwarded from IBM AIX to QRadar and creates a log source. If the events are not automatically discovered, you can manually configure a log source.