Configuring IBM AIX Audit DSM to send syslog events to QRadar

To collect syslog audit events from your IBM® AIX® Audit device, redirect your audit log output from your IBM AIX device to the IBM QRadar Console or Event Collector.

About this task

On an IBM AIX appliance, you can enable or disable classes in the audit configuration. The IBM AIX default classes capture a large volume of audit events. To prevent performance issues, you can tune your IBM AIX appliance to reduce the number of classes that are collected. For more information about audit classes, see your IBM AIX appliance documentation.

Procedure

  1. Log in to your IBM AIX appliance.
  2. Open the audit configuration file:

    /etc/security/audit/config

  3. Edit the Start section to disable the binmode element and enable the streammode element:
    binmode = off
    streammode = on
  4. Edit the Classes section to specify which classes to audit.
  5. Save the configuration changes.
  6. Open the streamcmds file:

    /etc/security/audit/streamcmds

  7. Add the following line to the file:
    /usr/sbin/auditstream | /usr/sbin/auditselect -m -e "command != logger && command != auditstream && command != auditpr && command != auditselect"|auditpr -t0 -h eclrRdi -v |awk -u 'NR%2{printf "%s ",$0;next}{print;}' | /usr/bin/logger -p local0.debug -r &
  8. Save the configuration changes.
  9. Edit the syslog configuration file to specify a debug entry and the IP address of the QRadar Console or Event Collector:

    *.debug @ip_address

    Tip: A tab must separate *.debug from the IP address.
  10. Save the configuration changes.
  11. Reload your syslog configuration:

    refresh -s syslogd

  12. Start the audit script on your IBM AIX appliance:

    audit start

What to do next

The IBM AIX Audit DSM automatically discovers syslog audit events that are forwarded from IBM AIX to QRadar and creates a log source. If the events are not automatically discovered, you can manually configure a log source.