To collect syslog audit events from your IBM® AIX® Audit device, redirect your audit log output from your IBM AIX device to the IBM QRadar Console or Event Collector.
About this task
On an IBM AIX appliance, you can enable or disable classes in the audit configuration. The IBM AIX default classes capture a large volume of audit events. To prevent performance issues, you can tune your IBM AIX appliance to reduce the number of classes that are collected. For more information about audit classes, see your IBM AIX appliance documentation.
Procedure
- Log in to your IBM AIX appliance.
- Open the audit configuration file:
  /etc/security/audit/config
- Edit the Start section to disable the binmode element and enable the streammode element:
  binmode = off
  streammode = on
- Edit the Classes section to specify which classes to audit.
- Save the configuration changes.
- Open the streamcmds file:
  /etc/security/audit/streamcmds
- Add the following line to the file:
  /usr/sbin/auditstream | /usr/sbin/auditselect -m -e "command != logger && command != auditstream && command != auditpr && command != auditselect"|auditpr -t0 -h eclrRdi -v |awk -u 'NR%2{printf "%s ",$0;next}{print;}' | /usr/bin/logger -p local0.debug -r &
- Save the configuration changes.
- Edit the syslog configuration file to specify a debug entry and the IP address of the QRadar Console or Event Collector:
  *.debug @ip_address
  Tip: A tab must separate *.debug from the IP address.
- Save the configuration changes.
- Reload your syslog configuration:
- Start the audit script on your IBM AIX appliance:
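The following script is an added example and is not part of the IBM documentation. It performs read-only checks of the three files the procedure edits: that the audit config sets binmode = off and streammode = on, that streamcmds carries the auditstream pipeline ending in logger -p local0.debug, and that the syslog selector line is separated from its @host target by a tab rather than spaces (the mistake the Tip warns about, which silently stops forwarding). It builds constructed sample copies of each file so it runs on any POSIX shell; the address 192.0.2.10 is a placeholder. On the AIX appliance, point the check_* functions at /etc/security/audit/config, /etc/security/audit/streamcmds and /etc/syslog.conf instead.

```shell
#!/bin/sh
# Added example, not from the IBM page: verify the edits the procedure makes.
# Sample copies are constructed below; on AIX call the check_* functions on
# the real /etc/security/audit/config, /etc/security/audit/streamcmds and
# /etc/syslog.conf instead.

TAB=$(printf '\t')

# Returns 0 when the file assigns binmode = off and streammode = on.
check_audit_config() {
    bin=$(sed -n 's/^[[:space:]]*binmode[[:space:]]*=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | head -n 1)
    stream=$(sed -n 's/^[[:space:]]*streammode[[:space:]]*=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | head -n 1)
    [ "$bin" = "off" ] && [ "$stream" = "on" ]
}

# Returns 0 when streamcmds contains the auditstream pipeline and sends its
# output to logger at local0.debug, which the syslog selector relies on.
check_streamcmds() {
    grep -q '^/usr/sbin/auditstream' "$1" && grep -q 'logger -p local0.debug' "$1"
}

# Returns 0 when a *.debug line is followed by a TAB and an @host target.
# A space-separated line does not match, so the tab mistake is caught.
check_syslog_conf() {
    grep -q "^\*\.debug${TAB}@[0-9A-Za-z.:-][0-9A-Za-z.:-]*" "$1"
}

# Constructed sample files; 192.0.2.10 is a documentation placeholder address.
SAMPLES=${TMPDIR:-/tmp}/aix-audit-check.$$
mkdir -p "$SAMPLES"
cleanup_samples() { rm -rf "$SAMPLES"; }
trap cleanup_samples EXIT

cat > "$SAMPLES/config.good" <<'EOF'
start:
        binmode = off
        streammode = on
EOF
cat > "$SAMPLES/config.bad" <<'EOF'
start:
        binmode = on
        streammode = off
EOF
cat > "$SAMPLES/streamcmds.good" <<'EOF'
/usr/sbin/auditstream | /usr/sbin/auditselect -m -e "command != logger && command != auditstream && command != auditpr && command != auditselect"|auditpr -t0 -h eclrRdi -v |awk -u 'NR%2{printf "%s ",$0;next}{print;}' | /usr/bin/logger -p local0.debug -r &
EOF
printf '*.debug\t@192.0.2.10\n' > "$SAMPLES/syslog.good"   # tab-separated
printf '*.debug   @192.0.2.10\n' > "$SAMPLES/syslog.bad"   # space-separated

# Prints one PASS/FAIL line per check so the script is useful when run by hand.
report() {
    if "$1" "$2"; then echo "PASS $1 $2"; else echo "FAIL $1 $2"; fi
}

report check_audit_config "$SAMPLES/config.good"
report check_audit_config "$SAMPLES/config.bad"
report check_streamcmds   "$SAMPLES/streamcmds.good"
report check_syslog_conf  "$SAMPLES/syslog.good"
report check_syslog_conf  "$SAMPLES/syslog.bad"
```

The tab check is the one worth keeping around: a syslog.conf line that looks right in an editor but uses spaces is a common reason no events reach the Console, and the check distinguishes the two forms without modifying anything.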
What to do next
The IBM AIX Audit DSM automatically discovers syslog audit events that are forwarded from IBM AIX to QRadar and creates a log source. If the events are not automatically discovered, you can manually configure a log source.