Configuring your IBM AIX Server device to send syslog events to QRadar

To collect syslog audit events from your IBM® AIX® Server device, redirect your audit log output from your IBM AIX device to the IBM QRadar Console or Event Collector.

Procedure

  1. Log in to your IBM AIX appliance as a root user.
  2. Open the /etc/syslog.conf file.
  3. To forward the system authentication logs to QRadar®, add the following line to the file:

    auth.info @QRadar_IP_address

    A tab must separate auth.info and the IP address of QRadar.

    For example:

    ##### begin /etc/syslog.conf
    mail.debug /var/adm/maillog
    mail.none /var/adm/maillog
    auth.notice /var/adm/authlog
    lpr.debug /var/adm/lpd-errs
    kern.debug /var/adm/messages
    *.emerg;*.alert;*.crit;*.warning;*.err;*.notice;*.info /var/adm/messages
    auth.info            @<IP_address>
    ##### end /etc/syslog.conf

  4. Save and exit the file.
  5. Restart the syslog service:

    refresh -s syslogd
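
A way to check the edited file for the tab requirement in step 3 before refreshing syslogd, given as an added example that is not part of the IBM procedure. The function name `classify_forward` is hypothetical, and 192.0.2.10 is a documentation address standing in for the QRadar IP address.

```shell
#!/bin/sh
# Added example, not IBM-supplied code. classify_forward is a hypothetical helper.
# Usage: classify_forward FILE DEST
# Prints: ok      - an active auth.info rule forwards to @DEST, separated by tabs only
#         spaces  - the rule exists, but its separator contains a space
#         missing - no active auth.info rule forwards to @DEST
classify_forward() {
    awk -v dest="$2" '
        /^[ \t]*(#|$)/ { next }                     # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)                # drop leading whitespace
            if (match(line, /[ \t]+/) == 0) next    # selector with no action field
            sel = substr(line, 1, RSTART - 1)       # e.g. auth.info
            sep = substr(line, RSTART, RLENGTH)     # whitespace between the fields
            act = substr(line, RSTART + RLENGTH)    # e.g. @192.0.2.10
            sub(/[ \t]+$/, "", act)
            if (act != ("@" dest)) next             # not forwarded to this host
            n = split(sel, parts, ";")              # selectors may be ;-joined
            for (i = 1; i <= n; i++)
                if (parts[i] == "auth.info") {
                    if (sep ~ / /) bad = 1; else good = 1
                }
        }
        END { print (good ? "ok" : (bad ? "spaces" : "missing")) }
    ' "$1"
}

# Constructed sample input: a commented-out rule and a rule separated by spaces.
sample=${TMPDIR:-/tmp}/syslog.conf.sample.$$
printf 'auth.notice\t/var/adm/authlog\n' > "$sample"
printf '# auth.info\t@192.0.2.10\n' >> "$sample"
printf 'auth.info    @192.0.2.10\n' >> "$sample"
classify_forward "$sample" 192.0.2.10

# Append the rule with a tab separator and check again.
printf 'auth.info\t@192.0.2.10\n' >> "$sample"
classify_forward "$sample" 192.0.2.10
rm -f "$sample"
```

On the AIX server, run it as `classify_forward /etc/syslog.conf <IP_address>` after saving the file in step 4.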