IBM AIX Audit DSM overview

The IBM® AIX® Audit DSM collects detailed audit information for events that occur on your IBM AIX appliance.

The following table identifies the specifications for the IBM AIX Audit DSM:

Table 1. IBM AIX Audit DSM specifications

Specification                 | Value
------------------------------|--------------------------------------------------------
Manufacturer                  | IBM
DSM names                     | IBM AIX Audit
RPM file names                | DSM-IBMAIXAudit-QRadar_version-build_number.noarch.rpm
Supported versions            | V6.1 and V7.1
Protocol type                 | Syslog; Log File Protocol
QRadar recorded event types   | Audit events
Automatically discovered?     | Yes
Includes identity?            | No
More information              | IBM website (http://www.ibm.com/)

To integrate IBM AIX Audit events with QRadar, complete the following steps:
  1. Download the latest version of the IBM AIX Audit DSM from the IBM Support Website.
  2. For syslog events, complete the following steps:
    a. Configure your IBM AIX Audit device to send syslog events to QRadar. See Configuring IBM AIX Audit DSM to send syslog events to QRadar.
    b. If QRadar does not automatically discover the log source, add an IBM AIX Audit log source. Use the following IBM AIX Audit-specific values in the log source configuration:

       Parameter              | Value
       -----------------------|---------------
       Log Source Type        | IBM AIX Audit
       Protocol Configuration | Syslog

  3. For log file protocol events, complete the following steps:
    a. Configure your IBM AIX Audit device to convert audit logs to the log file protocol format.
    b. Configure a log file protocol-based log source for your IBM AIX Audit device. Use the following protocol-specific values in the log source configuration:

       Parameter                | Value
       -------------------------|--------------------------------------------------------------------------
       Log Source Type          | IBM AIX Audit
       Protocol Configuration   | Log File
       Service Type             | The protocol that is used to retrieve log files from the remote server.
                                | Important: If you select the SCP or SFTP service type, ensure that the server that is specified in the Remote IP or Hostname parameter has the SFTP subsystem enabled.
       Remote Port              | If the host for your event files uses a non-standard port number for FTP, SFTP, or SCP, adjust the port value.
       SSH Key File             | If you select SCP or SFTP as the Service Type, use this parameter to specify an SSH private key file. When you provide an SSH Key File, the Remote Password parameter is ignored.
       Remote Directory         | The directory on the remote host from which the files are retrieved. Specify the location relative to the user account that you use to log in.
                                | Restriction: For FTP only. If your log files are in the remote user's home directory, leave the remote directory blank to support operating systems where the change working directory (CWD) command is restricted.
       FTP File Pattern         | The FTP file pattern must match the name that you assigned to your AIX audit files with the -n parameter in the audit script. For example, to collect files that start with AIX_Audit and end with your time stamp value, type AIX_Audit_*.
       FTP Transfer Mode        | ASCII. ASCII is required for text event logs that are retrieved by the log file protocol by using FTP.
       Processor                | NONE
       Change Local Directory?  | Leave this check box clear.
       Event Generator          | LineByLine. The Event Generator applies more processing to the retrieved event files. Each line of the file is a single event. For example, if a file has 10 lines of text, 10 separate events are created.
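The following script is an added illustration of how the FTP File Pattern and the LineByLine event generator described in the table behave together; it is not IBM or QRadar code. The remote directory listing, the file names, and the audit record text are constructed samples, and the decision to skip empty lines after an ASCII-mode transfer is an assumption of this example, not documented QRadar behaviour.

```python
import fnmatch

# Constructed sample: a remote directory listing as the log file protocol
# would see it after logging in to the Remote Directory. Names are made up.
REMOTE_LISTING = [
    "AIX_Audit_20240101120000",
    "AIX_Audit_20240102120000",
    "syslog.out",                 # unrelated file: must not be collected
    "aix_audit_20240103120000",   # lowercase: a shell-style glob on AIX is case-sensitive
]

# Constructed sample contents, one audit record per line. The second file uses
# CRLF endings to show why ASCII transfer mode matters for text logs.
SAMPLE_FILES = {
    "AIX_Audit_20240101120000": (
        "PROC_Create root OK Mon Jan 01 12:00:00 2024 ksh\n"
        "FILE_Open root OK Mon Jan 01 12:00:01 2024 cat\n"
    ),
    "AIX_Audit_20240102120000": "USER_Login jdoe FAIL Tue Jan 02 12:00:00 2024 sshd\r\n",
}


def select_files(listing, pattern):
    """Return the listing entries that match the FTP File Pattern.

    fnmatchcase keeps the match case-sensitive, which mirrors how a glob such
    as AIX_Audit_* is evaluated against file names on AIX.
    """
    return sorted(name for name in listing if fnmatch.fnmatchcase(name, pattern))


def line_by_line(contents):
    """Emulate the LineByLine event generator: each line becomes one event.

    splitlines() accepts both LF and CRLF endings. Dropping empty lines is an
    assumption made here so that a trailing newline does not yield an empty event.
    """
    return [line for line in contents.splitlines() if line]


def collect(listing, files, pattern):
    """Fetch every matching file and turn its lines into event records (hypothetical record shape)."""
    events = []
    for name in select_files(listing, pattern):
        for number, payload in enumerate(line_by_line(files[name]), start=1):
            events.append({"file": name, "line": number, "payload": payload})
    return events


if __name__ == "__main__":
    for event in collect(REMOTE_LISTING, SAMPLE_FILES, "AIX_Audit_*"):
        print(f"{event['file']}:{event['line']}  {event['payload']}")
```

Running the script against the constructed listing collects the two files that match AIX_Audit_* (the lowercase name and syslog.out are skipped) and produces three events, one per line, which is the 1:1 line-to-event mapping the Event Generator row describes.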