IBM AIX Audit DSM overview
The IBM® AIX® Audit DSM collects detailed audit information for events that occur on your IBM AIX appliance.
The following table identifies the specifications for the IBM AIX Audit DSM:
Specification | Value |
---|---|
Manufacturer | IBM |
DSM names | IBM AIX Audit |
RPM file names | DSM-IBMAIXAudit-QRadar_version-build_number.noarch.rpm |
Supported versions | V6.1 and V7.1 |
Protocol type | Syslog, Log File Protocol |
QRadar recorded event types | Audit events |
Automatically discovered? | Yes |
Includes identity? | No |
More information | IBM website (http://www.ibm.com/) |
To integrate IBM AIX Audit events with QRadar, complete the following steps:
- Download the latest version of the IBM AIX Audit DSM from the IBM Support Website.
- For syslog events, complete the following steps:
  - Configure your IBM AIX Audit device to send syslog events to QRadar. See Configuring IBM AIX Audit DSM to send syslog events to QRadar.
  - If QRadar does not automatically discover the log source, add an IBM AIX Audit log source. Use the following IBM AIX Audit-specific values in the log source configuration:

Parameter | Value |
---|---|
Log Source Type | IBM AIX Audit |
Protocol Configuration | Syslog |
- For log file protocol events, complete the following steps:
  - Configure your IBM AIX Audit device to convert audit logs to the log file protocol format.
  - Configure a log file protocol-based log source for your IBM AIX Audit device. Use the following protocol-specific values in the log source configuration:

Parameter | Value |
---|---|
Log Source Type | IBM AIX Audit |
Protocol Configuration | Log File |
Service Type | The protocol to retrieve log files from a remote server. Important: If you select the SCP or SFTP service type, ensure that the server that is specified in the Remote IP or Hostname parameter has the SFTP subsystem enabled. |
Remote Port | If the host for your event files uses a non-standard port number for FTP, SFTP, or SCP, adjust the port value. |
SSH Key File | If you select SCP or SFTP as the Service Type, use this parameter to define an SSH private key file. When you provide an SSH Key File, the Remote Password parameter is ignored. |
Remote Directory | The directory location on the remote host where the files are retrieved. Specify the location relative to the user account you are using to log in. Restriction: For FTP only. If your log files are in a remote user home directory, leave the remote directory blank to support operating systems where a change in the working directory (CWD) command is restricted. |
FTP File Pattern | The FTP file pattern must match the name that you assigned to your AIX audit files with the -n parameter in the audit script. For example, to collect files that start with AIX_Audit and end with your time stamp value, type AIX_Audit_*. |
FTP Transfer Mode | ASCII is required for text event logs that are retrieved by the log file protocol by using FTP. |
Processor | NONE |
Change Local Directory? | Leave this check box clear. |
Event Generator | LineByLine. The Event Generator applies more processing to the retrieved event files. Each line of the file is a single event. For example, if a file has 10 lines of text, 10 separate events are created. |
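The following is an added example, not QRadar's own code, that emulates what the FTP File Pattern and the LineByLine Event Generator do to a retrieved directory: only files whose names match the pattern are collected, and every line of each collected file becomes one event. The directory listing and file contents are constructed for the example, and shell-style glob matching of the pattern is an assumption, since this page does not state the pattern syntax.

```python
import fnmatch
from typing import Dict, List

# Constructed sample of a remote directory listing (file name -> contents):
# two audit files named with a prefix and a time stamp, plus one unrelated
# file. Names and contents are made up for this example.
REMOTE_FILES: Dict[str, str] = {
    "AIX_Audit_20240101T000000": "event one\nevent two\nevent three\n",
    "AIX_Audit_20240101T010000": "event four\r\nevent five\r\n",
    "syslog.conf": "not an audit file\n",
}


def select_files(listing: Dict[str, str], pattern: str) -> List[str]:
    """Return the names that the FTP File Pattern selects.

    Assumption: the pattern is matched as a shell-style glob.
    """
    return sorted(name for name in listing if fnmatch.fnmatch(name, pattern))


def line_by_line_events(text: str) -> List[str]:
    """Emulate the LineByLine Event Generator: each line is one event.

    splitlines() accepts both LF and CRLF endings, so a file transferred in
    ASCII mode yields the same events regardless of its original line ending.
    """
    return text.splitlines()


def collect(listing: Dict[str, str], pattern: str = "AIX_Audit_*") -> Dict[str, List[str]]:
    """Map each matching file name to the events it yields in one retrieval pass."""
    return {name: line_by_line_events(listing[name]) for name in select_files(listing, pattern)}


def total_events(listing: Dict[str, str], pattern: str = "AIX_Audit_*") -> int:
    """Number of events QRadar would create from one retrieval pass."""
    return sum(len(events) for events in collect(listing, pattern).values())


if __name__ == "__main__":
    for name, events in collect(REMOTE_FILES).items():
        print(f"{name}: {len(events)} events")
    print("total:", total_events(REMOTE_FILES))
```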