Documentation Center
AlienVault® USM Anywhere™

IBM AIX Audit

When you configure IBM AIX Audit device integration to send log data to USM Anywhere, you can use the IBM AIX Audit plugin to translate the raw log data into normalized events for analysis.

Device Details
Device vendor IBM
Device type Operating system
Connection type syslog
Vendor link Configuring IBM AIX Audit DSM to send syslog events to QRada

Integrating IBM AIX Audit

The IBM AIX Audit DSM automatically discovers syslog audit events forwarded from IBM AIX to USM Anywhere, and creates a log source. If some events are not automatically discovered, you can manually configure a log source.

Before you configure the integration, you must have the IP Address of the USM AnywhereUSM Appliance Sensor.

To configure AIX Audit to send log data to USM Anywhere

  1. Log into the AIX appliance.
  2. Edit the audit configuration file residing at /etc/security/audit/config, as follows.

    1. Edit the Start section to enable the STREAM mode, for example:

      streammode = on

      Note: The IBM AIX Audit plugin also works with the BIN mode enabled, so you may choose to either enable (binmode = on) or disable (binmode = off) the BIN mode in the Start section, depending on your requirements.

    2. Edit the Classes section to specify which classes to audit.

    3. Save the changes.
  3. Open /etc/security/audit/streamcmds.and add the following line of code:

    /usr/sbin/auditstream | /usr/sbin/auditselect -m -e "command != logger && command != auditstream && command != auditpr && command != auditselect"|auditpr -t0 -h eclrRdi -v |sed -e :a -e '$!N;s/\n / /;ta' -e 'P;D'| /usr/bin/logger -p local0.debug -r &

  4. Save the change.
  5. Edit /etc/syslog.conf to specify a debug entry and the IP address of the USM Anywhere Sensor:

    *.debug @<USM-Anywhere-Sensor-IP-Address>

    Important: A tab must separate *.debug from the IP address.

  6. Save the change.
  7. Reload the syslog configuration:

    refresh -s syslogd

  8. Start the audit script on your IBM AIX appliance:

    audit start

Plugin Enablement

For plugin enablement information, see Manual Plugin Management.

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • application_protocol

  • customfield_1

  • customheader_1

  • destination_username

  • destination_hostname

  • event_description

  • event_name

  • event_outcome

  • file_name

  • file_path

  • source_address

  • source_hostname

  • source_port

  • source_userid

  • source_username

  • timestamp_occured

Troubleshooting

For troubleshooting, refer to the vendor documentation: