Visitors: 19788009

Latest Articles


Stream AIX AUDIT into SYSLOG PDF Print E-mail
User Rating: / 2
Written by Michael Felt   

Howto Stream AIX AUDIT into SYSLOG

I am frequently asked “How can I get audit output into syslog?” and I answered it once on my SecuringAIX blog in February 2013 . However, the formatting there is not really what I would like it to be, so I am doing it again here!

This is a quick explanation of how to get audit events to stream into syslog. The emphasis is on quick. Your questions, improvements, or other feedback via the forums is appreciated?

1) Choose a syslog stream that you are going to use. In the screenshots I am using local1, but you may want a different one. As you can see from the examples it is simple to setup, so it is also simple to change to a different number. FYI local4 is used by ipsec filter logging. And onc chosen, add the log entry into /etc/syslog.conf so that it looks something like this:

Do not forget to make sure the file exists before you refresh the syslogd.

2) Next you will need to verify/edit /etc/security/audit/config to activate stream mode and point it at a better script for processing stream events. Below is an output from egrep showing the changes to config and the contents of streams.001

I created the class syslog to make it more clear why these events were being used. You could choose to use the general class instead (actually, I just copied the general class and renamed the copy syslog for the example. There is no special consideration given to the events for the class. I ony want to show how to send a class of events using audit stream into syslog. In other words, YOU will still need to consider what events and conditions you want.

As pictures are not cut/pasteable here is the contents of /etc/security/audit/streams.001

# cat /etc/security/audit/streams.001
/usr/sbin/auditstream -m -c syslog | tee -a /audit/syslog.bin | auditselect -e "result==FAIL && command!=java" |
auditpr -v | logger -p local1.warn -t audit &
/usr/sbin/auditstream -m -c myobjs | tee -a /audit/myobjs.bin | auditpr -v | logger -p local1.warn -t audit &

Note that you cannot (easily) use \| at the end of the line to keep the layout pretty. In other words, each command (max number is around 30) needs to be on it's own line, and end it with an ampersand (&) so that it runs in the background.

3) activate audit.

# audit start

And then using the commands ps and proctree you can see how the stream commands are setup to run..

I hope this helps with using AIX audit more effectively!

I found this IBM technote that describes something similiar as above - however they also say this: " This configuration is NOT RECOMMENDED, however, it has been known to work on some servers."

See the technote here !

< Prev   Next >

Legacy PDFs

AIX 5.2
AIX 5.1