...
AIX logs can be forwarded to Snare Central by the open source Snare for AIX agent, and will be received on port 6161 TCP or UDP, or the TLS receiver on port 6163.
Sample Events
lpar20_pub AIXAudit 4 1 Thu Dec 02 19:40:32 2004 FILE_Open snarecore root 20000190 30468 1 OK flags: 0 mode: 0 fd: 4 filename /etc/resolv.conflpar20_pub AIXAudit 3 11 Thu Dec 02 19:40:32 2004 PROC_Execute tail root 20000190 28152 22930 OK euid: 0 egid: 0 epriv: ffffffff:ffffffff name /usr/bin/taillpar20_pub AIXAudit 4 10 Thu Dec 02 19:40:32 2004 USER_Login sshd root root 30018 18836 OK user: 20000190 tty: sshlpar20_pub AIXAudit 4 8 Thu Dec 02 19:40:32 2004 USER_SU su root 20000190 31486 28322 OK root
Fields
Field | Description |
|---|---|
DATE | Event date, in the format YYYY-MM-DD |
TIME | Event time, in the format HH:MM:SS |
SYSTEM | The source system |
TABLE | AIXAudit |
EVENTID | The AIX event. Examples include USER_SU, PROC_Execute, FILE_Open, |
EVENTCOUNTAIX Event count | An internal counter of the generated event. Incremented by one each time an event is generated. |
RUID | Real UID - the UID associated with the user at login |
EUID | Effective UID - the UID under which the current executable is running |
PROCESS | The process name associated with this event |
PID | Process ID |
PPID | Parent Process ID |
RETURNCODE | Returncode - eg: OKof the executed command or system call |
STRINGS | Any extra content sent by the agent, delimited by four spaces. |
TARGET | For some events, the target (such as a filename, or process) associated with the event - may be included within the STRINGS field. |