Log Types: AIXAudit

Overview

AIX (Advanced Interactive eXecutive) is a family of proprietary Unix operating systems developed and sold by IBM for several of its computer platforms. AIX includes a reasonably comprehensive audit subsystem that can record a range of system calls and authentication events.

AIX audit logs are forwarded to Snare Central by the open source Snare for AIX agent. Snare Central receives them on TCP or UDP port 6161, or on the TLS receiver on TCP port 6163. Use the TLS receiver where agent traffic crosses a network you do not control: UDP delivery is neither acknowledged nor encrypted, so events can be lost or read in transit.

Sample Events

lpar20_pub AIXAudit 4 1 Thu Dec 02 19:40:32 2004 FILE_Open snarecore root 20000190 30468 1 OK flags: 0 mode: 0 fd: 4 filename /etc/resolv.conf
lpar20_pub AIXAudit 3 11 Thu Dec 02 19:40:32 2004 PROC_Execute tail root 20000190 28152 22930 OK euid: 0 egid: 0 epriv: ffffffff:ffffffff name /usr/bin/tail
lpar20_pub AIXAudit 4 10 Thu Dec 02 19:40:32 2004 USER_Login sshd root root 30018 18836 OK user: 20000190 tty: ssh
lpar20_pub AIXAudit 4 8 Thu Dec 02 19:40:32 2004 USER_SU su root 20000190 31486 28322 OK root

Fields

Field        Description

DATE         Event date, in the format YYYY-MM-DD, as stored in Snare Central. The raw agent event carries the timestamp in the form shown in the samples above (Thu Dec 02 19:40:32 2004).
TIME         Event time, in the format HH:MM:SS.
SYSTEM       The source system (lpar20_pub in the samples above).
TABLE        AIXAudit.
EVENTID      The AIX audit event. Examples include USER_SU, PROC_Execute, FILE_Open and USER_Login.
EVENTCOUNT   An internal counter of generated events, incremented by one each time the agent generates an event.
RUID         Real UID: the UID associated with the user at login.
EUID         Effective UID: the UID under which the current executable is running.
PROCESS      The process name associated with this event.
PID          Process ID.
PPID         Parent process ID.
RETURNCODE   Return code of the executed command or system call (OK in the samples above). Filter on this field to separate successful operations from failed attempts.
STRINGS      Any extra content sent by the agent, delimited by four spaces (rendered as single spaces in the samples above).
TARGET       For some events, the target (such as a filename or process) associated with the event. It may be carried inside the STRINGS field rather than as a separate value, as with filename /etc/resolv.conf and name /usr/bin/tail in the samples above.
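The following Python script is an added example and is not part of the Snare documentation or of the Snare for AIX agent. It parses the four sample events above into the fields listed in the table, converts the agent timestamp into the DATE and TIME formats Snare Central stores, recovers TARGET from STRINGS, and flags the two events a reviewer would want to see first: a successful su to root and a successful exec running with effective UID 0. Assumptions not stated on this page: the fields are whitespace-separated in the order seen in the samples, the third token is treated as the Snare criticality level, and the RUID and EUID columns follow the order of the Fields table. The function names (parse_event, kv_pairs, extract_target, privilege_alerts) are hypothetical names introduced here.

```python
from datetime import datetime

# Constructed input: the four sample events from this page, one record per line.
SAMPLE_EVENTS = [
    "lpar20_pub AIXAudit 4 1 Thu Dec 02 19:40:32 2004 FILE_Open snarecore root 20000190 30468 1 OK flags: 0 mode: 0 fd: 4 filename /etc/resolv.conf",
    "lpar20_pub AIXAudit 3 11 Thu Dec 02 19:40:32 2004 PROC_Execute tail root 20000190 28152 22930 OK euid: 0 egid: 0 epriv: ffffffff:ffffffff name /usr/bin/tail",
    "lpar20_pub AIXAudit 4 10 Thu Dec 02 19:40:32 2004 USER_Login sshd root root 30018 18836 OK user: 20000190 tty: ssh",
    "lpar20_pub AIXAudit 4 8 Thu Dec 02 19:40:32 2004 USER_SU su root 20000190 31486 28322 OK root",
]

# Keyword that precedes the TARGET inside STRINGS. Only the keywords visible in
# the page's samples are listed; other event types are left unmapped.
TARGET_KEYWORDS = {"FILE_Open": "filename", "PROC_Execute": "name"}


def parse_event(line):
    """Split one AIXAudit record into the fields named in the Fields table.

    Assumption: fields are whitespace-separated in the order seen in the samples
    (host, table, criticality, count, 5-token timestamp, event, process, two
    UID columns, PID, PPID, return code, then STRINGS).
    """
    tok = line.split()
    if len(tok) < 16 or tok[1] != "AIXAudit":
        raise ValueError("not an AIXAudit record: %r" % line)
    # Agent timestamp looks like "Thu Dec 02 19:40:32 2004"; Snare Central
    # stores it as separate DATE (YYYY-MM-DD) and TIME (HH:MM:SS) fields.
    when = datetime.strptime(" ".join(tok[4:9]), "%a %b %d %H:%M:%S %Y")
    return {
        "SYSTEM": tok[0],
        "TABLE": tok[1],
        "CRITICALITY": int(tok[2]),  # assumed to be the Snare criticality; not in the Fields table
        "EVENTCOUNT": int(tok[3]),
        "DATE": when.strftime("%Y-%m-%d"),
        "TIME": when.strftime("%H:%M:%S"),
        "EVENTID": tok[9],
        "PROCESS": tok[10],
        "RUID": tok[11],  # position assumed from the table order
        "EUID": tok[12],  # position assumed from the table order
        "PID": int(tok[13]),
        "PPID": int(tok[14]),
        "RETURNCODE": tok[15],
        "STRINGS": " ".join(tok[16:]),
    }


def kv_pairs(strings):
    """Split STRINGS into 'key: value' pairs plus the leftover tokens.

    'euid: 0 egid: 0 name /usr/bin/tail' -> ({'euid': '0', 'egid': '0'}, 'name /usr/bin/tail')
    """
    tok, fields, rest, i = strings.split(), {}, [], 0
    while i < len(tok):
        if tok[i].endswith(":") and i + 1 < len(tok):
            fields[tok[i][:-1]] = tok[i + 1]
            i += 2
        else:
            rest.append(tok[i])
            i += 1
    return fields, " ".join(rest)


def extract_target(event):
    """Recover TARGET from STRINGS: the text after the event's keyword, or the
    bare trailing text (USER_SU carries only the target account). None if absent."""
    _, rest = kv_pairs(event["STRINGS"])
    kw = TARGET_KEYWORDS.get(event["EVENTID"])
    if kw and rest.startswith(kw + " "):
        return rest[len(kw) + 1:]
    return rest or None


def privilege_alerts(lines):
    """Flag successful su to root and successful execs with effective UID 0.
    Returns (rule, SYSTEM, PID, detail) tuples in input order."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev["RETURNCODE"] != "OK":
            continue  # failed attempts deserve their own rule, not this one
        attrs, _ = kv_pairs(ev["STRINGS"])
        if ev["EVENTID"] == "USER_SU" and extract_target(ev) == "root":
            alerts.append(("su-to-root", ev["SYSTEM"], ev["PID"], ev["RUID"]))
        elif ev["EVENTID"] == "PROC_Execute" and attrs.get("euid") == "0":
            alerts.append(("exec-as-euid0", ev["SYSTEM"], ev["PID"], extract_target(ev)))
    return alerts


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        ev = parse_event(line)
        print(ev["DATE"], ev["TIME"], ev["EVENTID"], ev["PROCESS"], "target=%s" % extract_target(ev))
    for alert in privilege_alerts(SAMPLE_EVENTS):
        print("ALERT", *alert)
```

The key/value split matters more than it looks: matching on the substring "euid: 0" would also hit "euid: 01", and the epriv value (ffffffff:ffffffff) contains a colon that must not be mistaken for a key. Keep the RETURNCODE check separate from the event match so failed su and exec attempts can feed a different rule with a different threshold.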