Log Types: IrixSAT

Overview

Irix is a discontinued operating system developed by Silicon Graphics (SGI) to run on the company's proprietary MIPS workstations and servers. It is a variety of UNIX System V with BSD extensions.

Collection

The open-source Snare for IRIX agent collects IRIX event log data and forwards it to the Snare Central server.

Sample Events

sat_ae_identity,Success TIME=(01/17/2005,16:08:04) SYSCALL=syssgi(SGI_SATWRITE) SATID=root COMMAND=cron CWD=/var/spool/cron/atjobs DEVICE=-1,-1 PARENT_PID=586 PID=1655 UGID=root,sys UGID=root,sys CAP_SET=(all= CAP_SETGID+pi CAP_SETUID+pi CAP_MAC_READ+pi CAP_MAC_RELABEL_SUBJ+pi CAP_AUDIT_CONTROL+pi CAP_AUDIT_WRITE+pi CAP_MAC_MLD+pi CAP_MAC_RELABEL_OPEN+pi) TEXT=CRON|+|root|New Session PRIVILEGE=*/capability=CAP_AUDIT_WRITE
sat_exec,Success TIME=(07/13/2004,12:47:15) SYSCALL=exece SATID= root COMMAND=mail CWD=/usr/root DEVICE=15,1 PARENT_PID=1507 PID=1509 UGID=root,mail UGID=root,sys GID_LIST=sys,daemon,bin,adm,mail CAP_SET=(all=) UGID=root,mail CAP_SET=(all=) PATHNAME=/bin/mail OBJECT=BEGIN LOOKUP=/bin/@usr//bin//mail FILE=20971839,0,76 UGID=root,mail MODE=rwxr-xr-x OBJECT=END CAP_SET=(all=) UGID=root,sys UGID=root,sys PATHNAME=/usr/lib32/libc.so.1 OBJECT=BEGIN LOOKUP=/usr//lib32//libc.so.1/@..//..//lib32//libc.so.1 FILE=29809175,0,76 UGID=root,sys MODE=r-xr-xr-x OBJECT=END.
sat_exec,Success,extra,data TIME=(07/13/2004,12:47:15) SYSCALL=exece SATID= root COMMAND=mail CWD=/usr/root DEVICE=15,1 PARENT_PID=1507 PID=1509 UGID=root,mail UGID=root,sys GID_LIST=sys,daemon,bin,adm,mail CAP_SET=(all=) UGID=root,mail CAP_SET=(all=) PATHNAME=/bin/mail OBJECT=BEGIN LOOKUP=/bin/@usr//bin//mail FILE=20971839,0,76 UGID=root,mail MODE=rwxr-xr-x OBJECT=END CAP_SET=(all=) UGID=root,sys UGID=root,sys PATHNAME=/usr/lib32/libc.so.1 OBJECT=BEGIN LOOKUP=/usr//lib32//libc.so.1/@..//..//lib32//libc.so.1 FILE=29809175,0,76 UGID=root,sys MODE=r-xr-xr-x OBJECT=END.
sat_ae_identity,Success TIME=(01/17/2005,16:12:47) SYSCALL=syssgi(SGI_SATWRITE) SATID=csirico COMMAND=su CWD=/usr/people/csirico DEVICE=15,2 PARENT_PID=1902 PID=1945 UGID=root,sys UGID=csirico,sys GID_LIST=sys,daemon,bin,adm,mail CAP_SET=(all= CAP_DAC_WRITE+p CAP_DAC_READ_SEARCH+p CAP_SETPCAP+p CAP_SETGID+p CAP_SETUID+p CAP_MAC_READ+p CAP_MAC_RELABEL_SUBJ+p CAP_MAC_WRITE+p CAP_AUDIT_WRITE+ep CAP_MAC_MLD+p CAP_PRIV_PORT+p) TEXT=SU|+|csirico|su to user root succeeded PRIVILEGE=+/capability=CAP_AUDIT_WRITE
sat_ae_identity,Failure,(Operation not permitted) TIME=(01/17/2005,16:11:57) SYSCALL=syssgi(SGI_SATWRITE) SATID=root COMMAND=xdm DEVICE=-1,-1 PARENT_PID=886 PID=1827 UGID=root,sys UGID=root,sys CAP_SET=(all=) TEXT=XDM|-|root|Excessive login attempts by the same user PRIVILEGE=*/capability=CAP_AUDIT_WRITE
sat_ae_identity,Failure,(Operation not permitted) TIME=(01/17/2005,16:12:42) SYSCALL=syssgi(SGI_SATWRITE) SATID=csirico COMMAND=su CWD=/usr/people/csirico DEVICE=15,2 PARENT_PID=1902 PID=1943 UGID=root,user UGID=csirico,user GID_LIST=user CAP_SET=(all= CAP_DAC_WRITE+p CAP_DAC_READ_SEARCH+p CAP_SETPCAP+p CAP_SETGID+p CAP_SETUID+p CAP_MAC_READ+p CAP_MAC_RELABEL_SUBJ+p CAP_MAC_WRITE+p CAP_AUDIT_WRITE+ep CAP_MAC_MLD+p CAP_PRIV_PORT+p) TEXT=SU|-|csirico|Incorrect password for user root PRIVILEGE=+/capability=CAP_AUDIT_WRITE
sat_exec,Success TIME=(07/13/2004,12:47:15) SYSCALL=exece SATID= root COMMAND=mail CWD=/usr/root DEVICE=15,1 PARENT_PID=1507 PID=1509 UGID=root,mail UGID=root,sys GID_LIST=sys,daemon,bin,adm,mail CAP_SET=(all=) UGID=root,mail CAP_SET=(all=) PATHNAME=mail OBJECT=BEGIN LOOKUP=/bin/@usr//bin//mail FILE=20971839,0,76 UGID=root,mail MODE=rwxr-xr-x OBJECT=END CAP_SET=(all=) UGID=root,sys UGID=root,sys PATHNAME=libc.so.1 OBJECT=BEGIN LOOKUP=/usr//lib32//libc.so.1/@..//..//lib32//libc.so.1 FILE=29809175,0,76 UGID=root,sys MODE=r-xr-xr-x OBJECT=END.
sat_exec,Success TIME=(07/13/2004,12:47:15) SYSCALL=exece SATID= root COMMAND=mail CWD=. DEVICE=15,1 PARENT_PID=1507 PID=1509 UGID=root,mail UGID=root,sys GID_LIST=sys,daemon,bin,adm,mail CAP_SET=(all=) UGID=root,mail CAP_SET=(all=) PATHNAME=mail OBJECT=BEGIN LOOKUP=/bin/@usr//bin//mail FILE=20971839,0,76 UGID=root,mail MODE=rwxr-xr-x OBJECT=END CAP_SET=(all=) UGID=root,sys UGID=root,sys PATHNAME=libc.so.1 OBJECT=BEGIN LOOKUP=/usr//lib32//libc.so.1/@..//..//lib32//libc.so.1 FILE=29809175,0,76 UGID=root,sys MODE=r-xr-xr-x OBJECT=END.

Fields

Field        Description

DATE         Event date, in the format YYYY-MM-DD
TIME         Event time, in the format HH:MM:SS
SYSTEM       The source system
TABLE        IrixSAT
EVENTID      The id of the event, e.g. sat_ae_identity, sat_exec
EVENTTYPE
COMMAND      The command that generated this event (e.g. mail, su)
AUID         Audit UID
EUID         Effective UID
EGID         Effective GID
TARGET       For some events (e.g. file-related events) the target file may be pulled out of the event and included here.
RETURNCODE
EVENTCOUNT
STRINGS      Any content that does not fit into one of the other explicitly defined fields
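
Added example (not part of the Snare documentation or the agent's own code): a Python parser for the SAT record layout shown in the sample events above. It splits the header (event id, Success/Failure, optional detail) from the repeated KEY=value fields, keeps SATID as the audit identity that the field table calls AUID, collects the PATHNAME of each OBJECT block as the TARGET, and decodes the pipe-delimited TEXT of sat_ae_identity records; a small helper then lists failed identity events for detection. The sample record is constructed in the shape of the su failure above, and reading TEXT's second field as a success flag ("+" vs "-") is an inference from the samples, not something the page states.

```python
import re
from collections import defaultdict

# Constructed sample, shaped like the page's su failure record (shortened).
SAMPLE = ("sat_ae_identity,Failure,(Operation not permitted) "
          "TIME=(01/17/2005,16:12:42) SYSCALL=syssgi(SGI_SATWRITE) SATID=csirico "
          "COMMAND=su CWD=/usr/people/csirico DEVICE=15,2 PARENT_PID=1902 PID=1943 "
          "UGID=root,user UGID=csirico,user GID_LIST=user "
          "CAP_SET=(all= CAP_SETUID+p CAP_AUDIT_WRITE+ep) "
          "TEXT=SU|-|csirico|Incorrect password for user root "
          "PRIVILEGE=+/capability=CAP_AUDIT_WRITE")

# KEY=value, where value is a parenthesised group (TIME, CAP_SET) or free text
# running up to the next " KEY=" boundary, so TEXT values with spaces survive.
KV = re.compile(r"([A-Z_]+)=(\([^)]*\)|.*?)(?=\s+[A-Z_]+=|$)")
# The header ("eventid,Success|Failure[,detail]") ends before the first KEY=.
HEAD_END = re.compile(r"\s+(?=[A-Z_]+=)")

def parse_sat(line):
    """Split one SAT record into header fields plus key -> [values]."""
    line = line.strip()
    m = HEAD_END.search(line)
    if m is None:
        raise ValueError("not a SAT record: %r" % line[:40])
    head, body = line[:m.start()], line[m.end():]
    parts = head.split(",", 2)  # eventid, Success/Failure, optional detail
    rec = {"eventid": parts[0], "eventtype": parts[1],
           "detail": parts[2] if len(parts) > 2 else ""}
    fields = defaultdict(list)  # UGID and PATHNAME repeat within a record
    for key, val in KV.findall(body):
        fields[key].append(val.strip())  # "SATID= root" carries a leading space
    rec["fields"] = dict(fields)
    rec["auid"] = fields["SATID"][0] if fields["SATID"] else ""  # audit identity
    rec["targets"] = fields["PATHNAME"]  # one per OBJECT=BEGIN ... OBJECT=END block
    # sat_ae_identity TEXT is "PROGRAM|+or-|user|message"; "-" marks a failure (inferred).
    rec["text"] = None
    if fields["TEXT"] and fields["TEXT"][0].count("|") >= 3:
        prog, flag, user, msg = fields["TEXT"][0].split("|", 3)
        rec["text"] = {"program": prog, "ok": flag == "+",
                       "user": user, "message": msg}
    return rec

def identity_failures(lines):
    """(program, user, message) for every identity record whose TEXT flag is "-"."""
    out = []
    for rec in map(parse_sat, lines):
        t = rec["text"]
        if rec["eventid"] == "sat_ae_identity" and t and not t["ok"]:
            out.append((t["program"], t["user"], t["message"]))
    return out
```

Feeding the sat_exec samples above through parse_sat yields two targets (/bin/mail and /usr/lib32/libc.so.1) and no TEXT, so they never appear in identity_failures.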

Notes

-