Log Types: IrixSAT
Overview
Irix is a discontinued operating system developed by Silicon Graphics (SGI) to run on the company's proprietary MIPS workstations and servers. It is a variety of UNIX System V with BSD extensions.
Collection
The open source Snare for IRIX agent is capable of collecting and forwarding IRIX eventlog data to the Snare Central server.
Sample Events
sat_ae_identity,Success TIME=(01/17/2005,16:08:04) SYSCALL=syssgi(SGI_SATWRITE) SATID=root COMMAND=cron CWD=/var/spool/cron/atjobs DEVICE=-1,-1 PARENT_PID=586 PID=1655 UGID=root,sys UGID=root,sys CAP_SET=(all= CAP_SETGID+pi CAP_SETUID+pi CAP_MAC_READ+pi CAP_MAC_RELABEL_SUBJ+pi CAP_AUDIT_CONTROL+pi CAP_AUDIT_WRITE+pi CAP_MAC_MLD+pi CAP_MAC_RELABEL_OPEN+pi) TEXT=CRON|+|root|New Session PRIVILEGE=*/capability=CAP_AUDIT_WRITE
sat_exec,Success TIME=(07/13/2004,12:47:15) SYSCALL=exece SATID= root COMMAND=mail CWD=/usr/root DEVICE=15,1 PARENT_PID=1507 PID=1509 UGID=root,mail UGID=root,sys GID_LIST=sys,daemon,bin,adm,mail CAP_SET=(all=) UGID=root,mail CAP_SET=(all=) PATHNAME=/bin/mail OBJECT=BEGIN LOOKUP=/bin/@usr//bin//mail FILE=20971839,0,76 UGID=root,mail MODE=rwxr-xr-x OBJECT=END CAP_SET=(all=) UGID=root,sys UGID=root,sys PATHNAME=/usr/lib32/libc.so.1 OBJECT=BEGIN LOOKUP=/usr//lib32//libc.so.1/@..//..//lib32//libc.so.1 FILE=29809175,0,76 UGID=root,sys MODE=r-xr-xr-x OBJECT=END.
sat_exec,Success,extra,data TIME=(07/13/2004,12:47:15) SYSCALL=exece SATID= root COMMAND=mail CWD=/usr/root DEVICE=15,1 PARENT_PID=1507 PID=1509 UGID=root,mail UGID=root,sys GID_LIST=sys,daemon,bin,adm,mail CAP_SET=(all=) UGID=root,mail CAP_SET=(all=) PATHNAME=/bin/mail OBJECT=BEGIN LOOKUP=/bin/@usr//bin//mail FILE=20971839,0,76 UGID=root,mail MODE=rwxr-xr-x OBJECT=END CAP_SET=(all=) UGID=root,sys UGID=root,sys PATHNAME=/usr/lib32/libc.so.1 OBJECT=BEGIN LOOKUP=/usr//lib32//libc.so.1/@..//..//lib32//libc.so.1 FILE=29809175,0,76 UGID=root,sys MODE=r-xr-xr-x OBJECT=END.
sat_ae_identity,Success TIME=(01/17/2005,16:12:47) SYSCALL=syssgi(SGI_SATWRITE) SATID=csirico COMMAND=su CWD=/usr/people/csirico DEVICE=15,2 PARENT_PID=1902 PID=1945 UGID=root,sys UGID=csirico,sys GID_LIST=sys,daemon,bin,adm,mail CAP_SET=(all= CAP_DAC_WRITE+p CAP_DAC_READ_SEARCH+p CAP_SETPCAP+p CAP_SETGID+p CAP_SETUID+p CAP_MAC_READ+p CAP_MAC_RELABEL_SUBJ+p CAP_MAC_WRITE+p CAP_AUDIT_WRITE+ep CAP_MAC_MLD+p CAP_PRIV_PORT+p) TEXT=SU|+|csirico|su to user root succeeded PRIVILEGE=+/capability=CAP_AUDIT_WRITE
sat_ae_identity,Failure,(Operation not permitted) TIME=(01/17/2005,16:11:57) SYSCALL=syssgi(SGI_SATWRITE) SATID=root COMMAND=xdm DEVICE=-1,-1 PARENT_PID=886 PID=1827 UGID=root,sys UGID=root,sys CAP_SET=(all=) TEXT=XDM|-|root|Excessive login attempts by the same user PRIVILEGE=*/capability=CAP_AUDIT_WRITE
sat_ae_identity,Failure,(Operation not permitted) TIME=(01/17/2005,16:12:42) SYSCALL=syssgi(SGI_SATWRITE) SATID=csirico COMMAND=su CWD=/usr/people/csirico DEVICE=15,2 PARENT_PID=1902 PID=1943 UGID=root,user UGID=csirico,user GID_LIST=user CAP_SET=(all= CAP_DAC_WRITE+p CAP_DAC_READ_SEARCH+p CAP_SETPCAP+p CAP_SETGID+p CAP_SETUID+p CAP_MAC_READ+p CAP_MAC_RELABEL_SUBJ+p CAP_MAC_WRITE+p CAP_AUDIT_WRITE+ep CAP_MAC_MLD+p CAP_PRIV_PORT+p) TEXT=SU|-|csirico|Incorrect password for user root PRIVILEGE=+/capability=CAP_AUDIT_WRITE
sat_exec,Success TIME=(07/13/2004,12:47:15) SYSCALL=exece SATID= root COMMAND=mail CWD=/usr/root DEVICE=15,1 PARENT_PID=1507 PID=1509 UGID=root,mail UGID=root,sys GID_LIST=sys,daemon,bin,adm,mail CAP_SET=(all=) UGID=root,mail CAP_SET=(all=) PATHNAME=mail OBJECT=BEGIN LOOKUP=/bin/@usr//bin//mail FILE=20971839,0,76 UGID=root,mail MODE=rwxr-xr-x OBJECT=END CAP_SET=(all=) UGID=root,sys UGID=root,sys PATHNAME=libc.so.1 OBJECT=BEGIN LOOKUP=/usr//lib32//libc.so.1/@..//..//lib32//libc.so.1 FILE=29809175,0,76 UGID=root,sys MODE=r-xr-xr-x OBJECT=END.
sat_exec,Success TIME=(07/13/2004,12:47:15) SYSCALL=exece SATID= root COMMAND=mail CWD=. DEVICE=15,1 PARENT_PID=1507 PID=1509 UGID=root,mail UGID=root,sys GID_LIST=sys,daemon,bin,adm,mail CAP_SET=(all=) UGID=root,mail CAP_SET=(all=) PATHNAME=mail OBJECT=BEGIN LOOKUP=/bin/@usr//bin//mail FILE=20971839,0,76 UGID=root,mail MODE=rwxr-xr-x OBJECT=END CAP_SET=(all=) UGID=root,sys UGID=root,sys PATHNAME=libc.so.1 OBJECT=BEGIN LOOKUP=/usr//lib32//libc.so.1/@..//..//lib32//libc.so.1 FILE=29809175,0,76 UGID=root,sys MODE=r-xr-xr-x OBJECT=END.
Fields
| Field | Description |
|---|---|
| DATE | Event date, in the format YYYY-MM-DD |
| TIME | Event time, in the format HH:MM:SS |
| SYSTEM | The source system |
| TABLE | IrixSAT |
| EVENTID | The event id, e.g. sat_ae_identity or sat_exec |
| EVENTTYPE | |
| COMMAND | The command that generated this event (e.g. mail, su) |
| AUID | Audit UID |
| EUID | Effective UID |
| EGID | Effective GID |
| TARGET | For some events (e.g. file-related events) the target file is pulled out of the event and included here. |
| RETURNCODE | |
| EVENTCOUNT | |
| STRINGS | Any content that does not fit into one of the other explicitly defined fields |
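As an added example (not part of this page, the Snare agent or IRIX itself), the parser below turns a SAT text record into the column layout from the table above: it splits the header at the first `KEY=` token, tokenises parenthesised values such as `TIME=(...)` and `CAP_SET=(...)` and space-containing values such as `TEXT=...`, and lifts SATID, the first UGID pair, COMMAND and PATHNAME into AUID, EUID/EGID, COMMAND and TARGET, leaving every other token in STRINGS. Treating the first UGID pair as the effective uid/gid, mapping the Success/Failure word onto RETURNCODE and the `system` hostname argument are assumptions made here; the page does not say how those columns are derived. The sample lines are the ones shown under Sample Events. The last helper picks out failed sat_ae_identity records, which in the samples are the xdm lockout and the failed su to root, the events a detection rule on this source would key on.

```python
"""Parse IRIX SAT text records into the IrixSAT field layout (added example)."""
import re
from datetime import datetime

# A record is "<eventid>,<status>[,<detail>] KEY=VALUE KEY=VALUE ...".
# Values may be parenthesised (TIME, CAP_SET) or contain spaces (TEXT), so
# the body is tokenised on KEY= boundaries and bare words are appended to
# the preceding value.
HEADER_END = re.compile(r"\s(?=[A-Z_]+=)")
TOKEN = re.compile(r"([A-Z_]+)=(\([^)]*\)|\S*)")

# Keys whose first occurrence is lifted into a named column; everything else
# goes to STRINGS. Taking the first UGID pair as the effective uid/gid is an
# assumption of this example, not something the page states.
MAPPED = ("TIME", "SATID", "COMMAND", "UGID", "PATHNAME")


def split_header(line):
    """Return (header, body): header is the text before the first KEY= token."""
    m = HEADER_END.search(line)
    if m is None:
        return line.strip(), ""
    return line[: m.start()], line[m.end():]


def parse_body(body):
    """Tokenise the KEY=VALUE body into an ordered list of (key, value) pairs."""
    pairs, pos = [], 0
    for m in TOKEN.finditer(body):
        gap = body[pos : m.start()].strip()
        if gap and pairs:  # bare words continue the previous value
            key, val = pairs[-1]
            pairs[-1] = (key, (val + " " + gap).strip())
        pairs.append((m.group(1), m.group(2)))
        pos = m.end()
    tail = body[pos:].strip()
    if tail and pairs:
        key, val = pairs[-1]
        pairs[-1] = (key, (val + " " + tail).strip())
    return pairs


def to_record(line, system="irix-host"):
    """Map one SAT line onto the IrixSAT columns from the Fields table."""
    header, body = split_header(line)
    parts = header.split(",", 2)
    eventid = parts[0]
    status = parts[1] if len(parts) > 1 else ""
    detail = parts[2] if len(parts) > 2 else ""
    pairs = parse_body(body)

    def first(key):
        return next((v for k, v in pairs if k == key), "")

    try:  # TIME=(MM/DD/YYYY,HH:MM:SS) -> ISO date and clock time
        stamp = datetime.strptime(first("TIME").strip("()"), "%m/%d/%Y,%H:%M:%S")
        date, clock = stamp.strftime("%Y-%m-%d"), stamp.strftime("%H:%M:%S")
    except ValueError:
        date, clock = "", ""
    ugid = first("UGID").split(",", 1)

    seen, rest = set(), []
    if detail:  # e.g. "(Operation not permitted)" on a Failure record
        rest.append(detail)
    for key, val in pairs:
        if key in MAPPED and key not in seen:
            seen.add(key)
            continue
        rest.append(f"{key}={val}")

    return {
        "DATE": date, "TIME": clock, "SYSTEM": system, "TABLE": "IrixSAT",
        "EVENTID": eventid,
        "RETURNCODE": status,          # Success / Failure (assumed mapping)
        "COMMAND": first("COMMAND"),
        "AUID": first("SATID"),        # tolerant of "SATID= root" (space after =)
        "EUID": ugid[0], "EGID": ugid[1] if len(ugid) > 1 else "",
        "TARGET": first("PATHNAME"),   # only present on file-related events
        "STRINGS": " ".join(rest),
    }


def failed_identity_events(lines, system="irix-host"):
    """Records worth alerting on: sat_ae_identity events whose status is Failure."""
    recs = [to_record(line, system) for line in lines]
    return [r for r in recs if r["EVENTID"] == "sat_ae_identity" and r["RETURNCODE"] == "Failure"]


# Sample lines taken verbatim from the Sample Events section above.
SAMPLES = [
    "sat_ae_identity,Success TIME=(01/17/2005,16:08:04) SYSCALL=syssgi(SGI_SATWRITE) SATID=root COMMAND=cron CWD=/var/spool/cron/atjobs DEVICE=-1,-1 PARENT_PID=586 PID=1655 UGID=root,sys UGID=root,sys CAP_SET=(all= CAP_SETGID+pi CAP_SETUID+pi CAP_MAC_READ+pi CAP_MAC_RELABEL_SUBJ+pi CAP_AUDIT_CONTROL+pi CAP_AUDIT_WRITE+pi CAP_MAC_MLD+pi CAP_MAC_RELABEL_OPEN+pi) TEXT=CRON|+|root|New Session PRIVILEGE=*/capability=CAP_AUDIT_WRITE",
    "sat_ae_identity,Failure,(Operation not permitted) TIME=(01/17/2005,16:11:57) SYSCALL=syssgi(SGI_SATWRITE) SATID=root COMMAND=xdm DEVICE=-1,-1 PARENT_PID=886 PID=1827 UGID=root,sys UGID=root,sys CAP_SET=(all=) TEXT=XDM|-|root|Excessive login attempts by the same user PRIVILEGE=*/capability=CAP_AUDIT_WRITE",
    "sat_ae_identity,Failure,(Operation not permitted) TIME=(01/17/2005,16:12:42) SYSCALL=syssgi(SGI_SATWRITE) SATID=csirico COMMAND=su CWD=/usr/people/csirico DEVICE=15,2 PARENT_PID=1902 PID=1943 UGID=root,user UGID=csirico,user GID_LIST=user CAP_SET=(all= CAP_DAC_WRITE+p CAP_DAC_READ_SEARCH+p CAP_SETPCAP+p CAP_SETGID+p CAP_SETUID+p CAP_MAC_READ+p CAP_MAC_RELABEL_SUBJ+p CAP_MAC_WRITE+p CAP_AUDIT_WRITE+ep CAP_MAC_MLD+p CAP_PRIV_PORT+p) TEXT=SU|-|csirico|Incorrect password for user root PRIVILEGE=+/capability=CAP_AUDIT_WRITE",
    "sat_exec,Success TIME=(07/13/2004,12:47:15) SYSCALL=exece SATID= root COMMAND=mail CWD=/usr/root DEVICE=15,1 PARENT_PID=1507 PID=1509 UGID=root,mail UGID=root,sys GID_LIST=sys,daemon,bin,adm,mail CAP_SET=(all=) UGID=root,mail CAP_SET=(all=) PATHNAME=mail OBJECT=BEGIN LOOKUP=/bin/@usr//bin//mail FILE=20971839,0,76 UGID=root,mail MODE=rwxr-xr-x OBJECT=END CAP_SET=(all=) UGID=root,sys UGID=root,sys PATHNAME=libc.so.1 OBJECT=BEGIN LOOKUP=/usr//lib32//libc.so.1/@..//..//lib32//libc.so.1 FILE=29809175,0,76 UGID=root,sys MODE=r-xr-xr-x OBJECT=END.",
]

if __name__ == "__main__":
    for rec in failed_identity_events(SAMPLES):
        print(rec["DATE"], rec["TIME"], rec["COMMAND"], rec["AUID"], rec["STRINGS"])
```

The tokeniser deliberately keeps repeated keys (a sat_exec record carries several UGID and CAP_SET pairs and one OBJECT=BEGIN/END group per file touched), so nothing from the record is lost into STRINGS silently; a rule that needs, say, the MODE of the executed file can still find it there.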
Notes
-