Hi all,
I need your help to configure AIX to send logs to QRadar. I tried all the methods mentioned on the IBM website with no success. Please help.
The logs I should receive from AIX and display in QRadar are (create user, delete user, changes in privileges, etc.).
My Skype account:
khaled_ly84
Regards
gull04
December 5, 2018, 5:02am
Hi,
Can you post the output of;
cat /etc/security/audit/streamcmds
cat /etc/security/audit/config
Or check that binmode=off
and streammode=on
as these are requirements.
Also, what messages, if any, do you get when you run refresh -s syslogd and audit start?
Regards
Gull04
Output
cat /etc/security/audit/streamcmds
/usr/sbin/auditstream | auditpr -v > /audit/stream.out&
/usr/sbin/auditstream | auditpr -h eclrRdi | /usr/bin/logger -p local0.debug&
/usr/sbin/auditstream | /usr/sbin/auditselect -m -e "command != logger && command != auditstream && command != auditpr && command != auditselect"|auditpr -t0 -h eclrRdi -v |sed -e :a -e '$!N;s/\n / /;ta' -e 'P;D'| /usr/bin/logger -p local0.debug -r &
output
cat /etc/security/audit/config
start:
binmode = off
streammode = on
bin:
trail = /audit/trail
bin1 = /audit/bin1
bin2 = /audit/bin2
binsize = 10240
cmds = /etc/security/audit/bincmds
freespace = 65536
backuppath = /audit
backupsize = 0
bincompact = off
# refresh -s syslogd
0513-095 The request for subsystem refresh was completed successfully.
# audit start
** auditing enabled already
Invalid argument
#
Please, if you have a good background in this topic, let's have a Skype call.
gull04
December 6, 2018, 7:04am
Hi,
I think that you need to set the count to your logger command or remove the count switch.
/usr/sbin/auditstream | /usr/sbin/auditselect -m -e "command != logger && command != auditstream && command != auditpr && command != auditselect"|auditpr -t0 -h eclrRdi -v |sed -e :a -e '$!N;s/\n / /;ta' -e 'P;D'| /usr/bin/logger -p local0.debug -r &
Should read;
/usr/sbin/auditstream | /usr/sbin/auditselect -m -e "command != logger && command != auditstream && command != auditpr && command != auditselect"|auditpr -t0 -h eclrRdi -v |sed -e :a -e '$!N;s/\n / /;ta' -e 'P;D'| /usr/bin/logger -p local0.debug &
or
/usr/sbin/auditstream | /usr/sbin/auditselect -m -e "command != logger && command != auditstream && command != auditpr && command != auditselect"|auditpr -t0 -h eclrRdi -v |sed -e :a -e '$!N;s/\n / /;ta' -e 'P;D'| /usr/bin/logger -p local0.debug -r nn &
Where nn is an integer from 1 to 1000.
Hope that this helps.
Regards
Gull04
Thanks a lot, I will try this and then revert back to you.
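As an added example (not code from the original thread, from IBM, or from QRadar's DSM documentation), here is a POSIX shell script that does two things the thread touches on: it checks the two audit/config requirements gull04 lists (binmode = off and streammode = on in the start: stanza) against a sample config, and it runs the exact sed expression from the posted streamcmds line over sample auditpr -v output to show what that sed does: it folds each indented continuation line into the record's header line, so every audit event reaches logger, and therefore syslog and QRadar, as a single line. The config stanza, the auditpr lines and the user name inside them are constructed sample data, not output from a real AIX host.

```shell
#!/bin/sh
# Added example, not from the original post. Checks the audit/config
# requirements named in the thread and demonstrates the sed pipeline from
# streamcmds. All input below is constructed sample data.

# Constructed sample of a correct /etc/security/audit/config start: stanza.
SAMPLE_CONFIG='start:
        binmode = off
        streammode = on
bin:
        trail = /audit/trail'

# Constructed sample of a stanza that would NOT stream events to syslog.
SAMPLE_CONFIG_BAD='start:
        binmode = on
        streammode = off'

# check_audit_modes CONFIG_TEXT
# Returns 0 when the first binmode/streammode settings read off/on, else 1.
check_audit_modes() {
    binmode=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*binmode[[:space:]]*=[[:space:]]*\([a-z]*\).*/\1/p' \
        | head -n 1)
    streammode=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*streammode[[:space:]]*=[[:space:]]*\([a-z]*\).*/\1/p' \
        | head -n 1)
    [ "$binmode" = "off" ] && [ "$streammode" = "on" ]
}

# Constructed sample of what 'auditpr -t0 -h eclrRdi -v' emits: one header
# line per event followed by indented continuation lines for the -v fields.
SAMPLE_AUDITPR='USER_Create root OK Wed Dec 05 09:00:00 2018 mkuser 1234
        user: khaled
USER_Remove root OK Wed Dec 05 09:05:00 2018 rmuser 1235
        user: khaled'

# join_records AUDITPR_TEXT
# Same sed as in the posted streamcmds: append the next line, and while the
# appended line starts with a space, replace the newline with a space and
# loop; otherwise print the finished record and continue with the remainder.
join_records() {
    printf '%s\n' "$1" | sed -e :a -e '$!N;s/\n / /;ta' -e 'P;D'
}

# Demo when run directly.
if check_audit_modes "$SAMPLE_CONFIG"; then
    echo "audit/config ok: binmode = off, streammode = on"
else
    echo "audit/config: binmode must be off and streammode on for syslog streaming"
fi
echo "--- records as logger would receive them (one line per event) ---"
join_records "$SAMPLE_AUDITPR"
```

If your own config fails the check, fix the start: stanza, then run audit shutdown followed by audit start; the "auditing enabled already" message in the thread means audit start was run while the subsystem was still active, so the new settings were not re-read.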