Configure AIX server to send logs and auditing to Qradar

khaled_ly84 · December 5, 2018, 2:34am

[LEFT]Hi All

I need your help to configure Aix to send logs to Qradar, I did all the methods that mentioned in IBM website and no use, Plz Help,,
The Logs should I receive from Aix and display in Qradar is (create user delete user changing in privileges....etc )

my skype account
khaled_ly84

regards [/LEFT]

gull04 · December 5, 2018, 5:02am

Hi,

Can you post the output of;

cat /etc/security/audit/streamcmds
cat /etc/security/audit/config

Or check that binmode=off and streammode=on as these are requirements.

Also what if any messages do you get when you run refresh -s syslogd and audit start

Regards

Gull04

khaled_ly84 · December 6, 2018, 3:29am

Output

cat /etc/security/audit/streamcmds

/usr/sbin/auditstream | auditpr -v > /audit/stream.out&
/usr/sbin/auditstream | auditpr -h eclrRdi | /usr/bin/logger -p local0.debug&
/usr/sbin/auditstream | /usr/sbin/auditselect -m -e "command != logger && command != auditstream && command != auditpr && command != auditselect"|auditpr -t0 -h eclrRdi -v |sed -e :a -e '$!N;s/\n / /;ta' -e 'P;D'| /usr/bin/logger -p local0.debug -r &

output

cat /etc/security/audit/config
 start:
        binmode = off
        streammode = on

bin:
        trail = /audit/trail
        bin1 = /audit/bin1
        bin2 = /audit/bin2
        binsize = 10240
        cmds = /etc/security/audit/bincmds
        freespace = 65536
        backuppath = /audit
        backupsize = 0
        bincompact = off

# refresh -s syslogd
0513-095 The request for subsystem refresh was completed successfully.
# audit start
** auditing enabled already
Invalid argument
#

please if u have a good background about this topic let's have a skybe call

gull04 · December 6, 2018, 7:04am

Hi,

I think that you need to set the count to your logger command or remove the count switch.

/usr/sbin/auditstream | /usr/sbin/auditselect -m -e "command != logger && command != auditstream && command != auditpr && command != auditselect"|auditpr -t0 -h eclrRdi -v |sed -e :a -e '$!N;s/\n / /;ta' -e 'P;D'| /usr/bin/logger -p local0.debug -r &

Should read;

/usr/sbin/auditstream | /usr/sbin/auditselect -m -e "command != logger && command != auditstream && command != auditpr && command != auditselect"|auditpr -t0 -h eclrRdi -v |sed -e :a -e '$!N;s/\n / /;ta' -e 'P;D'| /usr/bin/logger -p local0.debug &

or

/usr/sbin/auditstream | /usr/sbin/auditselect -m -e "command != logger && command != auditstream && command != auditpr && command != auditselect"|auditpr -t0 -h eclrRdi -v |sed -e :a -e '$!N;s/\n / /;ta' -e 'P;D'| /usr/bin/logger -p local0.debug -r nn &

Where nn is an integer from 1 to 1000.

Hope that this helps.

Regards

Gull04

khaled_ly84 · December 7, 2018, 1:45pm

Thanks alot I will try this then I will revert u back