Configure AIX server to send logs and auditing to Qradar


# 1  
Configure AIX server to send logs and auditing to Qradar

Hi All

I need your help configuring AIX to send logs to QRadar. I tried all the methods mentioned on the IBM website, with no success. Please help.
The logs I should receive from AIX and display in QRadar are user creation, user deletion, changes in privileges, etc.

My Skype account: khaled_ly84

regards

Last edited by Don Cragun; 12-05-2018 at 02:45 AM.. Reason: Remove tags making entire post bold.
# 2  
Hi,

Can you post the output of:

Code:
cat /etc/security/audit/streamcmds
cat /etc/security/audit/config

Or check that binmode=off and streammode=on, as these are requirements.

Also, what messages, if any, do you get when you run refresh -s syslogd and audit start?

Regards

Gull04

Last edited by RudiC; 12-06-2018 at 06:15 AM..
# 3  
Output


Code:
cat /etc/security/audit/streamcmds

/usr/sbin/auditstream | auditpr -v > /audit/stream.out&
/usr/sbin/auditstream | auditpr -h eclrRdi | /usr/bin/logger -p local0.debug&
/usr/sbin/auditstream | /usr/sbin/auditselect -m -e "command != logger && command != auditstream && command != auditpr && command != auditselect"|auditpr -t0 -h eclrRdi -v |sed -e :a -e '$!N;s/\n / /;ta' -e 'P;D'| /usr/bin/logger -p local0.debug -r &

Output:


Code:
cat /etc/security/audit/config
 start:
        binmode = off
        streammode = on

bin:
        trail = /audit/trail
        bin1 = /audit/bin1
        bin2 = /audit/bin2
        binsize = 10240
        cmds = /etc/security/audit/bincmds
        freespace = 65536
        backuppath = /audit
        backupsize = 0
        bincompact = off

# refresh -s syslogd
0513-095 The request for subsystem refresh was completed successfully.
# audit start
** auditing enabled already
Invalid argument
#

Please, if you have a good background in this topic, let's have a Skype call.


Moderator's Comment: Please use CODE tags as required by forum rules!

Last edited by RudiC; 12-06-2018 at 06:18 AM.. Reason: Added CODE tags.
# 4  
Hi,

I think that you need to set the count to your logger command or remove the count switch.

Code:
/usr/sbin/auditstream | /usr/sbin/auditselect -m -e "command != logger && command != auditstream && command != auditpr && command != auditselect"|auditpr -t0 -h eclrRdi -v |sed -e :a -e '$!N;s/\n / /;ta' -e 'P;D'| /usr/bin/logger -p local0.debug -r &

Should read:

Code:
/usr/sbin/auditstream | /usr/sbin/auditselect -m -e "command != logger && command != auditstream && command != auditpr && command != auditselect"|auditpr -t0 -h eclrRdi -v |sed -e :a -e '$!N;s/\n / /;ta' -e 'P;D'| /usr/bin/logger -p local0.debug &

or

Code:
/usr/sbin/auditstream | /usr/sbin/auditselect -m -e "command != logger && command != auditstream && command != auditpr && command != auditselect"|auditpr -t0 -h eclrRdi -v |sed -e :a -e '$!N;s/\n / /;ta' -e 'P;D'| /usr/bin/logger -p local0.debug -r nn &

Where nn is an integer from 1 to 1000.

Hope that this helps.

Regards

Gull04
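The two checks that come up in this thread (post #2: the audit config must have binmode = off and streammode = on; post #4: the logger call in streamcmds should not carry -r without a count) are easy to script so they can be re-run after each change instead of eyeballed. The script below is an added example, not code from the thread or from IBM. It assumes nothing beyond POSIX sh, awk and sed; the file paths /etc/security/audit/config and /etc/security/audit/streamcmds are the ones already named in the thread, the regex-based -r detection follows post #4's advice, and the sample files, the scratch directory and the retry count of 3 are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not code from the thread): pre-flight checks for the two
# points raised above before expecting AIX audit events in QRadar:
#   1. the start: stanza of the audit config has binmode = off and
#      streammode = on (post #2);
#   2. no streamcmds line has a logger call with "-r" and no count (post #4).
# Each check takes a file path, so on an AIX host it can be pointed at
# /etc/security/audit/config and /etc/security/audit/streamcmds; below it
# runs against constructed copies written to a scratch directory.

# check_stream_mode CONFIGFILE
# Exit status 0 only when the start: stanza has binmode = off and
# streammode = on. Settings in other stanzas (bin:, stream:, classes:)
# are ignored, so an entry under bin: can never satisfy the test.
check_stream_mode() {
    awk '
        /^[ \t]*[A-Za-z]+:/                      { stanza = $1 }   # stanza header
        stanza == "start:" && $1 == "binmode"    { b = tolower($3) }
        stanza == "start:" && $1 == "streammode" { s = tolower($3) }
        END { exit !(b == "off" && s == "on") }
    ' "$1"
}

# check_logger_retry STREAMCMDS
# Prints each line where a logger call has -r followed by no integer (the
# form post #4 advises against); exit status 1 if any such line exists.
check_logger_retry() {
    awk '
        /logger.*-r[ \t]*$/ || /logger.*-r[ \t]*[^0-9 \t]/ {
            print "line " NR ": logger -r without a count"
            bad = 1
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

WORK="${TMPDIR:-/tmp}/audit_check.$$"
mkdir -p "$WORK"
cleanup_samples() { rm -rf "$WORK"; }   # call when finished with the samples

# Constructed config: the start: values from post #3 plus a bin: stanza
# whose entries must not be mistaken for start: settings.
GOOD_CONFIG="$WORK/config.good"
cat > "$GOOD_CONFIG" <<'EOF'
start:
        binmode = off
        streammode = on

bin:
        trail = /audit/trail
        binsize = 10240
EOF

# Constructed config with the two modes reversed (bin mode only).
BAD_CONFIG="$WORK/config.bad"
cat > "$BAD_CONFIG" <<'EOF'
start:
        binmode = on
        streammode = off
EOF

# streamcmds exactly as posted in #3; the third line has the bare -r.
STREAMCMDS_ORIG="$WORK/streamcmds.orig"
cat > "$STREAMCMDS_ORIG" <<'EOF'
/usr/sbin/auditstream | auditpr -v > /audit/stream.out&
/usr/sbin/auditstream | auditpr -h eclrRdi | /usr/bin/logger -p local0.debug&
/usr/sbin/auditstream | /usr/sbin/auditselect -m -e "command != logger && command != auditstream && command != auditpr && command != auditselect"|auditpr -t0 -h eclrRdi -v |sed -e :a -e '$!N;s/\n / /;ta' -e 'P;D'| /usr/bin/logger -p local0.debug -r &
EOF

# The same file with a count supplied, as post #4 suggests (3 is arbitrary).
STREAMCMDS_FIXED="$WORK/streamcmds.fixed"
sed 's/-r &$/-r 3 \&/' "$STREAMCMDS_ORIG" > "$STREAMCMDS_FIXED"

for f in "$GOOD_CONFIG" "$BAD_CONFIG"; do
    if check_stream_mode "$f"; then
        echo "$f: streammode on, binmode off"
    else
        echo "$f: not in stream mode, streamcmds will not be run"
    fi
done
for f in "$STREAMCMDS_ORIG" "$STREAMCMDS_FIXED"; do
    if check_logger_retry "$f"; then
        echo "$f: logger invocations OK"
    else
        echo "$f: fix the logger -r usage reported above"
    fi
done
```

On a real host, run check_stream_mode /etc/security/audit/config and check_logger_retry /etc/security/audit/streamcmds after editing, then audit shutdown and audit start, since the running daemon does not pick up config changes by itself (the "auditing enabled already" message in post #3 is the symptom of starting it twice). Call cleanup_samples to remove the scratch directory when done with the samples.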