Just some quick notes you might find interesting:
We had lots of content built on the way that ArcSight AIX SmartConnector was parsing.
The provided parser above works, but mostly puts everything in additional data fields.
So if you don't care about backward compatibility, this is great.
What's nice about this parser is that it supports EVERY auditpr verb (452) where ArcSight AIX parser only supported 228 of them (last March at least).
I ended up using a modified flex, comprising the 228 verbs of ArcSight AIX parser + the missing ones supported above + adjustments for the AIX non-standard format.
And to support the MESSAGE FORWARDED FROM, we had to send every AIX log to rsyslog, which has the pmaixforwardedfrom parsing module which reformats the message as normal rfc3164 before sending it to our newly built flex.
If you use the perljoiner script AND use stock syslogd on AIX, make sure you encapsulate within an eval() the call to syslog.
If you shut down syslogd, the perljoiner script will crash and you will need to restart auditpr as well.
A sleep of a few seconds (20-30) in that case greatly helps.
I plan to eventually document the setup required but am currently missing the time to do so.
Best of luck,
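An added example (Python, not the perljoiner script from the post) of the protective wrapping described above: the syslog hand-off sits inside try/except instead of eval(), and the 20-30 second pause becomes a bounded retry. The sender is a constructed stand-in that fails for a configurable number of calls to simulate a stopped syslogd; the sleep function is injectable so the behaviour can be exercised without waiting.

```python
"""Constructed example: a joiner's syslog hand-off that survives a stopped
syslogd. Not the thread's perljoiner; the names here are this example's own."""
import time
from typing import Callable, Dict, List, Tuple


def forward_with_retry(send: Callable[[str], None], record: str,
                       retries: int = 3, delay: float = 20.0,
                       sleep: Callable[[float], None] = time.sleep) -> bool:
    """Hand one joined audit record to `send`.

    Instead of dying when the syslog daemon is down (the perljoiner crash
    the post describes), catch the failure, pause `delay` seconds and try
    again, at most `retries` more times. Returns True once the record is
    accepted, False if every attempt failed; it never raises."""
    for attempt in range(retries + 1):
        try:
            send(record)
            return True
        except OSError:
            if attempt == retries:
                return False
            sleep(delay)
    return False


def make_flaky_sender(fail_times: int) -> Tuple[Callable[[str], None], Dict[str, object]]:
    """Constructed stand-in for a syslog hand-off: raises OSError for the
    first `fail_times` calls (syslogd not running), then accepts records.
    Returns the sender and a state dict recording calls and accepted records."""
    state: Dict[str, object] = {"calls": 0, "sent": []}
    sent: List[str] = state["sent"]  # type: ignore[assignment]

    def send(record: str) -> None:
        state["calls"] = int(state["calls"]) + 1  # type: ignore[arg-type]
        if int(state["calls"]) <= fail_times:  # type: ignore[arg-type]
            raise OSError("syslogd not running")
        sent.append(record)

    return send, state


if __name__ == "__main__":
    send, state = make_flaky_sender(2)
    ok = forward_with_retry(send, "PROC_Create=fork() succeeded", delay=0.0)
    print("delivered:", ok, "after", state["calls"], "attempts")
```

Leaving `delay` at its 20 second default gives the daemon time to come back after a restart; set `retries` to whatever matches how long you are willing to hold records before dropping them, and log the False return so silent loss does not go unnoticed.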
Do you have the feature request # for getting AIX added to the standard syslog connector?
I would like to add my voice to the list of customers wanting this ability.
It looks like this flex cannot be downloaded. If I click to download the file flexagent.zip, an error message appears:
An general error occurred while processing your request.
I am on vacation, checking my mail at random.
I can post it again in a few days.
Poke me next Tuesday if I forgot.
Plus I saw that a smart can now eliminate the aix syslogd header without going to rsyslog first.
Hi to all.
If anyone is interested, there is a slightly different approach.
I use aix syslog daemon to forward audit logs to the linux server (rsyslogd or whatever), to the specific file.
And then I parse that file by the flexconnector.
The benefit is that I do not use any additional self-developed components like perl/sh/python scripts etc.
Only standard means: aix system utils, syslog and flexconnector functionality.
Scripting is always great but if I can avoid it without loss - I try to avoid it.
I couldn't come up with anything better than a parser chain (main flex + extraprocessor).
1. aixaudit.sdkrfilereader parses messages from aix (which we forward to the file) and looks for ssh authentications (submessage0) and audit messages (submessage1). Audit messages go in 2 lines with definite format so I can use multiline parsing.
Sshd messages are single line so we need parameter multiline.singleline.nowaiting=True.
2. the whole audit message is turned into the string <audit class>=<message>, where audit class is AIX audit type (PROC_Create, TCPIP_config etc) and message is an audit string (something like 'audit object read event detected /etc/security/passwd').
3. that string is stored in the field flexString1 and flexString1 is parsed by the extraprocessor aixaudmsg.sdkrfilereader.
4. aixaudmsg.sdkrfilereader tries to parse all aix audit types. Big thanks to for the great job of turning aix audit documentation into the submessages. Saved a couple of hours for me.
I've tuned submessages a little for my customer: corrected some regular expressions which were originally wrong in the aix documentation and mapped useful messages to the main arcsight event schema instead of additional data.
Also I've come up with the categorization file, but it's a bit subjective. Though I believe it's a good start anyway.
Configs are attached:
aixaudit.sdkrfilereader.properties, aixaudmsg.sdkrfilereader.properties and aix.csv (goes into acp/categorizer/current/ibm).
Five months in work - so far so good.
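An added example (Python, not the poster's aixaudit.sdkrfilereader / aixaudmsg.sdkrfilereader properties) that walks through the parser chain described in steps 1-4 above in plain code: strip the AIX "Message forwarded from <host>:" header (the job rsyslog's pmaixforwardedfrom does in the earlier post), pass single-line sshd messages through as soon as they are read (the multiline.singleline.nowaiting=True behaviour), hold a two-line audit record until its second line arrives, and turn the pair into the `<audit class>=<message>` string the main flex stores in flexString1 for the extraprocessor to split. The sample lines, the exact two-line audit layout and the regexes are constructed for this example and are not the real auditpr output format; an audit head whose tail never arrives is emitted as an incomplete record rather than dropped.

```python
"""Constructed example of the two-stage parse described in the post.
Sample lines and the audit line layout are made up for illustration."""
import re
from typing import Dict, Iterable, Iterator, Optional, Tuple

# AIX syslogd prefixes relayed messages with "Message forwarded from <host>:".
FORWARDED = re.compile(r"^(?:<\d+>)?Message forwarded from (\S+?):\s*(.*)$")
# Constructed audit layout: line 1 carries class, user and status; line 2 the detail.
AUDIT_HEAD = re.compile(r"^auditpr: (?P<cls>[A-Z]+_[A-Za-z_]+) (?P<user>\S+) (?P<status>OK|FAIL)$")
AUDIT_TAIL = re.compile(r"^auditpr:\s+(?P<detail>.+)$")
# Single-line sshd authentication messages (submessage0 in the post).
SSHD = re.compile(r"^sshd\[\d+\]: (?P<msg>(?:Accepted|Failed) \S+ for \S+ from \S+)")

# Constructed sample stream: one sshd line, then two two-line audit records.
SAMPLE = [
    "<38>Message forwarded from aixhost1: sshd[4242]: Accepted publickey for root from 10.0.0.5 port 51234 ssh2",
    "<13>Message forwarded from aixhost1: auditpr: FILE_Open root OK",
    "<13>Message forwarded from aixhost1: auditpr: audit object read event detected /etc/security/passwd",
    "<13>Message forwarded from aixhost1: auditpr: PROC_Create root OK",
    "<13>Message forwarded from aixhost1: auditpr: fork() succeeded pid 12345",
]


def strip_forwarded(line: str) -> Tuple[Optional[str], str]:
    """Return (relay_host, message). Host is None for a plain RFC3164 line."""
    m = FORWARDED.match(line)
    if not m:
        return None, line
    return m.group(1), m.group(2)


def _audit_event(head: Dict[str, Optional[str]], detail: str) -> Dict[str, object]:
    """Step 2 of the post: the record becomes '<audit class>=<message>'."""
    return {"type": "audit", "host": head["host"], "user": head["user"],
            "status": head["status"], "complete": bool(detail),
            "flexString1": f"{head['cls']}={detail}"}


def parse_stream(lines: Iterable[str]) -> Iterator[Dict[str, object]]:
    """Stage 1 (the main flex): sshd lines are emitted immediately; an audit
    head is held until its tail line, then the pair is one event. A head
    with no tail is emitted with complete=False instead of being lost."""
    pending: Optional[Dict[str, Optional[str]]] = None
    for raw in lines:
        host, msg = strip_forwarded(raw)
        head = AUDIT_HEAD.match(msg)
        if head:
            if pending is not None:          # previous record never got its tail
                yield _audit_event(pending, "")
            pending = dict(head.groupdict(), host=host)
            continue
        if pending is not None:
            tail = AUDIT_TAIL.match(msg)
            if tail:
                yield _audit_event(pending, tail.group("detail"))
                pending = None
                continue
            yield _audit_event(pending, "")  # something else interrupted the pair
            pending = None
        ssh = SSHD.match(msg)
        if ssh:
            yield {"type": "sshd", "host": host, "message": ssh.group("msg")}
    if pending is not None:
        yield _audit_event(pending, "")


def split_class_message(flex_string1: str) -> Tuple[str, str]:
    """Stage 2 (the extraprocessor): split flexString1 back into the audit
    class and the message so the class can drive categorization."""
    cls, _, message = flex_string1.partition("=")
    return cls, message


if __name__ == "__main__":
    for event in parse_stream(SAMPLE):
        print(event)
```

The `complete` flag is the part worth carrying into a real connector: a two-line record that arrives split across a connector restart, or interleaved with another source, is exactly the "events cut in two lines" symptom, and surfacing it as an incomplete event makes the gap visible in the logger instead of silently merging the wrong lines.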
I just have a query on AIX audit logs. I have forwarded my AIX audit logs to syslog and logs are passing from connector to Arcmc and even logs are stored in logger as well. In logger and Arcmc we see AIX events cut in two lines and it looks like parsing is not being properly mapped. Can you please help me with what the exact issue could be?