Fleet Admiral

AIX syslog flexconnector


Hello, I developed a flexconnector for AIX audit events sent via syslog.

All the additional information is listed in additionaldata1-10. If needed, you may map these fields depending on EventClassId.

Configuring the mapping for 451 types - no way.

Vice Admiral

Just some quick notes you might find interesting:

We had lots of content built on the way the ArcSight AIX SmartConnector was parsing.

The parser provided above works, but mostly puts everything in additional data fields.

So if you don't care about backward compatibility, this is great.

What's nice about this parser is that it supports EVERY auditpr verb (452), where the ArcSight AIX parser only supported 228 of them (as of last March at least).

I ended up using a modified flex comprising the 228 verbs of the ArcSight AIX parser + the missing ones supported above + adjustments for the AIX non-standard format.

And to support the MESSAGE FORWARDED FROM, we had to send every AIX log to rsyslog, which has the pmaixforwardedfrom parsing module that reformats the message as normal RFC 3164 before sending it to our newly built flex.

If you use the perljoiner script AND use the stock syslogd on AIX, make sure you encapsulate the call to syslog within an eval().

If you shut down syslogd, the perljoiner script will crash and you will need to restart auditpr as well.

A sleep of a few seconds (20-30) in that case greatly helps.

I plan to eventually document the setup required but am currently missing the time to do so.

Best of luck,

Dany

Commodore

Steven,

Do you have the feature request # for getting AIX added to the standard syslog connector?

I would like to add my voice to the list of customers wanting this ability.

Thanks!

Hello,

It looks like this flex cannot be downloaded. If I click to download the file flexagent.zip, an error message appears:

Error
An general error occurred while processing your request.

Joseph

Vice Admiral

I am on vacation, checking my mail at random.

I can post it again in a few days.

Poke me next Tuesday if I forget.

Plus I saw that a SmartConnector can now eliminate the AIX syslogd header without going to rsyslog first.

Fleet Admiral

If needed, I can send the current version by e-mail. Send me a PM with your mail address.

Fleet Admiral

And I found an error in the flex. If the hostname contains "-", the parser works incorrectly.

Absent Member.

Hi to all.
If anyone is interested, there is a slightly different approach.
I use the AIX syslog daemon to forward audit logs to a Linux server (rsyslogd or whatever), into a specific file.
And then I parse that file with the flexconnector.

The benefit is that I do not use any additional self-developed components like perl/sh/python scripts etc.
Only standard means: AIX system utils, syslog and flexconnector functionality.
Scripting is always great, but if I can avoid it without loss, I try to avoid it.

I couldn't come up with anything better than a parser chain (main flex + extraprocessor).

Flexconnector logic:

1. aixaudit.sdkrfilereader parses messages from AIX (which we forward to the file) and looks for ssh authentications (submessage0) and audit messages (submessage1). Audit messages come in 2 lines with a definite format, so I can use multiline parsing. Sshd messages are single line, so we need the parameter multiline.singleline.nowaiting=True.
2. The whole audit message is turned into the string <audit class>=<message>, where audit class is the AIX audit type (PROC_Create, TCPIP_config etc.) and message is an audit string (something like 'audit object read event detected /etc/security/passwd').
3. That string is stored in the field flexString1, and flexString1 is parsed by the extraprocessor aixaudmsg.sdkrfilereader.
4. aixaudmsg.sdkrfilereader tries to parse all AIX audit types. Big thanks to for the great job of turning the AIX audit documentation into the submessages. Saved a couple of hours for me.

I've tuned the submessages a little for my customer: corrected some regular expressions which were originally wrong in the AIX documentation and mapped useful messages to the main ArcSight event schema instead of additional data.

Also I've come up with a categorization file, but it's a bit subjective. Though I believe it's a good start anyway.

Configs are attached:

aixaudit.sdkrfilereader.properties, aixaudmsg.sdkrfilereader.properties and aix.csv (goes into acp/categorizer/current/ibm).

Five months in operation - so far so good.

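The parser chain described in this answer, as an added illustration in Python (not the poster's .properties files or any ArcSight code): stage 1 joins each two-line audit record into the `<class>=<message>` string in flexString1 and passes sshd lines through as single-line events; stage 2 splits that string and applies a per-class submessage, leaving unmapped classes in additionaldata1. The syslog/auditpr line layout, the sample lines and the submessage patterns are constructed assumptions, and the hostname pattern accepts "-" (the bug reported earlier in the thread).

```python
import re

# Constructed sample input (not from the thread): syslog lines as an AIX host might
# forward them. The auditpr record layout is an assumption; real output differs.
SAMPLE = """\
Jun 10 12:00:01 aix-host-01 auditpr: PROC_Create root OK Wed Jun 10 12:00:01 2015 ksh
Jun 10 12:00:01 aix-host-01 auditpr:         fork() process 12345 parent 100
Jun 10 12:00:02 aix-host-01 sshd[4242]: Accepted password for alice from 10.0.0.5 port 51234 ssh2
Jun 10 12:00:03 aix-host-01 auditpr: FILE_Open alice FAIL Wed Jun 10 12:00:03 2015 cat
Jun 10 12:00:03 aix-host-01 auditpr:         audit object read event detected /etc/security/passwd
Jun 10 12:00:04 aix-host-01 auditpr: TCPIP_config root OK Wed Jun 10 12:00:04 2015 ifconfig
Jun 10 12:00:04 aix-host-01 auditpr:         interface en0 up
""".splitlines()
# Host class is [\w.-] so a hostname such as aix-host-01 parses (the hyphen bug noted above).
HEADER = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>[\w.-]+) (?P<prog>\S+?)(\[\d+\])?: (?P<msg>.*)$")
AUDIT_HEAD = re.compile(r"^(?P<cls>[A-Z]+_\w+) (?P<user>\S+) (?P<status>OK|FAIL) ")
SSH = re.compile(r"^(?P<result>Accepted|Failed) (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+)")
# Per-class "submessages" standing in for aixaudmsg.sdkrfilereader (assumed patterns).
SUBMESSAGES = {
    "PROC_Create": re.compile(r"fork\(\) process (?P<pid>\d+) parent (?P<ppid>\d+)"),
    "FILE_Open": re.compile(r"audit object (?P<access>\w+) event detected (?P<path>\S+)"),
}

def main_parser(lines):
    # Stage 1 (aixaudit.sdkrfilereader): sshd lines are single-line events; the two
    # lines of an audit record are joined into '<class>=<message>' in flexString1.
    events, pending = [], None
    for line in lines:
        m = HEADER.match(line)
        if not m:
            continue
        host, prog, msg = m["host"], m["prog"], m["msg"]
        if prog == "sshd":
            s = SSH.match(msg)
            if s:
                events.append({"host": host, "type": "ssh", **s.groupdict()})
        elif (a := AUDIT_HEAD.match(msg)):  # first line of an audit record
            pending = {"host": host, "type": "audit", **a.groupdict()}
        elif pending:  # second line completes the record
            pending["flexString1"] = f"{pending['cls']}={msg.strip()}"
            events.append(pending)
            pending = None
    return events

def extraprocessor(event):
    # Stage 2 (aixaudmsg.sdkrfilereader): split flexString1 on '=' and apply the class
    # submessage; classes without one keep the raw text in additionaldata1.
    if "flexString1" in event:
        cls, _, message = event["flexString1"].partition("=")
        m = SUBMESSAGES[cls].search(message) if cls in SUBMESSAGES else None
        event.update(m.groupdict() if m else {"additionaldata1": message})
    return event

def parse(lines):
    return [extraprocessor(e) for e in main_parser(lines)]
```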
Cadet 1st Class
Hi,
I just have a query on AIX audit logs. I have forwarded my AIX audit logs to syslog, and the logs are passing from the connector to ArcMC, and they are even stored in Logger as well. In Logger and ArcMC we see AIX events cut into two lines, and it looks like the parsing is not being mapped properly. Can you please help me with what the exact issue could be?
Cadet 2nd Class

I have created a feature request for the same so that we can push HP to make AIX integration using syslog fully supported!! If you think it should be taken care of by HP then please vote.

Cadet 2nd Class

PM, can you send it to me? thomanfoong@gmail.com
