Solved: Re: AIX syslog flexconnector - Page 2 - Micro Focus Community

lless · ‎2013-10-18

Hello, i develop flexconnector for aix audit event with syslog.

All the additional information listed in the additionaldata1-10. If need, you may map this field depending on EventClassId.

Configure the mapping for type 451 - no way.

DanyK7 · ‎2014-10-21

Just qsome quick notes you might find interesting:

We had lots of content build on the way that ArcSight AIX SmartConnector was parsing.

The provided parser above works, but mostly puts everything in additionnal data fields.

So if you dont care about backward compatibility, this is great.

What nice about this parser is that is supports EVERY auditpr verbs (452) where ArcSight AIX parser only supported 228 of them (last march at least).

I ended up using a modified flex. comprising of the 228 verbs of ArcSight AIX parser + the missing ones supported above + adjusment for the AIX non-standard format.

And to support the MESSAGE FORWARDED FROM, we had to send evey AIX log to rsyslog, which has the pmaixforwardedfrom parsing module which reformats the message as normal rfc3164 before sending it to our newly build flex.

If you use the perljoiner script AND use stock syslogd on AIX, make sure you encapsulate within an eval() the call to syslog.

If you shutdown syslogd, the perljoiner script will crash and you will need to restart auditpr as well.

A sleep of a few seconds (20-30) in that case greatly helps.

I plan to eventually document the setup required but currently missing the time to do so.

Best of luck,

Dany

Carl_E · ‎2014-10-21

Steven,

Do you have the feature request # for getting AIX added to the standard syslog connector?

I would like to add my voice to the list of customers wanting this ability.

Thanks!

bezchleba@axent1 · ‎2015-07-03

Hello,

It looks like, that this flex cannot be downloaded. If I click to download file flexagent.zip, error message appear:

Error
An general error occurred while processing your request.

Joseph

DanyK7 · ‎2015-07-03

I am on vacation, checking my mail at random.

I can post it again in a few days.

Poke me next tuesday if I forgot.

Plus I saw that a smart can now eliminate the aix syslogd header without going to rsyslog first.

lless · ‎2015-07-04

If need, i may send actual version in e-mail. Write PM with you mail.

lless · ‎2015-07-04

And i find error in flex. If hostaname contain "-" parser work incorrectly.

depogr1 · ‎2015-07-21

Hi to all.
If anyone interested there is slightly different approach.
I use aix syslog daemon to forward audit logs to the linux server (rsyslogd or whatever), to the specific file.
And then I parse that file by the flexconnector.

The benefit is that I do not use any additional self-developed components like perl/sh/python scripts etc.
Only standard means: aix system utils, syslog and flexconnector functionality.
Scripting is always great but if I can avoid it without loss - I try to avoid it.

I couldn't come up with anything better than a parser chain (main flex + extraprocessor).

Flexconnector logic:

1. aixaudit.sdkrfilereader parses messages from aix (which we forward to the file) and looks for ssh authentications (submessage0) and audit messages (submessage1). Audit messages go in 2 lines with definite format so I can use multiline parsing.

Sshd messages are single line so we need parameter multiline.singleline.nowaiting=True.
2. the whole audit message is turned into the string <audit class>=<message>, where audit class is AIX audit type (PROC_Create, TCPIP_config etc) and message is an audit string (something like 'audit object read event detected /etc/security/passwd').

3. that string is stored in the field flexString1 and flexString1 is parsed by the extraprocessor aixaudmsg.sdkrfilereader.
4. aixaudmsg.sdkrfilereader tries to parse all aix audit types. Big thanks to for the great job of turning aix audit documentation into the submessages. Saved a couple of hours for me .

I've tuned submessages a little for my customer: corrected some regular expressions which were originally wrong in the aix documentation and mapped useful messages to the main arcsight event schema instead of additional data.

Also I've come up with the categorization file, but It's a bit subjective. Though I believe it's a good start anyway.

Configs are attached:

aixaudit.sdkrfilereader.properties, aixaudmsg.sdkrfilereader.properties and aix.csv (goes into acp/categorizer/current/ibm).

Five month in work - so far so good.

View solution in original post

RameshP · ‎2018-03-09

Hi,
I just have a query on AIX audit logs. I have forwarded my AIX audit logs to syslog and logs are passing from connector to Arcmc and even logs are stored in logger as well. In logger and Arcmc we see AIX events cuts in two lines and it looks like parsing is not being properly mapped. Can you please help me what can be an exact issue?

anwarrhce1 · ‎2015-07-25

I have created a feature request for the same so that we can push HP to make AIX integration using Syslog. Fully Supported !! If you think it should be taken care by HP then please vote.

thoman · ‎2015-07-29

PM, can you send to me? thomanfoong@gmail.com

AIX syslog flexconnector

FlexConnector

Smart Connector