AIX

  • 1.  AIX logging to a qradar device

    Posted Tue December 10, 2013 04:12 PM

    Originally posted by: deesk


    I have set up auditing on one of my AIX test machines to send certain commands to /etc/syslog.conf. One of the things I want to monitor is the creation of a local user via the command line (mkuser) or by smit. I have altered my /etc/syslog.conf file with an entry of *.debug    /tmp/syslog.out and we use an appliance called QRadar to monitor my syslog output. I am having trouble getting these commands to go to the device from the /etc/syslog.conf file. Has anyone configured auditing and syslog to monitor these activities? If there is another method to achieve this, any info would be great. I am open to other means to see this output, maybe some type of logger server?

     




  • 2.  Re: AIX logging to a qradar device

    Posted Mon December 16, 2013 11:56 AM

    Originally posted by: GarlandJoseph


    A lot of folks use syslog-ng in place of AIX syslog.  This will allow you to send the syslog to a centralized syslog server.




  • 3.  Re: AIX logging to a qradar device

    Posted Thu September 11, 2014 08:56 AM

    Originally posted by: ShashwatSharma


    Even if you enable AIX auditing, you will not get account management events, irrespective of the syslog daemon you use. There are different audit configuration files where changes need to be made to get account management logs. Also check whether auditing is enabled for all users or only for root.

     


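The check suggested in the last reply, as an added example that is not part of the original thread: it reads an audit config and reports whether stream mode is on and which users are audited for a given event. It assumes the stock stanza layout of /etc/security/audit/config and USER_Create as the event raised by mkuser; the function names and the sample config are constructed for illustration.

```shell
# Added example (not from the thread). Assumes the stock stanza layout of
# /etc/security/audit/config: "start:", "classes:" and "users:" stanzas.
# Constructed sample config, not taken from a real host.
sample_config() {
cat <<'EOF'
start:
        streammode = off
classes:
        general = USER_SU,PASSWORD_Change
        accounts = USER_Create,USER_Remove,USER_Change
users:
        root = general,accounts
        default = general
EOF
}

# Reads a config on stdin; $1 is the audit event to look for.
# Prints: stream=<on|off> users=<who is audited for it> default_covered=<yes|no>
check_audit_config() {
    awk -v ev="$1" '
    /^[ \t]*$/ || /^[ \t]*\*/ { next }            # blank lines and "*" comments
    /^[ \t]*[A-Za-z]+:[ \t]*$/ { stanza = $1; sub(/:$/, "", stanza); next }
    {
        line = $0; gsub(/[ \t]/, "", line)
        eq = index(line, "="); if (!eq) next
        key = substr(line, 1, eq - 1); val = substr(line, eq + 1)
        if (stanza == "start" && key == "streammode") stream = val
        else if (stanza == "classes") {           # which classes contain the event
            n = split(val, evs, ",")
            for (i = 1; i <= n; i++) if (evs[i] == ev) hit[key] = 1
        }
        else if (stanza == "users") { order[++nu] = key; ucls[key] = val }
    }
    END {                                         # resolve users once all classes are known
        for (u = 1; u <= nu; u++) {
            n = split(ucls[order[u]], cls, ",")
            for (i = 1; i <= n; i++) if (cls[i] in hit) {
                users = users (users ? "," : "") order[u]
                if (order[u] == "default") dflt = "yes"
                break
            }
        }
        printf "stream=%s users=%s default_covered=%s\n", (stream ? stream : "off"), (users ? users : "none"), (dflt ? dflt : "no")
    }'
}

if [ -n "${1:-}" ]; then check_audit_config USER_Create < "$1"
else sample_config | check_audit_config USER_Create; fi
```

On the constructed sample this reports stream mode off and only root covered, the two conditions the reply says to check before looking at the syslog side.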