QRadar

Buffering of logs comming from AIX Audit Subsystem

  • 1.  Buffering of logs comming from AIX Audit Subsystem

    Posted 11 days ago
    Hello everyone, 

    We were experiencing problems receiving logs from AIX Audit subsystem as the configuration included in the QRadar DSM Configuration Guide was not working properly.

    The problem we experienced is that the logs were not sent to the Event Collector until we stop / restart the AIX Audit Subsystem, because the configuration was, and I don't know why, buffering the logs in memory.

    The DSM Configuration Guide (page 536 of September 2019) request to modify the file '/etc/security/audi/streamcmds' adding the following line:

    /usr/sbin/auditstream | /usr/sbin/auditselect -m -e "command != logger &&
    command != auditstream && command != auditpr && command != auditselect"|
    auditpr -t0 -h eclrRdi -v |sed -e :a -e '$!N;s/\n / /;ta' -e
    'P;D'| /usr/bin/logger -p local0.debug -r &

    Instead this line you should use this one (the problem is in the sed command):

    /usr/sbin/auditstream | /usr/sbin/auditselect -m -e "command != logger &&
    command != auditstream && command != auditpr && command != auditselect"|
    auditpr -t0 -h eclrRdi -v |awk -u 'NR%2{printf "%s ",$0;next}{print;}' | /usr/bin/logger -p local0.debug -r & 


    The APAR in AIX (TS002293171) is closed, and I have requested to route it to QRadar team to update the DSM Configuration Guide.

    Best regards, 


    ------------------------------
    José Luis Otones Solla
    ------------------------------