- play_arrow Event Collection from Third-party Devices
- play_arrow Introduction to Log Source Management
- Introduction to Log Source Management
- Adding a Log Source
- Adding a Log Source by using the Log Sources Icon
- Adding Bulk Log Sources
- Adding Bulk Log Source by using the Log Sources Icon
- Editing Bulk Log Sources
- Editing Bulk Log Sources by using the Log Sources icon
- Adding a Log Source Parsing Order
- Testing Log Sources
- Log Source Groups
- play_arrow Gateway Log Source
- play_arrow Log Source Extensions
- play_arrow Manage Log Source Extensions
- play_arrow Threat Use Cases by Log Source Type
- play_arrow Troubleshooting DSMs
- play_arrow Protocols
- play_arrow Universal Cloud REST API Protocol
- play_arrow Protocols that Support Certificate Management
- play_arrow 3Com Switch 8800
- play_arrow AhnLab Policy Center
- play_arrow Akamai KONA
- Akamai Kona
- Configure an Akamai Kona Log Source by using the HTTP Receiver Protocol
- Configure an Akamai Kona Log Source by using the Akamai Kona REST API Protocol
- Configuring Akamai Kona to Communicate with JSA
- Creating an Event Map for Akamai Kona Events
- Modifying the Event Map for Akamai Kona
- Akamai Kona Sample Event Messages
- play_arrow Amazon AWS Application Load Balancer Access Logs
- Amazon AWS Application Load Balancer Access Logs
- Amazon AWS Application Load Balancer Access Logs DSM Specifications
- Publishing Flow Logs to an S3 Bucket
- Create an SQS Queue and Configure S3 ObjectCreated Notifications
- Configuring Security Credentials for your AWS User Account
- Amazon AWS S3 REST API Log Source Parameters for Amazon AWS Application Load Balancer Access Logs
- Amazon AWS Application Load Balancer Access Logs Sample Event Message
- play_arrow Amazon AWS CloudTrail
- play_arrow Amazon AWS Elastic Kubernetes Service
- Amazon AWS Elastic Kubernetes Service
- Amazon AWS Elastic Kubernetes Service DSM Specifications
- Configuring Amazon Elastic Kubernetes Service to Communicate with JSA
- Configuring Security Credentials for your AWS User Account
- Amazon Web Services Log Source Parameters for Amazon AWS Elastic Kubernetes Service
- Amazon AWS Elastic Kubernetes Service Sample Event Messages
- play_arrow Amazon AWS Network Firewall
- Amazon AWS Network Firewall
- Amazon AWS Network Firewall DSM Specifications
- Create an SQS Queue and Configure S3 ObjectCreated Notifications
- Configuring Security Credentials for Your AWS User Account
- Amazon AWS S3 REST API Log Source Parameters for Amazon AWS Network Firewall
- AWS Network Firewall Sample Event Messages
- play_arrow Amazon AWS Route 53
- Amazon AWS Route 53
- Amazon AWS Route 53 DSM Specifications
- Configuring an Amazon AWS Route 53 Log Source by using the Amazon Web Services Protocol and CloudWatch Logs
- Configuring an Amazon AWS Route 53 Log Source by using an S3 Bucket with an SQS Queue
- Configuring an Amazon AWS Route 53 Log Source by using an S3 Bucket with a Directory Prefix
- Amazon AWS Route 53 Sample Event Messages
- play_arrow Amazon AWS Security Hub
- play_arrow Amazon AWS WAF
- play_arrow Amazon GuardDuty
- Amazon GuardDuty
- Configuring an Amazon GuardDuty Log Source by using the Amazon Web Services Protocol
- Creating an EventBridge Rule for Sending Events
- Creating an Identity and Access (IAM) User in the AWS Management Console
- Configuring an Amazon GuardDuty Log Source by using the Amazon AWS S3 REST API Protocol
- Configuring Amazon GuardDuty to Forward Events to an AWS S3 Bucket
- Amazon GuardDuty Sample Event Messages
- play_arrow Ambiron TrustWave IpAngel
- play_arrow Amazon VPC Flow Logs
- play_arrow APC UPS
- play_arrow Apache HTTP Server
- play_arrow Apple Mac OS X
- play_arrow Application Security DbProtect
- play_arrow Arbor Networks
- play_arrow Arpeggio SIFT-IT
- play_arrow Array Networks SSL VPN
- play_arrow Aruba Networks
- play_arrow Avaya VPN Gateway
- play_arrow BalaBit IT Security
- play_arrow Barracuda
- play_arrow BeyondTrust PowerBroker
- play_arrow BlueCat Networks Adonis
- play_arrow Blue Coat SG
- Blue Coat
- Blue Coat SG
- Creating a Custom Event Format for Blue Coat SG
- Creating a Log Facility
- Enabling Access Logging
- Configuring Blue Coat SG for FTP Uploads
- Syslog Log Source Parameters for Blue Coat SG
- Log File Log Source Parameters for Blue Coat SG
- Configuring Blue Coat SG for Syslog
- Creating Extra Custom Format Key-value Pairs
- Blue Coat SG Sample Event Messages
- play_arrow Blue Coat Web Security Service
- play_arrow Box
- play_arrow Bridgewater
- play_arrow Broadcom
- play_arrow Brocade Fabric OS
- play_arrow Carbon Black
- play_arrow Centrify
- Centrify
- Centrify Identity Platform
- Centrify Identity Platform DSM specifications
- Configuring Centrify Identity Platform to communicate with JSA
- Centrify Infrastructure Services
- Configuring WinCollect Agent to Collect Event Logs from Centrify Infrastructure Services
- Configuring Centrify Infrastructure Services on a UNIX or Linux Device to Communicate with JSA
- play_arrow Check Point
- play_arrow Cilasoft QJRN/400
- play_arrow Cisco
- Cisco
- Cisco ACE Firewall
- Configuring Cisco Aironet to Forward Events
- Cisco ACS
- Cisco ASA
- Cisco AMP
- Cisco CallManager
- Cisco CatOS for Catalyst Switches
- Cisco Cloud Web Security
- Cisco CSA
- Cisco Firepower Management Center
- Cisco Firepower Threat Defense
- Cisco FWSM
- Cisco Identity Services Engine
- Cisco IDS/IPS
- Cisco IOS
- Cisco IronPort
- Cisco Meraki
- Cisco NAC
- Cisco Nexus
- Cisco Pix
- Cisco Stealthwatch
- Cisco Umbrella
- Cisco VPN 3000 Concentrator
- Cisco Wireless LAN Controllers
- Cisco Wireless Services Module
- play_arrow Citrix
- play_arrow Cloudera Navigator
- play_arrow Cloudflare Logs
- Cloudflare Logs
- Cloudflare Logs DSM Specifications
- Configure Cloudflare to send Events to JSA when you use the HTTP Receiver Protocol
- Configuring Cloudflare Logs to Send Events to JSA when you use the Amazon S3 REST API Protocol
- Create an SQS Queue and Configure S3 ObjectCreated Notifications
- Configuring Security Credentials for Your AWS User Account
- HTTP Receiver Log Source Parameters for Cloudflare Logs
- Amazon AWS S3 REST API Log Source Parameters for Cloudflare Logs
- Cloudflare Logs Sample Event Messages
- play_arrow CloudPassage Halo
- play_arrow CloudLock Cloud Security Fabric
- play_arrow Correlog Agent for IBM Z/OS
- play_arrow CrowdStrike Falcon
- play_arrow CRYPTOCard CRYPTO-Shield
- play_arrow CyberArk
- play_arrow CyberGuard Firewall/VPN Appliance
- play_arrow Damballa Failsafe
- play_arrow DG Technology MEAS
- play_arrow Digital China Networks (DCN)
- play_arrow Enterprise-IT-Security.com SF-Sherlock
- play_arrow Epic SIEM
- play_arrow ESET Remote Administrator
- play_arrow Exabeam
- play_arrow Extreme
- Extreme
- Extreme 800-Series Switch
- Extreme Dragon
- Extreme HiGuard Wireless IPS
- Extreme HiPath Wireless Controller
- Extreme Matrix Router
- Extreme Matrix K/N/S Series Switch
- Extreme NetSight Automatic Security Manager
- Extreme NAC
- Configuring Extreme Stackable and Stand-alone Switches
- Extreme Networks ExtremeWare
- Extreme XSR Security Router
- play_arrow F5 Networks
- play_arrow Fair Warning
- play_arrow Fasoo Enterprise DRM
- play_arrow Fidelis XPS
- play_arrow FireEye
- play_arrow Forcepoint
- play_arrow ForeScout CounterACT
- play_arrow Fortinet FortiGate
- Fortinet FortiGate Security Gateway
- Configuring a Syslog Destination on Your Fortinet FortiGate Security Gateway Device
- Configuring a Syslog Destination on Your Fortinet FortiAnalyzer Device
- Fortinet FortiGate Security Gateway Sample Event Messages
- Configuring JSA to Categorize App Ctrl Events for Fortinet Fortigate Security Gateway
- play_arrow Foundry FastIron
- play_arrow FreeRADIUS
- play_arrow Generic
- play_arrow Google Cloud Audit Logs
- play_arrow Genua Genugate
- play_arrow Google Cloud Platform Firewall
- play_arrow Google G Suite Activity Reports
- Google G Suite Activity Reports
- Google G Suite Activity Reports DSM Specifications
- Configuring Google G Suite Activity Reports to Communicate with JSA
- Assigning a Role to a User
- Creating a Service Account with Viewer Access
- Granting API Client Access to a Service Account
- Google G Suite Activity Reports Log Source Parameters
- Google G Suite Activity Reports Sample Event Messages
- Troubleshooting Google G Suite Activity Reports
- play_arrow Great Bay Beacon
- play_arrow H3C Technologies
- play_arrow HBGary Active Defense
- play_arrow HCL BigFix (formerly known as IBM BigFix)
- play_arrow Honeycomb Lexicon File Integrity Monitor (FIM)
- play_arrow Hewlett Packard Enterprise
- play_arrow Huawei
- play_arrow HyTrust CloudControl
- play_arrow ISC BIND
- play_arrow Illumio Adaptive Security Platform
- play_arrow Imperva Incapsula
- play_arrow Imperva SecureSphere
- play_arrow Infoblox NIOS
- play_arrow IT-CUBE AgileSI
- play_arrow Itron Smart Meter
- play_arrow Juniper Networks
- Juniper Networks
- Juniper Networks AVT
- Juniper Networks DDoS Secure
- Juniper Networks DX Application Acceleration Platform
- Juniper Networks EX Series Ethernet Switch
- Juniper Networks IDP
- Juniper Networks Infranet Controller
- Juniper Networks Firewall and VPN
- Juniper Networks Junos OS
- Juniper Networks Network and Security Manager
- Juniper Networks Secure Access
- Juniper Networks Security Binary Log Collector
- Juniper Networks Steel-Belted Radius
- Juniper Networks VGW Virtual Gateway
- Juniper Networks Junos OS WebApp Secure
- Juniper Networks WLC Series Wireless LAN Controller
- play_arrow Kaspersky
- play_arrow Kisco Information Systems SafeNet/i
- play_arrow Kubernetes Auditing
- play_arrow Lastline Enterprise
- play_arrow Lieberman Random Password Manager
- play_arrow LightCyber Magna
- play_arrow Linux
- play_arrow LOGbinder
- play_arrow McAfee
- play_arrow MetaInfo MetaIP
- play_arrow Microsoft
- Microsoft
- Microsoft 365 Defender
- Microsoft Azure Active Directory
- Microsoft Azure Platform
- Microsoft Azure Security Center
- Microsoft DHCP Server
- Microsoft DNS Debug
- Microsoft Endpoint Protection
- Microsoft Exchange Server
- Microsoft Hyper-V
- Microsoft IAS Server
- Microsoft IIS Server
- Microsoft ISA
- Microsoft Office 365
- Microsoft Office 365 Message Trace
- JDBC Log Source Parameters for Microsoft Operations Manager
- Microsoft SharePoint
- Microsoft SQL Server
- JDBC Log Source Parameters for Microsoft System Center Operations Manager
- Microsoft Windows Security Event Log
- play_arrow Motorola Symbol AP
- play_arrow Name Value Pair
- play_arrow NCC Group DDoS Secure
- play_arrow NetApp Data ONTAP
- play_arrow Netgate pfSense
- play_arrow Netskope Active
- play_arrow NGINX HTTP Server
- play_arrow Niksun
- play_arrow Nokia Firewall
- play_arrow Nominum Vantio
- play_arrow Nortel Networks
- Nortel Networks
- Nortel Multiprotocol Router
- Nortel Application Switch
- Nortel Contivity
- Nortel Ethernet Routing Switch 2500/4500/5500
- Nortel Ethernet Routing Switch 8300/8600
- Nortel Secure Router
- Nortel Secure Network Access Switch
- Nortel Switched Firewall 5100
- Nortel Switched Firewall 6000
- Nortel Threat Protection System (TPS)
- Nortel VPN Gateway
- play_arrow Novell EDirectory
- play_arrow Observe IT JDBC
- play_arrow Okta
- play_arrow Onapsis Security Platform
- play_arrow OpenBSD
- play_arrow Open LDAP
- play_arrow Open Source SNORT
- play_arrow OpenStack
- play_arrow Oracle
- play_arrow OSSEC
- play_arrow Palo Alto Networks
- play_arrow Pirean Access: One
- play_arrow PostFix Mail Transfer Agent
- play_arrow ProFTPd
- play_arrow Proofpoint Enterprise Protection and Enterprise Privacy
- play_arrow Pulse Secure
- play_arrow Pulse Secure Infranet Controller
- play_arrow Pulse Secure Pulse Connect Secure
- play_arrow Radware
- play_arrow Raz-Lee ISecurity
- play_arrow Redback ASE
- play_arrow Red Hat Advanced Cluster Security for Kubernetes
- Red Hat Advanced Cluster Security for Kubernetes
- Red Hat Advanced Cluster Security for Kubernetes DSM Specifications
- Configuring Red Hat Advanced Cluster Security for Kubernetes to Communicate with JSA
- HTTP Receiver Log Source Parameters for Red Hat Advanced Cluster Security for Kubernetes
- Red Hat Advanced Cluster Security for Kubernetes Sample Event Messages
- play_arrow Resolution1 CyberSecurity
- play_arrow Riverbed
- play_arrow RSA Authentication Manager
- play_arrow SafeNet DataSecure
- play_arrow Salesforce
- play_arrow Samhain Labs
- play_arrow SAP Enterprise Threat Detection
- SAP Enterprise Threat Detection
- SAP Enterprise Threat Detection DSM Specifications
- SAP Enterprise Threat Detection Alert API Log Source Parameters for SAP Enterprise Threat Detection
- Creating a Pattern Filter on the SAP Server
- Troubleshooting the SAP Enterprise Threat Detection Alert API
- SAP Enterprise Threat Detection Sample Event Message
- play_arrow Seculert
- play_arrow Sentrigo Hedgehog
- play_arrow SolarWinds Orion
- play_arrow SonicWALL
- play_arrow Sophos
- play_arrow Sourcefire Intrusion Sensor
- play_arrow Splunk
- play_arrow Squid Web Proxy
- play_arrow SSH CryptoAuditor
- play_arrow Starent Networks
- play_arrow STEALTHbits
- play_arrow Sun
- play_arrow Suricata
- play_arrow Sybase ASE
- play_arrow Symantec
- play_arrow SysFlow
- play_arrow ThreatGRID Malware Threat Intelligence Platform
- play_arrow TippingPoint
- play_arrow Top Layer IPS
- play_arrow Townsend Security LogAgent
- play_arrow Trend Micro
- play_arrow Tripwire
- play_arrow Tropos Control
- play_arrow Universal CEF
- play_arrow Universal LEEF
- play_arrow Vectra Networks Vectra
- play_arrow Venustech Venusense
- play_arrow Verdasys Digital Guardian
- play_arrow Vericept Content 360 DSM
- play_arrow VMware
- play_arrow Vormetric Data Security
- play_arrow WatchGuard Fireware OS
- play_arrow Websense
- play_arrow Zscaler Nanolog Streaming Service
- play_arrow Zscaler Private Access
- play_arrow JSA Supported DSMs
IBM AIX DSMs
JSA provides the IBM AIX Audit and IBM AIX Server DSMs to collect and parse audit or operating system events from IBM AIX devices.
IBM AIX Server DSM Overview
The IBM AIX Server DSM collects operating system and authentication events using syslog for users that interact or log in to your IBM AIX appliance.
The following table identifies the specifications for both IBM AIX DSM Server:
Specification | Value |
---|---|
Manufacturer | IBM |
DSM names | IBM AIX Server |
RPM file names | DSM-IBMAIXServer-JSA_version-build_number.noarch.rpm |
Supported versions | V5.X, V6.X, and V7.X |
Protocol type | Syslog |
JSA recorded event types | Login or logoff events Session opened or session closed events Accepted password and failed password events Operating system events |
Automatically discovered? | Yes |
Includes identity? | Yes |
More information |
To integrate IBM AIX Server events with JSA, complete the following steps:
If automatic updates are not enabled, RPMs are available for download from the Juniper Downloads. Download and install the most recent version of the following RPMs on your JSA Console:
DSM Common RPM
IBM AIX Server DSM RPM
Configure your IBM AIX Server device to send syslog events to JSA.
Configure a syslog-based log source for your IBM AIX Server device. Use the following protocol-specific parameters:
Parameter
Description
Log Source Type
IBM AIX Server
Protocol Configuration
Syslog
To collect syslog audit events from your IBM AIX Server device, redirect your audit log output from your IBM AIX device to the JSA Console or Event Collector.
- Configuring Your IBM AIX Server Device to Send Syslog Events to JSA
- IBM AIX Server Sample Event Message
Configuring Your IBM AIX Server Device to Send Syslog Events to JSA
To collect syslog audit events from your IBM AIX Server device, redirect your audit log output from your IBM AIX device to the JSA Console or Event Collector.
Log in to your IBM AIX appliance as a root user.
Open the /etc/syslog.conf file.
To forward the system authentication logs to JSA, add the following line to the file:
auth.info @JSA_IP_address
A tab must separate auth.info and the IP address of JSA.
For example:
content_copy zoom_out_map##### begin /etc/syslog.conf mail.debug /var/adm/maillogmail.none /var/adm/ maillogauth.notice /var/adm/authloglpr.debug /var/adm/lpd-errskern.debug /var/adm/ messages*.emerg;*.alert;*.crit;*.warning;*.err;*.notice;*.info /var/adm/ messagesauth.info @<IP_address>##### end /etc/syslog.conf
Save and exit the file.
Restart the syslog service:
refresh -s syslogd
IBM AIX Server Sample Event Message
Use this sample event message to verify a successful integration with JSA.
Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.
IBM AIX Server sample message when you use the Syslog protocol
The following sample event message shows that the sshd connection is closed.
<38> Nov 21 16:19:05 ibm.aix.test sshd [7471482]: Connection closed by 10.5.88.146 [preauth]
JSA field name | Highlighted payload field name |
---|---|
Event ID | sshd + Connection closed (extracted from the payload) |
Device Time | Nov 21 16:19:05 |
Source IP | 10.5.88.146 |
IBM AIX Audit DSM Overview
The IBM AIX Audit DSM collects detailed audit information for events that occur on your IBM AIX appliance.
The following table identifies the specifications for the IBM AIX Audit DSM:
Specification | Value |
---|---|
Manufacturer | IBM |
DSM names | IBM AIX Audit |
RPM file names | DSM-IBMAIXAudit-JSA_version-build_number.noarch.rpm |
Supported versions | V6.1 and V7.1 |
Protocol type | Syslog Log File Protocol |
JSA recorded event types | Audit events |
Automatically discovered? | Yes |
Includes identity? | No |
More information |
To integrate IBM AIX Audit events with JSA, complete the following steps:
Download the latest version of the IBM AIX Audit DSM from the Juniper Downloads.
For syslog events, complete the following steps:
Configure your IBM AIX Audit device to send syslog events to JSA. See Configuring IBM AIX Audit DSM to Send Syslog Events to JSA .
If JSA does not automatically discover the log source, add an IBM AIX Audit log source. Use the following IBM AIX Audit-specific values in the log source configuration:
Parameter
Value
Log Source Type
IBM AIX Audit
Protocol Configuration
Syslog
For log file protocol events, complete the following steps:
Configure your IBM AIX Audit device to convert audit logs to the log file protocol format.
Configure a log file protocol-based log source for your IBM AIX Audit device. Use the following protocol-specific values in the log source configuration:
Parameter
Value
Log Source Type
IBM AIX Audit
Protocol Configuration
Log File
Service Type
The protocol to retrieve log files from a remote server.
Note:If you select the SCP and SFTP service type, ensure that the server that is specified in the Remote IP or Hostname parameter has the SFTP subsystem enabled.
Remote Port
If the host for your event files uses a non-standard port number for FTP, SFTP, or SCP, adjust the port value.
SSH Key File
If you select SCP or SFTP as the Service Type, use this parameter to define an SSH private key file. When you provide an SSH Key File, the Remote Password parameter is ignored.
Remote Directory
The directory location on the remote host where the files are retrieved. Specify the location relative to the user account you are using to log in.
Note:For FTP only. If your log files are in a remote user home directory, leave the remote directory blank to support operating systems where a change in the working directory (CWD) command is restricted.
FTP File Pattern
The FTP file pattern must match the name that you assigned to your AIX audit files with the -n parameter in the audit script. For example, to collect files that start with AIX_AUDIT and end with your time stamp value, type AIX_Audit_*.
FTP Transfer Mode
ASCII is required for text event logs that are retrieved by the log file protocol by using FTP.
Processor
NONE
Change Local Directory?
Leave this check box clear.
Event Generator
LineByLine
The Event Generator applies more processing to the retrieved event files. Each line of the file is a single event. For example, if a file has 10 lines of text, 10 separate events are created.
- Configuring IBM AIX Audit DSM to Send Syslog Events to JSA
- Configuring IBM AIX Audit DSM to Send Log File Protocol Events to JSA
Configuring IBM AIX Audit DSM to Send Syslog Events to JSA
To collect syslog audit events from your IBM AIX Audit device, redirect your audit log output from your IBM AIX device to the JSA Console or Event Collector.
On an IBM AIX appliance, you can enable or disable classes in the audit configuration. The IBM AIX default classes capture a large volume of audit events. To prevent performance issues, you can tune your IBM AIX appliance to reduce the number of classes that are collected. For more information about audit classes, see your IBM AIX appliance documentation.
Log in to your IBM AIX appliance.
Open the audit configuration file:
/etc/security/audit/config
Edit the Start section to disable the binmode element and enable the streammode element:
content_copy zoom_out_mapbinmode = off
content_copy zoom_out_mapstreammode = on
Edit the Classes section to specify which classes to audit.
Save the configuration changes.
Open the streamcmds file:
/etc/security/audit/streamcmds
Add the following line to the file:
content_copy zoom_out_map/usr/sbin/auditstream | /usr/sbin/auditselect -m -e "command != logger && command != auditstream && command != auditpr && command != auditselect"|auditpr -t0 -h eclrRdi -v |awk -u 'NR%2{printf "%s ",$0;next}{print;}' | /usr/bin/logger -p local0.debug -r &
Save the configuration changes.
Edit the syslog configuration file to specify a debug entry and the IP address of the JSA Console or Event Collector:
*.debug @ip_address
Tip:A tab must separate *.debug from the IP address.
Save the configuration changes.
Reload your syslog configuration:
refresh -s syslogd
Start the audit script on your IBM AIX appliance:
audit start
The IBM AIX Audit DSM automatically discovers syslog audit events that are forwarded from IBM AIX to JSA and creates a log source. If the events are not automatically discovered, you can manually configure a log source.
Configuring IBM AIX Audit DSM to Send Log File Protocol Events to JSA
Configure the audit.pl script to run each time that you want to convert your IBM AIX audit logs to a readable event log format for JSA.
Ensure that Perl 5.8 or later is installed on your IBM AIX computer.
To send log file protocol events from IBM AIX to JSA, you must edit these files:
Audit configuration file | The audit configuration file identifies the event classes that are audited and the location of the event log file on your IBM AIX appliance. The IBM AIX default classes capture many audit events. To prevent performance issues, you can configure the classes in the audit configuration file. For more information about configuring audit classes, see your IBM AIX documentation. |
Audit script | The audit script uses the audit configuration file to identify which audit logs to read and converts the binary logs to single-line events that JSA can read. The log file protocol can then retrieve the event log from your IBM AIX appliance and import the events to JSA. The audit script uses the audit.pr file to convert the binary audit records to event log files JSA can read. Run the audit script each time that you want to convert your audit records to readable events. You can use a cron job to automate this process. for example, you can add 0 * * * * /audit.pl to allow the audit script to run hourly. For more information, see your system documentation. |
Log in to your IBM AIX appliance.
Configure the audit configuration file:
Open the audit configuration file:
etc/security/audit/config
Edit the Start section to enable the binmode element.
content_copy zoom_out_mapbinmode = on
In the Start section, edit the configuration to determine which directories contain the binary audit logs.
The default configuration for IBM AIX auditing writes binary logs to the following directories:
content_copy zoom_out_maptrail = /audit/trail bin1 = /audit/bin1 bin2 = /audit/bin2 binsize = 10240 cmds = /etc/security/audit/bincmds
In most cases, you do not have to edit the binary file in the bin1 and bin2 directories.
In the Classes section, edit the configuration to determine which classes are audited. For information on configuring classes, see your IBM AIX documentation.
Save the configuration changes.
Audit on your IBM AIX system:
audit start
Install the audit script:
From Juniper Downloads, search for the audit.pl.gz and select the download that corresponds to your release of JSA.
Download the audit.pl.gz file.
Copy the audit script to a folder on your IBM AIX appliance.
Extract the file:
tar -zxvf audit.pl.gz
Start the audit script:
./audit.pl
You can add the following parameters to modify the command:
Parameter
Description
-r
Defines the results directory where the audit script writes event log files for JSA.
If you do not specify a results directory, the script writes the events to the following /audit/results/ directory. The results directory is used in the Remote Directory parameter in the log source configuration uses this value. To prevent errors, verify that the results directory exists on your IBM AIX system.
-n
Defines a unique name for the event log file that is generated by audit script. The FTP File Pattern parameter in the log source configuration uses this name to identify the event logs that the log source must retrieve in JSA.
-l
Defines the name of the last record file.
-m
Defines the maximum number of audit files to retain on your IBM AIX system. By default, the script retains 30 audit files. When the number of audit files exceeds the value of the -m parameter, the script deletes the audit file with the oldest time stamp.
-t
Defines the directory that contains the audit trail file. The default directory is /audit/trail.
The IBM AIX Audit DSM automatically discovers log file protocol audit events that are forwarded from IBM AIX to JSA and creates a log source. If the events are not automatically discovered, you can manually configure a log source.