
InTrust 11.3.2 - Preparing for Auditing and Monitoring IBM AIX

Script Event Provider Data Sources

InTrust provides an additional option to create a custom data source using the Script Event Provider.

This functionality lets you create a script that runs at a preset frequency. When the conditions specified in the script are met, events are generated and passed to the InTrust agent. Events are stored in the agent's backup cache, from which they can be captured by the gathering or real-time monitoring engine.

In the script, you specify what information is stored in the generated events, how that information is ordered, and what conditions must be met for an event to be generated.

To create a custom data source with Script Event Provider

  1. Right-click the Configuration | Data Sources node and select New Data Source.
  2. In the New Data Source Wizard, select the Script Event Provider data source type.
  3. On the Script step, select the script language and enter your script text using the XML editor.
  4. On the same step, specify how frequently the script runs.
  5. Complete the remaining steps.

Auditing, Reporting, and Real-Time Monitoring

AIX auditing, reporting, and real-time monitoring are similar to working with any other system supported by InTrust.

There is only one important difference, which concerns active scheduling of InTrust tasks. For details, see the caution note below.

Caution: An active schedule is required to make the agent cache events. If the schedule is disabled, no events are stored. Since all data sources described above use event caching, it is recommended that you have at least one regularly running task for these data sources. If you want to gather data only on demand, you must still enable the schedule for your task or tasks, but set it to a point in the future or in the past.

The other AIX auditing, reporting and real-time monitoring operations do not have special requirements, and you can perform them as described in the Auditing Guide and Real-Time Monitoring Guide.

InTrust Configuration

After you have taken all the necessary configuration steps on the target AIX hosts, the InTrust Manager snap-in takes over all auditing and real-time monitoring operations. This section describes AIX-specific settings that are not explained in the other InTrust documentation.

Data Sources

The "AIX Syslog" and "AIX Audit Log" data sources represent the AIX audit trails. The "AIX Text Files Monitoring" and "AIX Accounts Monitoring" data sources work with files that are not audit trails.

AIX Syslog

Syslog auditing and real-time monitoring are based on the flow of data intended for the syslogd daemon. The "AIX Syslog" data source analyzes this data flow and captures only the necessary portions of it.

This data source uses a list of regular expressions. When the data source is working, it applies the expressions, in the order specified, to each message. The order of the regular expressions matters because message processing stops as soon as the message matches one of the expressions.

During parsing, pairs of parentheses in the regular expressions (capture groups) break each message up into numbered fields.

For example, the following regular expression:

^(.{15}) ([-[:alnum:]_.]+) (su)(\[[0-9]*\]){0,1}: \[ID ([0-9]+) [a-z]+\.[a-z]+\] ('su (.*)' succeeded for (.*) on (.*))

matches the following message:

Dec 16 07:29:28 r5 su: [ID 366847 auth.notice] 'su root' succeeded for jsmith on /dev/pts/1

The result is an event with the following fields:

Field Name             Field Number   Field Contents
Computer               <2>            r5
Description            <6>            'su root' succeeded for jsmith on /dev/pts/1
Event ID               <5>            366847
Event Source           <3>            su
Insertion String #1    <6>            'su root' succeeded for jsmith on /dev/pts/1
Insertion String #11   <7>            root
Insertion String #12   <8>            jsmith

The last regular expression in the predefined data source is designed to match any message, so that no message is lost. The result of this regular expression is an event in which the Description and Insertion String #1 fields both contain the descriptive part of the message, if a descriptive part is present.
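The ordered, first-match-wins parsing described above, as an added example that is not code from InTrust or the AIX Knowledge Pack. It reuses the page's su expression with the POSIX class [:alnum:] rewritten as [A-Za-z0-9], because Python's re module has no POSIX classes; the catch-all rule and its field layout, and the second sample line, are assumptions constructed for the example.

```python
import re

# Ordered rule list, as in the data source: the first matching rule wins.
# Each rule maps an InTrust field name to a capture-group number (the page's table).
RULES = [
    # The page's su expression, with [:alnum:] rewritten for Python's re.
    (re.compile(
        r"^(.{15}) ([-A-Za-z0-9_.]+) (su)(\[[0-9]*\]){0,1}: \[ID ([0-9]+) "
        r"[a-z]+\.[a-z]+\] ('su (.*)' succeeded for (.*) on (.*))"),
     {"Computer": 2, "Description": 6, "Event ID": 5, "Event Source": 3,
      "Insertion String #1": 6, "Insertion String #11": 7,
      "Insertion String #12": 8}),
    # Constructed catch-all (hypothetical): keeps any other message instead of
    # losing it; the descriptive part goes to both Description and Insertion String #1.
    (re.compile(r"^(.{15}) ([-A-Za-z0-9_.]+) (.*)$"),
     {"Computer": 2, "Description": 3, "Insertion String #1": 3}),
]


def parse_message(message, rules=RULES):
    """Apply the rules in order and stop at the first one that matches.

    Returns a dict of field name -> captured text, or None if no rule matches
    (unreachable while a catch-all is last, but reordering the rules changes that).
    """
    for pattern, fields in rules:
        m = pattern.match(message)
        if m:
            return {name: m.group(num) for name, num in fields.items()}
    return None


# Constructed sample lines; the first is the page's own example message.
SAMPLE_LINES = [
    "Dec 16 07:29:28 r5 su: [ID 366847 auth.notice] 'su root' succeeded for jsmith on /dev/pts/1",
    "Dec 16 07:30:02 r5 sshd[1234]: Accepted publickey for jsmith from 10.0.0.5 port 5022",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_message(line))
    # Order matters: with the catch-all first, the su event loses its Event ID.
    print(parse_message(SAMPLE_LINES[0], list(reversed(RULES))))
```

Reversing the rule order shows why the page warns that ordering matters: the catch-all would swallow the su message before the specific rule sees it.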

It is not recommended that you modify the predefined regular expressions in the data source. These expressions are required by the reports that come with the AIX Knowledge Pack, and those reports ignore any data produced by custom regular expressions.

If you create a custom Syslog data source with your own regular expressions, make sure you use customized reports based on the data that these regular expressions help capture.

Caution: Including a lot of complex regular expressions in the data source may slow down Syslog processing significantly.
