
InTrust 11.3.2 - Preparing for Auditing and Monitoring IBM AIX

AIX Audit Log

In InTrust Manager, the AIX Audit log is represented by the “AIX Audit Log” data source. Use this data source in any gathering, consolidation and import policies that need to work with Audit log data.

In addition to native Audit log events, the InTrust agent writes the following two events:

Event ID   Meaning
60000      The InTrust agent detected that AIX system audit had been stopped.
60001      The InTrust agent detected that AIX system audit had been started (either before or after the start of the agent itself).

For information about the format of the resulting event records, see Audit Log Event Format.

Text File-Monitoring Data Sources

The “AIX Accounts Monitoring” and “AIX Text Files Monitoring” scripted data sources are designed to parse specified files. Real-time monitoring rules use these data sources to monitor the files for changes.

Caution: These scripted data sources are not designed for general-purpose auditing and monitoring of text-based logs. Use them only on configuration files, preferably ones that do not exceed 100 kilobytes. To collect large text-based logs, use Custom Text Log Events data sources, as described in Auditing Custom Logs with InTrust.

To specify the file paths, edit the appropriate parameters of the data sources. For example, to monitor the /etc/hosts.allow and /etc/hosts.deny files, take the following steps:

  1. Open the properties of the “AIX Text Files Monitoring” data source.
  2. On the Parameters tab, select the TextFiles parameter and click Edit.
  3. Supply “/etc/hosts.allow” and “/etc/hosts.deny” in the dialog box that appears.

Similarly, you can edit the UsersFile and GroupsFile parameters of the “AIX Accounts Monitoring” data source if the location of the passwd and groups files differs from the default on your AIX hosts.

Note: Monitoring the passwd and groups files makes sense if your AIX environment does not use a directory solution. With a directory in place, information in these files is not important or representative.

Script Event Provider Data Sources

InTrust provides an additional option to create a custom data source using the Script Event Provider.

This functionality lets you create a script that runs at a preset frequency. When the conditions specified in the script are met, events are generated and passed to the InTrust agent. The events are stored in the agent's backup cache, from where they can be captured by the gathering or real-time monitoring engine.

In the script, you specify what information is stored in the events and how it is ordered, and what conditions are required for event generation.

To create a custom data source with Script Event Provider

  1. Right-click the Configuration | Data Sources node and select New Data Source.
  2. In the New Data Source Wizard, select the Script Event Provider data source type.
  3. On the Script step, select the script language and enter your script text using the XML editor.
  4. On the same step, specify how frequently the script runs.
  5. Complete the remaining steps.

Use Scenarios

This section describes typical situations in a production environment and outlines how InTrust helps handle them. For information about specific procedures, such as creating tasks and jobs or activating rules, see the InTrust Auditing Guide.
