LinuxQuestions.org
AIX This forum is for the discussion of IBM AIX.
eserver and other IBM related questions are also on topic.

Old 05-14-2004, 09:44 PM   #1
DriveMeCrazy
Member
 
Registered: Mar 2004
Posts: 70

Rep: Reputation: 15
Audit Log in AIX?


Hi guys,

is there something in AIX similar to the Security(Audit) Event Log in Windows?
If there is, how big is this file and possible to extract(copy) out to another file?

Thanks alot.
 
Old 05-15-2004, 07:21 AM   #2
MarkBurke
LQ Newbie
 
Registered: Nov 2003
Location: Orange County, CA, USA
Distribution: aix, rhel, ubuntu
Posts: 24

Rep: Reputation: 0
Hello,

You could try the auditpr command, the link is below:

IBM auditpr command documentation

An example of output using default header information follows:


event login status time command
login marky OK Fri Feb;8 14:03:57 1990 login
. . . . . trail portion . . . .

Check documentation, but one example would be

Code:
/usr/sbin/auditstream | /usr/sbin/auditpr -t0 -heRl
The user running this command should have read access to the files below:
1. /etc/security/audit/events
2. /etc/passwd
3. /etc/group

---------------------------------------------------------


For raw audit data---

AIX does have an audit facility, which may be turned on, the command to view audit files is on IBM's web site, and has documentation at the following link:

Commands Reference, Volume 3, i - m lsaudrec Command

Here is a quick modified example:

---copied from the IBM documentation ---


Code:
mkssys
Code:
/usr/sbin/rsct/bin/lsaudrec -s "Time > #-000034"
# this shows the audit records on the current system in the last 34 hours

To list the time and sequence number of every record in the audit log for the subsystem abc on nodes mynode and yournode, enter:

You can make your own subsystem by the following:
Code:
lsaudrec -n mynode,yournode -S abc Time SequenceNumber
---end copied from the IBM documentation ---

(the environment variable CT_MANAGEMENT_SCOPE is not set in this example, and local scope indicates just the current machine)

In Windows XP Home, the eventvwr has the following logs by default:

Application
Security
System

XP Application Log has the following columns by default
  • Type
  • Date
  • Time
  • Source
  • Category
  • Event
  • User
  • Computer

In AIX, these may (or may not) roughly correspond to:
1. Category (0 or 1, information or error)
2. Date (#mmddhhmmyyyy, example #010523042002 is January 5, 11:04 PM, 2002)
3. Time (see Date above)
4. Subsystem
5. TemplateID (specifies the subsystem-dependent identifier that is assigned to records that have the same content and format string; this value is a 32-bit unsigned integer)
6. Node (which computer to examine)

The security subsystem in AIX would be the following subsystems

Code:
lssrc -a
# stands for "ls" the "src" or subsystem resource controller

The command above lists all subsystems
 
Old 05-15-2004, 01:11 PM   #3
iainr
Member
 
Registered: Nov 2002
Location: England
Distribution: Ubuntu 9.04
Posts: 631

Rep: Reputation: 30
Also, take a look at the audit command.
Code:
audit start
audit stop
 
Old 05-16-2004, 03:04 AM   #4
DriveMeCrazy
Member
 
Registered: Mar 2004
Posts: 70

Original Poster
Rep: Reputation: 15
Quote:
Originally posted by MarkBurke
Hello,

You could try the auditpr command, the link is below:

IBM auditpr command documentation

An example of output using default header information follows:


event login status time command
login marky OK Fri Feb;8 14:03:57 1990 login
. . . . . trail portion . . . .

Check documentation, but one example would be

Code:
/usr/sbin/auditstream | /usr/sbin/auditpr -t0 -heRl
The user running this command should have read access to the files below:
1. /etc/security/audit/events
2. /etc/passwd
3. /etc/group

---------------------------------------------------------


For raw audit data---

AIX does have an audit facility, which may be turned on, the command to view audit files is on IBM's web site, and has documentation at the following link:

Commands Reference, Volume 3, i - m lsaudrec Command

Here is a quick modified example:

---copied from the IBM documentation ---


Code:
mkssys
Code:
/usr/sbin/rsct/bin/lsaudrec -s "Time > #-000034"
# this shows the audit records on the current system in the last 34 hours

To list the time and sequence number of every record in the audit log for the subsystem abc on nodes mynode and yournode, enter:

You can make your own subsystem by the following:
Code:
lsaudrec -n mynode,yournode -S abc Time SequenceNumber
---end copied from the IBM documentation ---

(the environment variable CT_MANAGEMENT_SCOPE is not set in this example, and local scope indicates just the current machine)

In Windows XP Home, the eventvwr has the following logs by default:

Application
Security
System

XP Application Log has the following columns by default
  • Type
  • Date
  • Time
  • Source
  • Category
  • Event
  • User
  • Computer

In AIX, these may (or may not) roughly correspond to:
1. Category (0 or 1, information or error)
2. Date (#mmddhhmmyyyy, example #010523042002 is January 5, 11:04 PM, 2002)
3. Time (see Date above)
4. Subsystem
5. TemplateID (specifies the subsystem-dependent identifier that is assigned to records that have the same content and format string; this value is a 32-bit unsigned integer)
6. Node (which computer to examine)

The security subsystem in AIX would be the following subsystems

Code:
lssrc -a
# stands for "ls" the "src" or subsystem resource controller

The command above lists all subsystems
hmmm.... unfortunately none of the above works for me.
 
Old 05-16-2004, 03:05 AM   #5
DriveMeCrazy
Member
 
Registered: Mar 2004
Posts: 70

Original Poster
Rep: Reputation: 15
Quote:
Originally posted by iainr
Also, take a look at the audit command.
Code:
audit start
audit stop
ok... i will check out the man pages.
btw, my task on hand is to extract those audit logs....
thanks for the info anyway
 
Old 05-16-2004, 03:37 PM   #6
iainr
Member
 
Registered: Nov 2002
Location: England
Distribution: Ubuntu 9.04
Posts: 631

Rep: Reputation: 30
Quote:
Originally posted by DriveMeCrazy
btw, my task on hand is to extract those audit logs....
thanks for the info anyway
Unless auditing was explicitly run, there will not be any audit logs of this type on your system, so there may be nothing for you to extract. Auditing and accounting use up significant amounts of disk space, CPU and memory so are turned off by default.

If these were not running, the logs you have left are the standard AIX ones and there is probably a lot of information that simply hasn't been recorded.

Look at /etc/syslog.conf to see which logs are being written to. Probably they are mostly under /var/adm.

e.g.
- /var/adm/messages
- /var/adm/wtmp (use last command to access)
- /etc/security/failedlogin
- /var/adm/sulog
- a few files under /var/adm/ras
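As an added example (not code from anyone in this thread), a POSIX sh function that does the extraction DriveMeCrazy asked about: it copies the standard logs from iainr's list and, if a bin-mode audit trail exists, copies that too and renders it with the auditpr fields MarkBurke used. It assumes the AIX default bin trail path /audit/trail, which the thread does not mention; the AIX-only step is guarded so the function can be exercised against a constructed directory tree on any box.

```shell
#!/bin/sh
# collect_aix_logs ROOT DEST
#   Copies the AIX logs discussed in this thread from ROOT (normally "/")
#   into DEST, keeping the original path layout, and prints how many files
#   were copied. Passing a different ROOT lets the function run against a
#   constructed directory tree on a non-AIX machine.
collect_aix_logs() {
    root=${1%/}
    dest=$2
    mkdir -p "$dest" || return 1
    copied=0
    # Standard logs from iainr's list (check /etc/syslog.conf for others).
    # wtmp is binary: read it with "last"; failedlogin with "who FILE".
    for f in var/adm/messages var/adm/wtmp etc/security/failedlogin var/adm/sulog; do
        src="$root/$f"
        [ -f "$src" ] || continue
        mkdir -p "$dest/$(dirname "$f")"
        cp -p "$src" "$dest/$f" && copied=$((copied + 1))
    done
    # Assumption: bin-mode auditing writes its trail to /audit/trail (the AIX
    # default). It only exists if "audit start" was run with bin mode enabled.
    trail="$root/audit/trail"
    if [ -f "$trail" ]; then
        mkdir -p "$dest/audit"
        cp -p "$trail" "$dest/audit/trail" && copied=$((copied + 1))
        # Render the binary trail to text with the same auditpr options
        # MarkBurke showed, but only where auditpr exists (the AIX host itself).
        if [ -x /usr/sbin/auditpr ]; then
            /usr/sbin/auditpr -t0 -heRl < "$trail" > "$dest/audit/trail.txt"
        fi
    fi
    echo "$copied"
}
```

Run it as root on the AIX box with `collect_aix_logs / /tmp/audit-export-$(date +%Y%m%d)` and then tar the export directory; files that do not exist are skipped rather than treated as errors.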