Hello,
You could try the auditpr command, the link is below:
IBM auditpr command documentation
An example of output using default header information follows:
event login status time command
login marky OK Fri Feb 8 14:03:57 1990 login
. . . . . trail portion . . . .
Check documentation, but one example would be
Code:
/usr/sbin/auditstream | /usr/sbin/auditpr -t0 -heRl
The user running this command should have read access to the files below:
- /etc/security/audit/events
- /etc/passwd
- /etc/group
---------------------------------------------------------
For raw audit data---
AIX does have an audit facility, which may be turned on. The command to view audit files is on IBM's web site, and has documentation at the following link:
Commands Reference, Volume 3, i - m lsaudrec Command
Here is a quick modified example:
---copied from the IBM documentation ---
Code:
/usr/sbin/rsct/bin/lsaudrec -s "Time > #-000034"
# this shows the audit records on the current system in the last 34 hours
To list the time and sequence number of every record in the audit log for the subsystem abc on nodes mynode and yournode, enter:
You can make your own subsystem by the following:
Code:
lsaudrec -n mynode,yournode -S abc Time SequenceNumber
---end copied from the IBM documentation ---
(the environment variable CT_MANAGEMENT_SCOPE is not set in this example, and local scope indicates just the current machine)
In Windows XP Home, the eventvwr has the following logs by default:
Application
Security
System
XP Application Log has the following columns by default
- Type
- Date
- Time
- Source
- Category
- Event
- User
- Computer
In AIX, these may (or may not) roughly correspond to:
- Category (0 or 1, information or error)
- Date (#mmddhhmmyyyy, example #010523042002 is January 5, 11:04 PM, 2002)
- Time (see Date above)
- Subsystem
- TemplateID (Specifies the subsystem-dependent identifier that is assigned to records that have the same content and format string. This value is a 32-bit unsigned integer)
- Node (which computer to examine)
The security subsystem in AIX would be the following subsystems
# stands for "ls" the "src" or subsystem resource controller
The command above lists all subsystems
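
As an added example (not part of the original post or of IBM's documentation), this Python filter reads auditpr output in the default column layout quoted near the top of the post and counts non-OK records per login. The sample lines are constructed, and treating any status other than OK as a failure is an assumption.

```python
import re
from collections import Counter
from datetime import datetime

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

# Default auditpr columns: event login status time command.
# The time column contains spaces, so its parts are matched separately.
LINE = re.compile(
    r"^(?P<event>\S+)\s+(?P<login>\S+)\s+(?P<status>\S+)\s+"
    r"\w{3}\s+(?P<mon>\w{3})\s+(?P<day>\d{1,2})\s+"
    r"(?P<hms>\d{2}:\d{2}:\d{2})\s+(?P<year>\d{4})\s+(?P<command>\S+)\s*$")

def parse_auditpr(text):
    """Return one dict per record line; header and trail lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m or m["mon"] not in MONTHS:
            continue
        h, mi, s = (int(x) for x in m["hms"].split(":"))
        records.append({
            "event": m["event"], "login": m["login"],
            "status": m["status"], "command": m["command"],
            "time": datetime(int(m["year"]), MONTHS[m["mon"]],
                             int(m["day"]), h, mi, s),
        })
    return records

def failures_by_login(records):
    """Count records whose status is not OK (assumption: non-OK means failure)."""
    return Counter(r["login"] for r in records if r["status"] != "OK")

# Constructed sample: the first record is the line quoted in the post,
# the remaining records are invented for illustration.
SAMPLE = """\
event    login    status    time                       command
login    marky    OK        Fri Feb  8 14:03:57 1990   login
        . . . . . trail portion . . . .
login    marky    FAIL      Fri Feb  8 14:05:10 1990   login
login    root     FAIL      Fri Feb  8 14:05:12 1990   login
login    marky    FAIL      Fri Feb  8 14:05:31 1990   login
"""

if __name__ == "__main__":
    for login, n in failures_by_login(parse_auditpr(SAMPLE)).most_common():
        print(f"{login}: {n} non-OK record(s)")
```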