108.2. AIX Auditing (xm_aixaudit)
This module parses events in the AIX Audit format. This module is normally used in combination with the im_file module to read events from a log file. An InputType is registered using the name of the module instance. See also im_aixaudit, which reads audit events directly from the kernel—it is recommended instead in cases where NXLog is running as a local agent on the system.
108.2.1. Configuration
The xm_aixaudit module accepts only the common module directives.
108.2.2. Fields
The following fields are used by xm_aixaudit.
$raw_event(type: string)-
A list of event fields in key-value pairs.
$Command(type: string)-
The command executed.
$EventTime(type: datetime)-
The timestamp of the event.
$EventType(type: string)-
The type of event (for example,
login).
$Login(type: string)-
Login name
$LoginUID(type: integer)-
Login UID
$ParentPID(type: integer)-
The parent process ID (PID).
$PID(type: integer)-
The process ID (PID).
$Real(type: string)-
Real user name
$RealUID(type: integer)-
Real user ID
$Status(type: integer)-
The status ID of the event.
$Thread(type: integer)-
The kernel thread ID, local to the process.
$Verbose(type: string)-
The audit record verbose description
$WPARkey(type: string)-
Worlload Partition key
$WPARname(type: string)-
Worlload Partition name
108.2.3. Examples
This configuration reads AIX audit logs from file and parses them with the InputType registered by xm_aixaudit.
![[Download file]](images/icons/download_icon.png "Download file"){kind=icon}
1
2
3
4
5
6
7
8
9
<Extension aixaudit_parser>
Module xm_aixaudit
</Extension>
<Input in>
Module im_file
File '/audit/bin*'
InputType aixaudit_parser
</input>