108.2. AIX Auditing (xm_aixaudit)

This module parses events in the AIX Audit format. It is normally used in combination with the im_file module to read events from a log file. An InputType is registered using the name of the module instance. See also im_aixaudit, which reads audit events directly from the kernel; it is the recommended choice when NXLog is running as a local agent on the system.

108.2.1. Configuration

The xm_aixaudit module accepts only the common module directives.

108.2.2. Fields

The following fields are used by xm_aixaudit.

$raw_event (type: string)

A list of event fields in key-value pairs.

$Command (type: string)

The command executed.

$EventTime (type: datetime)

The timestamp of the event.

$EventType (type: string)

The type of event (for example, login).

$Login (type: string)

Login name

$LoginUID (type: integer)

Login UID

$ParentPID (type: integer)

The parent process ID (PID).

$PID (type: integer)

The process ID (PID).

$Real (type: string)

Real user name

$RealUID (type: integer)

Real user ID

$Status (type: integer)

The status ID of the event.

$Thread (type: integer)

The kernel thread ID, local to the process.

$Verbose (type: string)

The audit record verbose description

$WPARkey (type: string)

Workload Partition key

$WPARname (type: string)

Workload Partition name

108.2.3. Examples

Example 483. Parsing AIX Audit Events

This configuration reads AIX audit logs from file and parses them with the InputType registered by xm_aixaudit.

nxlog.conf

# Register the AIX audit parser; the instance name becomes an InputType
<Extension aixaudit_parser>
    Module      xm_aixaudit
</Extension>

# Read the audit bin files and parse each record with that InputType
<Input in>
    Module      im_file
    File        '/audit/bin*'
    InputType   aixaudit_parser
</Input>
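As an added example that is not part of the NXLog documentation, the configuration below builds on the one above: it keeps only login-related events based on the parsed $EventType field, serializes all parsed fields to JSON with xm_json, and forwards them to a remote collector over TCP. The /Login/ pattern, the collector host siem.example.com and port 1514 are assumptions.

```conf
# Parser for the AIX audit records read from the bin files
<Extension aixaudit_parser>
    Module      xm_aixaudit
</Extension>

# Provides to_json() for serializing the parsed fields
<Extension json>
    Module      xm_json
</Extension>

<Input in>
    Module      im_file
    File        '/audit/bin*'
    InputType   aixaudit_parser
    <Exec>
        # Assumed pattern: AIX login event types contain "Login" (e.g. USER_Login)
        if $EventType !~ /Login/ drop();
        # $raw_event becomes a JSON object with $EventTime, $EventType,
        # $Login, $Command, $PID and the other parsed fields
        to_json();
    </Exec>
</Input>

# Assumed collector address; adjust to the real SIEM endpoint
<Output out>
    Module      om_tcp
    Host        siem.example.com
    Port        1514
</Output>

<Route r>
    Path        in => out
</Route>
```

Events that do not match the pattern are discarded before serialization, so only the login records reach the collector.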