Welcome to the first post in our series of configuration instructions for enabling monitored systems to send their system logs to a central logging server.
This configuration instruction covers configuring an IBM AIX event source. The tested platform is based on IBM AIX version 4.x and 5.x (Security and Authentication messages only).
By default, an AIX system will not do any syslog processing. For some strange reason, the default AIX install places no entries in /etc/syslog.conf, leaving a totally useless syslogd.
To configure IBM AIX:
1. Log in to the IBM AIX server.
2. Open the /etc/syslog.conf file in a text editor (e.g. vi, our favorite).
3. Add the following lines, where xxx.xxx.xxx.xxx is the address of the log collector server (in our example the log collector is 192.168.0.10):
auth.debug	@192.168.0.10
daemon.debug	@192.168.0.10
kern.debug	@192.168.0.10
user.debug	@192.168.0.10
NOTE: Adding these lines causes the server to send all messages of debug level and higher for these facilities to the log collector server.
4. Save the file. Close the text editor.
5. Run the following command to restart the syslogd daemon.
refresh -s syslogd
IMPORTANT: Do not use the -n flag when starting the syslogd daemon. This flag suppresses the priority and facility information for each log message, and will prevent any log analysis system from recognizing AIX messages.
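As an added example (not part of the original post), the script below wraps steps 3 to 5 in a small shell script: it appends the four forwarding entries only if they are not already present, checks the syslogd SRC definition for the -n flag the note above warns about, and then runs refresh -s syslogd. It assumes the configuration file and collector address are passed as arguments, and that the colon-format record printed by lssrc -S -s syslogd carries the daemon's arguments in its third field (cmdargs); that field layout is our assumption, so verify it on your system.

```shell
#!/bin/sh
# Added example, not from the original post: idempotently add the AIX
# syslog.conf forwarding entries for auth/daemon/kern/user and check the
# syslogd SRC record for the -n flag before refreshing the daemon.
# Assumption: in the colon-format output of `lssrc -S -s syslogd`,
# field 3 is cmdargs (the arguments syslogd is started with).

FACILITIES="auth daemon kern user"

# has_forwarding_entry CONF FACILITY COLLECTOR
# Returns 0 if a non-comment line in CONF already reads
# "<FACILITY>.debug   @<COLLECTOR>".
has_forwarding_entry() {
    conf=$1; fac=$2; collector=$3
    awk -v sel="$fac.debug" -v act="@$collector" '
        /^[ \t]*#/ { next }
        $1 == sel && $2 == act { found = 1 }
        END { exit (found ? 0 : 1) }' "$conf"
}

# add_forwarding_entries CONF COLLECTOR
# Appends the missing entries (selector, tab, action, as syslog.conf
# expects) and prints how many lines were added.
add_forwarding_entries() {
    conf=$1; collector=$2; added=0
    for fac in $FACILITIES; do
        if ! has_forwarding_entry "$conf" "$fac" "$collector"; then
            printf '%s.debug\t@%s\n' "$fac" "$collector" >> "$conf"
            added=$((added + 1))
        fi
    done
    echo "$added"
}

# syslogd_has_n_flag RECORD
# RECORD is one colon-format subsystem line; returns 0 when -n is among
# the arguments in field 3 (cmdargs).
syslogd_has_n_flag() {
    record=$1
    cmdargs=$(printf '%s\n' "$record" | awk -F: '{ print $3 }')
    for arg in $cmdargs; do
        [ "$arg" = "-n" ] && return 0
    done
    return 1
}

# Usage on the AIX host: sh aix_syslog_forward.sh /etc/syslog.conf 192.168.0.10
if [ $# -eq 2 ]; then
    n=$(add_forwarding_entries "$1" "$2")
    echo "added $n forwarding line(s) to $1"
    # The first line of lssrc -S output is a '#' header; skip it.
    if syslogd_has_n_flag "$(lssrc -S -s syslogd | grep -v '^#')"; then
        echo "WARNING: syslogd is defined with -n; priority/facility will be stripped"
    fi
    refresh -s syslogd
fi
```

After running it, generate a test message locally with logger -p auth.debug "syslog forwarding test" and confirm that the line arrives on the collector with its facility and priority intact.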
Of course, the most important part is to check that the logs are generated and arrive at the log collector. Once you see the logs being collected, the AIX server configuration is complete.
Watch out for the next topic in our series, where we list the instructions for another type of server/device.
Oscar Bravo Jr.
CISSP, CISA, CCDP, CCNP, CCEE, CCSE, MCSE, MCITP, RSASE
Senior Consultant, Security Solutions Services