
AIX Agent Install and Auditing in LEM


Updated: January 29, 2019, 2018


This article provides brief background on AIX auditing and the steps to install the LEM AIX agent and enable auditing.


All LEM versions


AIX Audit Information (Pre-install/configuration)


A list of audit events built into AIX, along with a list of predefined audit objects, can be found in the file /etc/security/audit/events.

In general, auditing events are defined at the system call level. A single operation at the command line would result in records of several events in the audit trail. For example, when viewing a file using the cat or more command, you would see the following records logged into the audit trail:


FILE_Open (file is opened)
FILE_Read (file is read)
FILE_Write (file is written to standard output)
PROC_Create (process creation for more OR cat)
PROC_Execute (command execution)
PROC_Delete (process completion)


To add further audit objects, extend the /etc/security/audit/objects file.

Auditing can be started in either or both of these modes (BIN mode and STREAM mode); for LEM, use STREAM mode.


In STREAM mode, the default AIX configuration provides a program that reads the STREAM buffer and processes each record with the commands found in /etc/security/audit/streamcmds. These commands format the output into human-readable form and write it to /audit/stream.out. This file is NOT cumulative; it is restarted every time the audit subsystem is restarted. The STREAM audit trail can be read in real time by reading /audit/stream.out, or by sending the output directly to a terminal or printer.

There are five audit subcommands for invoking auditing:

  • /usr/sbin/audit start - To activate the audit subsystem (this is the only correct way to start auditing).
  • /usr/sbin/audit shutdown - To stop the audit subsystem, process the final BIN records, and remove the /audit/auditb file that the audit modules use as an "active" indicator.
  • /usr/sbin/audit off - To suspend auditing temporarily.
  • /usr/sbin/audit on - To resume auditing after audit off.
  • /usr/sbin/audit query - To display the status of auditing.


All auditing related configuration files reside in /etc/security/audit.

The /etc/security/audit/config file contains the key audit controls.


more /etc/security/audit/config

general = USER_SU,PASSWORD_Change,USER_Login,FILE_Unlink,FILE_Link,FILE_Rename,FS_Chdir,...
SRC = SRC_Start,SRC_Stop,SRC_Addssys,SRC_Chssys,SRC_Delssys,SRC_Addserver,...
kernel = PROC_Create,PROC_Delete,PROC_Execute,PROC_RealUID,PROC_AuditID,...
files = FILE_Open,FILE_Read,FILE_Write,FILE_Close,FILE_Link,FILE_Unlink,...
svipc = MSG_Create,MSG_Read,MSG_Write,MSG_Delete,MSG_Owner,MSG_Mode,...
mail = SENDMAIL_Config,SENDMAIL_ToFile
cron = AT_JobAdd,AT_JobRemove,CRON_JobAdd,CRON_JobRemove,CRON_Start,CRON_Finish
tcpip = TCPIP_config,TCPIP_host_id,TCPIP_route,TCPIP_connect,...
lvm = LVM_AddLV,LVM_KDeleteLV,LVM_ExtendLV,LVM_ReduceLV,...
root = general
joe = general,files


For additional information, see The Audit Subsystem in AIX from the IBM website. 


Agent Install and Enable Auditing steps

Agent Install:

  1. Download the AIX agent from the SolarWinds Customer Portal.
  2. Unzip the download on a Windows system, and copy setup.bin to the AIX system (WinSCP is recommended).
  3. Run chmod 777 setup.bin. This sets the permissions so the installer can be executed.
  4. The installer asks to create /usr/local/contego/ContegoSPOP/; let it install there whenever possible.
  5. spop.conf can be edited to point to either the IP address or the hostname of the LEM.

    When changing spop.conf, be sure to restart the agent service.

Another feature of the Unix agents is that the agent directory can be copied to other Unix servers (after removing the spop directory), and the agent startup script can then be added to the operating system startup scripts so the agent starts automatically.

Configure auditing on the AIX server:

  1. vi  /etc/security/audit/config - Verify that it contains the following settings:

        binmode = off
        streammode = on

        trail = /audit/trail
        bin1 = /audit/bin1
        bin2 = /audit/bin2
        binsize = 10240
        cmds = /etc/security/audit/bincmds

        cmds = /etc/security/audit/streamcmds

  2. /usr/sbin/audit shutdown
  3. vi  /etc/security/audit/streamcmds - Insert the following line:
    /usr/sbin/auditstream | auditpr -v > /audit/stream.out &
  4. /usr/sbin/audit start

Verify logging:

  1. cat  /audit/stream.out - Shows the audit records collected in the AIX file.
  2. tail -f  /audit/stream.out  - Monitors the log file in real time on the AIX server.
  3. If nothing is received, run:
         /usr/sbin/audit  on
         /usr/sbin/audit start
              (see the audit subcommands listed above for shutdown, off, and query)

What is received from the stream.out?
Now that you are seeing data in stream.out, there are two points that matter to the connector reading the log data.

  • Each event received appears as two lines of information. This is normal; the AIX connector expects the data to arrive on two lines.
  • The first line can contain multiple columns. If there are too many columns, the connector cannot read the log data.

The AIX connector needs to see 5 columns:
     event          login          status          time          command

The AIX connector will be unable to read more than 5 columns:
     event          real          login          status          time          command          process          parent

If you see other columns, the AIX audit output needs to be adjusted. See this IBM article dated June 28, 2011:
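To check a stream.out before pointing the connector at it, here is an added shell example (not part of this article or of the LEM agent): it reads the column-name row at the top of /audit/stream.out, reports any column beyond the five the connector needs, and counts header and detail lines to confirm the two-line-per-event layout. It assumes the header row's first word is "event" and that each event's second line is indented; the sample data is constructed.

```shell
# Added example, not from the SolarWinds article: sanity-check an AIX
# /audit/stream.out against the layout the LEM AIX connector expects.
# Assumptions: the first line whose first word is "event" is the column header
# row written by auditpr, and each event's second (detail) line is indented.
EXPECTED_COLUMNS="event login status time command"

# Print the column names of the header row, separated by single spaces.
stream_columns() {
    awk '$1 == "event" { for (i = 1; i <= NF; i++) printf "%s%s", $i, (i < NF ? " " : "\n"); exit }' \
        "${1:-/audit/stream.out}"
}

# Return 0 when the header is exactly the five expected columns; otherwise
# print the unexpected column names on stdout, a message on stderr, and return 1.
check_stream_header() {
    cols=$(stream_columns "${1:-/audit/stream.out}")
    [ "$cols" = "$EXPECTED_COLUMNS" ] && return 0
    extra=""
    for c in $cols; do
        case " $EXPECTED_COLUMNS " in
            *" $c "*) ;;                # one of the five expected columns
            *) extra="$extra $c" ;;     # anything else blocks the connector
        esac
    done
    extra=${extra# }
    echo "header is '$cols', expected '$EXPECTED_COLUMNS'; extra columns: $extra" >&2
    printf '%s\n' "$extra"
    return 1
}

# Print "<event lines> <detail lines>"; the two counts should match, since
# every event is written as one header line plus one indented detail line.
count_stream_events() {
    awk '$1 == "event" { seen = 1; next }       # column header row
         !seen || NF == 0 || /^[- ]+$/ { next } # preamble, blank or underline rows
         /^[ \t]/ { tails++; next }             # indented second line of an event
         { events++ }
         END { printf "%d %d\n", events, tails }' "${1:-/audit/stream.out}"
}

# Constructed samples (not real auditpr output): the five-column layout the
# connector reads, and the eight-column header it cannot read.
SAMPLE_OK='event           login    status   time                     command
FILE_Open       root     OK       Tue Jan 29 10:15:32 2019 cat
        constructed detail line for FILE_Open
PROC_Delete     root     OK       Tue Jan 29 10:15:32 2019 cat
        constructed detail line for PROC_Delete'
SAMPLE_BAD='event real login status time command process parent'

# Stand-alone run against the samples (real use: check_stream_header /audit/stream.out).
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_OK" > "$tmp" && check_stream_header "$tmp" && echo "events/details: $(count_stream_events "$tmp")"
printf '%s\n' "$SAMPLE_BAD" > "$tmp" && check_stream_header "$tmp" || echo "header needs adjusting"
rm -f "$tmp"
```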

