Skip to Main Content
IBM Power Ideas Portal


This portal is to open public enhancement requests against IBM Power Systems products, including IBM i. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).


Shape the future of IBM!

We invite you to shape the future of IBM, including product roadmaps, by submitting ideas that matter to you the most. Here's how it works:

Search existing ideas

Start by searching and reviewing ideas and requests to enhance a product or service. Take a look at ideas others have posted, and add a comment, vote, or subscribe to updates on them if they matter to you. If you can't find what you are looking for,

Post your ideas
  1. Post an idea.

  2. Get feedback from the IBM team and other customers to refine your idea.

  3. Follow the idea through the IBM Ideas process.


Specific links you will want to bookmark for future use

Welcome to the IBM Ideas Portal (https://www.ibm.com/ideas) - Use this site to find out additional information and details about the IBM Ideas process and statuses.

IBM Unified Ideas Portal (https://ideas.ibm.com) - Use this site to view all of your ideas, create new ideas for any IBM product, or search for ideas across all of IBM.

ideasibm@us.ibm.com - Use this email to suggest enhancements to the Ideas process or request help from IBM for submitting your Ideas.

Status Delivered
Workspace AIX
Created by Guest
Created on Feb 13, 2017

auditpr -v enhancement

Issue: When using the command auditpr –v, each event is output as two distinct lines. The first line contains the audit event, time, user, command, etc. The second line contains critical trail details about the event. This two line format prevents automated real-time log monitoring software applications like “Splunk” or “Snare” from processing and identifying multiple lines as a single audit event. This issue is further compounded when using centralized loghosts to receive and analyze auditpr output from hundreds of AIX lpars that are each sending two lines of text for each single audit events one line at a time. This issue could easily be solved by outputting a complete audit event and trail as a single line. However, auditpr currently provides no way to output auditstream audit events as a single line which includes the trail of each record of an event.
Example two line output from auditpr for one single FILE_Open event:
FILE_Open user1 OK Wed Feb 10 12:15:45 2016 sshd Global
flags: 67108864 mode: 0 fd: 5 filename /MTI/nmon.server.csv

In researching this issue, it was found that based on text in this developerworks article describing building a script to post-process audit data for a report:
http://www.ibm.com/developerworks/aix/library/au-audit_filter/
IBM was clearly aware that to create a meaningful audit event record, the first line and second line need to be joined as a single record.

However, due to the high volume of audit data being generated, processing the auditpr data with shell scripts in real time is not a viable option for our environment.

Design Change Request: Requesting that IBM enhance the auditpr command to include an option for auditpr to output a single audit event including the trail data as a single line of output. Additionally, provide the option to specify a delimiter character separating fields in the audit event.

Example of the above two line audit event as a single line using ‘|' as a delimiter:
FILE_Open |user1|OK|Wed Feb 10 12:15:45 2016|sshd|Global|flags: 67108864|mode: 0|fd: 5|filename /MTI/nmon.server.csv

Idea priority High
  • Guest
    Reply
    |
    May 30, 2018

    Tony, Can you please send me an email xqin@us.ibm.com
    I can direct you where to download the ifix for AIX71 TL4 SP5.

  • Guest
    Reply
    |
    May 30, 2018

    looking into providing ifix for AIX 71 TL4 SP5.

  • Guest
    Reply
    |
    May 23, 2018

    Good Day... The client US DoJ will be running on AIX 7.1 TL04 SP05 for another year, they NEED this RFE to applied to AIX 7.1 TL04 SP05 . They can not upgrade to AIX 7.1 TL05. The customer is upset and requesting update. Please assist!

  • Guest
    Reply
    |
    May 10, 2018

    Good Day. The customer is need the fix for AIX 7.1 TL4 SP5. They will be running at the oslevel for the next year. What is the APAR#? Can the fix be requested via AIX Support? This is becoming an mission critical issue for the customer. Thanks in advance.

  • Guest
    Reply
    |
    Apr 24, 2018

    The customer US DoJ will be running on AIX 7.1 TL04 SP05 for about another year - so they need this RFE applied to
    that level of the OS - and not to AIX 7.1 TL05. What is the APAR # and can it be backported to AIX 7.1 TL04 SP05.
    Thanks.

  • Guest
    Reply
    |
    Apr 16, 2018

    The U.S. DoJ customer has come back and indicated that they need this very same enhancement made to the AIX 7.1 TL04 level of the OS. Due to stringent upgrade considerations, they will not be able to upgrade to TL05 (where the enhancement has already been implemented) until very late in 2018 or early 2019 timeframe. Therefore, the customer is requesting that the "auditpr -v enhancement" RFE now also be implemented within the AIX 7.1 TL04 level of the OS. I can be contacted at 301-915-5194 (Jim Monroe - IBM Federal)

  • Guest
    Reply
    |
    Apr 5, 2018

    included in AIX 72 TL2 and AIX 71 TL5

  • Guest
    Reply
    |
    Apr 5, 2018

    This was scheduled to release in the Fall of 2017. Can we please get a status on this request?

  • Guest
    Reply
    |
    Mar 27, 2018

    Good Day... The customer is requesting update status. The ETA has passed with no update to the customer. Please provide next step.

  • Guest
    Reply
    |
    Feb 6, 2018

    AIX 2017 fall has come and gone and the enhancement has not been made available. Customer is asking for a new ETA.

  • Guest
    Reply
    |
    Jun 13, 2017

    The enhancement to print one audit event in single line with -v will be delivered in the AIX 2017 fall release.

  • Guest
    Reply
    |
    May 21, 2017

    Note that providing a delimiter character may misinterpret the audit log, since there is no restriction on the output of the audit trail . Therefore, only providing an option for auditpr to output a single audit event including the trail data as a single line of output will be considered.

  • Guest
    Reply
    |
    Apr 18, 2017

    This RFE's Headline was changed after submission to reflect the headline of an internal request we were already considering, but will now track here.

  • Guest
    Reply
    |
    Apr 18, 2017

    The change is being considered for 2017 release update