Collect IBM Informix logs

Supported in:

Google secops SIEM

This document explains how to ingest IBM Informix logs into Google Security Operations using the Bindplane agent.

IBM Informix is a high-performance relational database management system that provides comprehensive audit logging capabilities through its secure-auditing facility. The Audit to Syslog (ASL) functionality allows audit records to be sent to the syslog daemon for centralized log collection and SIEM integration.

Before you begin

Make sure you have the following prerequisites:

A Google SecOps instance
Windows Server 2016 or later, or a Linux host with systemd
Network connectivity between the Bindplane agent and IBM Informix server
If running behind a proxy, ensure firewall ports are open per the Bindplane agent requirements
Administrative access to the IBM Informix server with AAO (Audit Administrator Officer) role
IBM Informix 12.10 or later (ASL functionality was introduced in version 12.10)
Audit masks configured for the users or events you want to monitor

Get Google SecOps ingestion authentication file

Sign in to the Google SecOps console.
Go to SIEM Settings > Collection Agents.
Download the Ingestion Authentication File. Save the file securely on the system where Bindplane will be installed.

Note: This JSON file contains credentials for authenticating the Bindplane agent to Google SecOps.

Get Google SecOps customer ID

Sign in to the Google SecOps console.
Go to SIEM Settings > Profile.
Copy and save the Customer IDfrom the Organization Detailssection.

Note: The customer ID is required for configuring the Bindplane agent exporter.

Install the Bindplane agent

Install the Bindplane agent on your Windows or Linux operating system according to the following instructions.

Windows installation

Open Command Promptor PowerShellas an administrator.

Run the following command:

  msiexec 
  
 / 
 i 
  
 "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" 
  
 / 
 quiet

Wait for the installation to complete.
Verify the installation by running:
```
 sc query observiq-otel-collector 
```
The service should show as RUNNING.

Linux installation

Open a terminal with root or sudo privileges.

Run the following command:

 sudo  
sh  
-c  
 " 
 $( 
curl  
-fsSlL  
https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh ) 
 " 
  
install_unix.sh

Wait for the installation to complete.
Verify the installation by running:
```
 sudo  
systemctl  
status  
observiq-otel-collector 
```
The service should show as active (running).

Additional installation resources

For additional installation options and troubleshooting, see Bindplane agent installation guide .

Configure Bindplane agent to ingest syslog and send to Google SecOps

Locate the configuration file

Linux:

 sudo  
nano  
/etc/bindplane-agent/config.yaml

Windows:

 notepad "C:\Program Files\observIQ OpenTelemetry Collector\config.yaml"

Edit the configuration file

Replace the entire contents of config.yaml with the following configuration:

  receivers 
 : 
  
 udplog 
 : 
  
 listen_address 
 : 
  
 "0.0.0.0:514" 
 exporters 
 : 
  
 chronicle/informix 
 : 
  
 compression 
 : 
  
 gzip 
  
 creds_file_path 
 : 
  
 '/etc/bindplane-agent/ingestion-auth.json' 
  
 customer_id 
 : 
  
 'YOUR_CUSTOMER_ID' 
  
 endpoint 
 : 
  
 malachiteingestion-pa.googleapis.com 
  
 log_type 
 : 
  
 INFORMIX 
  
 raw_log_field 
 : 
  
 body 
  
 ingestion_labels 
 : 
  
 env 
 : 
  
 production 
  
 source 
 : 
  
 informix_audit 
 service 
 : 
  
 pipelines 
 : 
  
 logs/informix_to_chronicle 
 : 
  
 receivers 
 : 
  
 - 
  
 udplog 
  
 exporters 
 : 
  
 - 
  
 chronicle/informix

Replace the following placeholders:
- Receiver configuration:
  - listen_address : IP address and port to listen on:
    - 0.0.0.0:514 to listen on all interfaces on port 514 (standard syslog port)
    - Use port 1514 or higher if running as non-root user on Linux
    - Adjust port number to match your Informix syslog configuration
- Exporter configuration:
  - creds_file_path : Full path to the ingestion authentication file. Make sure that you save the downloaded Ingestion Authentication Fileas ingestion-auth.json in one of the following locations:
    - Linux: /etc/bindplane-agent/ingestion-auth.json
    - Windows: C:\Program Files\observIQ OpenTelemetry Collector\ingestion-auth.json
  - customer_id : Replace YOUR_CUSTOMER_ID with the customer ID from the previous step
  - endpoint : Regional endpoint URL:
    - US: malachiteingestion-pa.googleapis.com
    - Europe: europe-malachiteingestion-pa.googleapis.com
    - Asia: asia-southeast1-malachiteingestion-pa.googleapis.com
    - See Regional Endpoints for complete list
  - log_type : Set to INFORMIX
  - ingestion_labels : Optional labels to categorize logs (customize as needed)

Example configuration for TCP syslog

If you prefer TCP for reliable delivery, use this configuration instead:

  receivers 
 : 
  
 tcplog 
 : 
  
 listen_address 
 : 
  
 "0.0.0.0:514" 
 exporters 
 : 
  
 chronicle/informix 
 : 
  
 compression 
 : 
  
 gzip 
  
 creds_file_path 
 : 
  
 '/etc/bindplane-agent/ingestion-auth.json' 
  
 customer_id 
 : 
  
 'YOUR_CUSTOMER_ID' 
  
 endpoint 
 : 
  
 malachiteingestion-pa.googleapis.com 
  
 log_type 
 : 
  
 INFORMIX 
  
 raw_log_field 
 : 
  
 body 
 service 
 : 
  
 pipelines 
 : 
  
 logs/informix_to_chronicle 
 : 
  
 receivers 
 : 
  
 - 
  
 tcplog 
  
 exporters 
 : 
  
 - 
  
 chronicle/informix

Save the configuration file

After editing, save the file:

Linux: Press Ctrl+O , then Enter , then Ctrl+X
Windows: Click File > Save

Restart the Bindplane agent to apply the changes

To restart the Bindplane agent in Linux:

Run the following command:

 sudo  
systemctl  
restart  
observiq-otel-collector

Verify the service is running:

 sudo  
systemctl  
status  
observiq-otel-collector

Check logs for errors:

 sudo  
journalctl  
-u  
observiq-otel-collector  
-f

To restart the Bindplane agent in Windows:
1. Choose one of the following options:
  - Command Prompt or PowerShell as administrator:
```
 net stop observiq-otel-collector && net start observiq-otel-collector 
```
  - Services console:
    1. Press Win+R , type services.msc , and press Enter.
    2. Locate observIQ OpenTelemetry Collector.
    3. Right-click and select Restart.
2. Verify the service is running:
```
 sc query observiq-otel-collector 
```
3. Check logs for errors:
```
  type 
  
 "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log" 
 
```

Configure IBM Informix syslog forwarding

Create audit masks

Before enabling auditing, you must create audit masks to define which events to audit for which users.

Connect to the IBM Informix server as a user with AAO role.
Create a default audit mask for all users to audit common database events:
```
 onaudit  
-a  
-u  
_default  
-e  
+OPDB,GRDB,CRTB,ALTB,DRTB 
```
This command creates the _default mask and audits the following events:
- OPDB: Open Database
- GRDB: Grant Database Access
- CRTB: Create Table
- ALTB: Alter Table
- DRTB: Drop Table
To enable row-level auditing for data modifications, create a mask with row-level events:
```
 onaudit  
-a  
-u  
_require  
-e  
+DLRW,INRW,UPRW,RDRW 
```
This command creates the _require mask and audits:
- DLRW: Delete Row
- INRW: Insert Row
- UPRW: Update Row
- RDRW: Read Row
Note: Row-level auditing events (DLRW, INRW, UPRW, RDRW) are only audited on tables that have the AUDIT flag set. Enable row-level auditing with onaudit -R 1 after creating the masks.

To create a mask for a specific user, replace _default with the username:

 onaudit  
-a  
-u  
username  
-e  
+OPDB,GRDB,CRTB,ALTB,DRTB,DLRW,INRW,UPRW

Verify the audit masks were created:
```
 onaudit  
-o 
```

Enable Audit to Syslog (ASL)

Enable ASL auditing and configure syslog parameters:
```
 onaudit  
-E  
on  
-F  
LOG_LOCAL0  
-I  
informix_audit  
-P  
LOG_INFO 
```
This command:
- -E on : Enables Audit to Syslog functionality
- -F LOG_LOCAL0 : Sets syslog facility to LOG_LOCAL0 (recommended for filtering)
- -I informix_audit : Sets syslog identifier to informix_audit (appears in syslog messages)
- -P LOG_INFO : Sets syslog priority to LOG_INFO
Note: Available facilities are LOG_USER (default), LOG_LOCAL0 through LOG_LOCAL7, LOG_AUTH, or LOG_AUTHPRIV. LOG_LOCAL0 through LOG_LOCAL7 are recommended for custom applications.
Enable mandatory auditing for database administrators:
```
 onaudit  
-A  
on  
-S  
on 
```
This command:
- -A on : Enables mandatory auditing for DBSA (Database Server Administrator) group
- -S on : Enables mandatory auditing for DBSSO (Database Security Officer) group
If you want to enable row-level auditing for tables with the AUDIT flag:
```
 onaudit  
-R  
 1 
 
```
This sets the ADTROWS parameter to 1, enabling selective row-level auditing.
Verify the audit configuration:
```
 onaudit  
-c 
```
The output should show:
- ADT_SYSLOG_ENABLED = 1
- ADT_SYSLOG_FACILITY = LOG_LOCAL0
- ADT_SYSLOG_IDENTIFIER = informix_audit
- ADT_SYSLOG_PRIORITY = LOG_INFO
- ADT_DBSA = 1 (if enabled)
- ADT_DBSSO = 1 (if enabled)

Configure syslog daemon to forward to Bindplane agent

The Informix ASL functionality sends audit records to the local syslog daemon. You must configure the syslog daemon to forward these messages to the Bindplane agent.

For rsyslog (most common on Linux):

Create a new rsyslog configuration file:

 sudo  
nano  
/etc/rsyslog.d/30-informix-audit.conf

Add the following configuration to forward Informix audit logs:
```
 # Forward Informix audit logs to Bindplane agent
local0.* @127.0.0.1:514 
```
If you configured a different facility in the onaudit -F command, replace local0 with your facility (for example, local1 , local2 , etc.).

If the Bindplane agent is on a different server, replace 127.0.0.1 with the Bindplane agent's IP address.

For TCP forwarding (more reliable), use @@ instead of @ :
```
 local0.* @@127.0.0.1:514 
```
Save the file and restart rsyslog:
```
 sudo  
systemctl  
restart  
rsyslog 
```
Verify rsyslog is running:
```
 sudo  
systemctl  
status  
rsyslog 
```

For syslog-ng:

Edit the syslog-ng configuration file:

 sudo  
nano  
/etc/syslog-ng/syslog-ng.conf

Add the following configuration:

 # Define destination for Bindplane agent
destination d_bindplane {
    udp("127.0.0.1" port(514));
};

# Filter for Informix audit logs
filter f_informix {
    facility(local0);
};

# Log path to forward Informix logs
log {
    source(s_src);
    filter(f_informix);
    destination(d_bindplane);
};

Save the file and restart syslog-ng:

 sudo  
systemctl  
restart  
syslog-ng

Test the configuration

Generate a test audit event by connecting to a database:
```
 dbaccess  
stores_demo 
```
Then exit the database.

Check the Bindplane agent logs to verify audit records are being received:

Linux:

 sudo  
journalctl  
-u  
observiq-otel-collector  
-f  
 | 
  
grep  
informix

Windows:

  type 
  
 "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log" 
  
 | 
  
 findstr 
  
 informix

You can also use the onshowaudit utility to view audit records from the syslog files:
```
 onshowaudit  
-f  
/var/log/syslog  
-u  
your_username 
```
Note: The syslog daemon adds timestamp and hostname information before the Informix audit record. The Informix record begins with the server status (for example, ONLN| ) followed by pipe-delimited fields.

Audit log format

Informix audit logs sent via syslog have the following format:
```
 Jan 12 11:59:21 hostname informix_audit: ONLN|2021-01-12 18:59:21.512|hostname|31055|servername|username|0:OPDB:stores_demo:0:- 
```
The format includes:
- Syslog timestamp and hostname (added by syslog daemon)
- Syslog identifier (configured with -I option)
- Server status (ONLN = online)
- Informix timestamp
- Hostname
- Process ID
- Server name
- Username
- Event code and details (pipe-delimited)

Additional configuration options

To set syslog options:
```
 onaudit  
-O  
LOG_NDELAY,LOG_PID 
```
Available options:
- LOG_NDELAY : Open connection immediately (default)
- LOG_ODELAY : Delay opening connection (mutually exclusive with LOG_NDELAY)
- LOG_PID : Include process ID in messages
- LOG_CONS : Write to console if syslog unavailable
- LOG_PERROR : Write to stderr as well as syslog
To change the audit file path (for classic auditing):
```
 onaudit  
-p  
/path/to/audit/directory 
```
To set maximum audit file size:
```
 onaudit  
-s  
 50000000 
 
```
This sets the maximum size to 50 MB (value in bytes).
To start a new audit file manually:
```
 onaudit  
-n 
```
To set error handling mode:
```
 onaudit  
-e  
 1 
 
```

Error modes:

0 : Continue processing and log error (default)
1 : Suspend thread until audit record can be written
3 : Shut down the server

UDM mapping table

Log Field	UDM Mapping	Logic
id, dequeue_count, RequestId	about.labels	Merged with labels for 'Message Id', 'Dequeue Count', 'Request Id'
timestamp	metadata.event_timestamp	Converted using format: yyyy-MM-dd HH:mm:ss.SSS
type	metadata.event_type	Set to 'GENERIC_EVENT' if type == 'ERROR', else 'SYSTEM_AUDIT_LOG_UNCATEGORIZED'
serverName	principal.asset.asset_id	Concatenated from "PRODUCT_SPECIFIC_ID: " and serverName if type != 'ERROR'
hostName	principal.hostname	Value copied directly if type != 'ERROR'
processId	principal.process.pid	Value copied directly if type != 'ERROR'
eventOutput, eventName	principal.resource.attribute.labels	Merged with labels for 'Event Output', 'Event Name'
dbName	principal.resource.name	Value copied directly if data != ""
	principal.resource.type	Set to "DATABASE" if data != ""
userName	principal.user.userid	Value copied directly if type != 'ERROR'
errorCode, type	security_result.action	Set to 'BLOCK' if type == 'ERROR', else 'ALLOW' if errorCode == '0', else 'BLOCK'
Exception	security_result.description	Value copied directly if kv_data_1 != ""
ErrorCode	security_result.rule_name	Value copied directly if kv_data_1 != ""
description	security_result.summary	Value copied directly if description != ""
blob_name, file_name	target.file.full_path	Value from blob_name if type == 'ERROR', else file_name
	metadata.product_name	Set to "INFORMIX"
	metadata.vendor_name	Set to "IBM"

Need more help? Get answers from Community members and Google SecOps professionals.