Hi,
We have different versions of Solaris (8, 9, 10 and 11) and we would like to take the BSM audits and ingest them into Splunk. I know there's an old version of the solaris-bsm-audit-log-loader_14 which was written in 2011 for Splunk v4. We tried it and it doesn't work.
Does anyone have a script that will ingest these audit logs into Splunk?
Thanks,
Bruce
Solaris does not guarantee that audit events sent to syslog will be complete (see https://docs.oracle.com/cd/E23824_01/html/821-1456/auditov-6.html#auditov-21, Table 26-1). The old BSM app can work with some mods but can still be problematic.
Grab these .py files from a full Splunk install on Linux ($SPLUNK_HOME/lib/python2.7/site-packages/splunk), then:
mkdir $BSMAPP/bin/splunk
cp __init__.py $BSMAPP/bin/splunk
cp Intersplunk.py $BSMAPP/bin/splunk
Comment out this line in $BSMAPP/bin/bsmping.py:
#import splunk.clilib.cli_common as comm
...but what the BSM app does is run some version of this:
find ${AUDIT_LOGS_DIR} -type f | xargs /usr/sbin/auditreduce -a $STARTDATE -b $ENDDATE | /usr/sbin/praudit -x
So you can write a scripted input to do a version of this with some logic around dates.
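As an added example (not the BSM app's code and not from this thread), here is a scripted input that runs the same auditreduce | praudit -x pipeline, with the date logic handled by a checkpoint file that carries the window start from one run to the next. The default paths, the checkpoint location and the `run` argument are assumptions.

```shell
#!/bin/sh
# Added example, not code from the BSM app or the thread: a Splunk scripted
# input that runs auditreduce | praudit -x over a time window carried between
# invocations in a checkpoint file. Paths below are assumed; auditreduce
# -a/-b take timestamps of the form yyyymmddHHMMSS (check auditreduce(1M)
# on the target release for whether they are read as local time or GMT).
# On Solaris 8-10 /bin/sh is the legacy Bourne shell; run this with
# /usr/xpg4/bin/sh or ksh, which understand $(...) and ${#var}.

AUDIT_LOGS_DIR="${AUDIT_LOGS_DIR:-/var/audit}"              # assumed default
CHECKPOINT="${CHECKPOINT:-/var/tmp/bsm_splunk.checkpoint}"  # hypothetical path
AUDITREDUCE="${AUDITREDUCE:-/usr/sbin/auditreduce}"
PRAUDIT="${PRAUDIT:-/usr/sbin/praudit}"

# Current time in the form auditreduce expects.
now_stamp() { date +%Y%m%d%H%M%S; }

# Window start: the stamp saved by the previous run, else the caller's default.
# Only an exact 14-digit value is trusted, so a corrupt or tampered checkpoint
# cannot smuggle an option or a file name into the auditreduce command line.
window_start() {
    start=""
    [ -r "$1" ] && start=$(head -n 1 "$1" | tr -d '[:space:]')
    case "$start" in
        *[!0-9]*|"") start=$2 ;;
    esac
    [ "${#start}" -eq 14 ] || start=$2
    printf '%s\n' "$start"
}

# Emit every record in [start, end) as praudit XML on stdout, which Splunk
# reads. find rather than a glob, so nested directories are covered exactly
# as the BSM app's own pipeline does.
collect() {
    find "$AUDIT_LOGS_DIR" -type f |
        xargs "$AUDITREDUCE" -a "$1" -b "$2" | "$PRAUDIT" -x
}

# One run: fix the window end before collecting, so records written while the
# pipeline runs are picked up next time, and advance the checkpoint only if
# the pipeline succeeded (its status is praudit's, not auditreduce's).
main() {
    end=$(now_stamp)
    start=$(window_start "$CHECKPOINT" "${1:-19700101000000}")
    collect "$start" "$end" && printf '%s\n' "$end" > "$CHECKPOINT"
}

# Invoked by Splunk as "bsm_collect.sh run [first-run-start]" (assumed
# convention); the guard keeps the functions loadable without collecting.
if [ "${1:-}" = run ]; then main "${2:-}"; fi
```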
There is a facility for Solaris that will allow you to merge BSM logs into syslog, and you can then get them into Splunk. I know this works in 10 and 11; not sure about 9; pretty sure it does not work in 8. However, BSM in Sol8 does have the capability to export the BSM logs to text, so that might help.