Solaris BSM Audit log loader: How to configure a forwarder to read /var/audit/* BSM logs on OSX?

jonncallahan
Engager

Hey all.

I've got Forwarder set up on our OSX fleet with a modified BSM parsing app (link below) to parse and forward the logs in /var/audit. The problem is that BSM logs are created with root:wheel ownership. While chowning the dir works fine for all current logs, once the logs are rotated, the new file is again owned by root:wheel. Due to this, Forwarder is unable to open them. So this leaves me with a few options:

  1. Run Forwarder as a separate, privileged user in the wheel group.
  2. Add the users to the wheel group (cringe).
  3. Set a config somewhere to force all new /var/audit logs to be created with different perms.

Option 3 would be the best, but I'm unable to find anything via my google-fu on how to do this with OpenBSM. Option 2 is a no-go for obvious reasons, which leaves me with option 1 as far as I can tell. Is this really the best route to go, or am I missing another (and better) approach for deploying Forwarder?

BSM log parsing Splunk app:

https://splunkbase.splunk.com/app/847/


MuS
Legend

Hi jonncallahan,

This is not really a Splunk problem, since Splunk is just another process running on your OSX.
I suggest starting to read here http://www.techrepublic.com/blog/apple-in-the-enterprise/introduction-to-os-x-access-control-lists-a... followed by https://derflounder.wordpress.com/2012/01/30/openbsm-auditing-on-mac-os-x/ and maybe this one https://www.scip.ch/en/?labs.20150108

If this still does not do the job, create a root cronjob that copies the needed file into a Splunk readable location and index the files from there.

Hope this helps ...

cheers, MuS
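As an added example (not code from the thread or from the Splunkbase app), here is the shape the root cron job in MuS's fallback suggestion can take: a script run by root from cron that mirrors completed OpenBSM trails out of /var/audit into a staging directory the forwarder account can read. The staging path /var/log/audit-staging and the forwarder group name are assumptions; the script takes them as arguments. It copies only trails that are already terminated (OpenBSM names the one still being written `*.not_terminated`, with a `current` symlink pointing at it) and copies each file to a temporary name before renaming it, so the forwarder never sees a half-written trail.

```bash
#!/bin/sh
# Added example, not from the original thread. Mirror terminated OpenBSM audit
# trails into a directory readable by the forwarder's (non-root) account.
#
# Usage (as root, e.g. from root's crontab every few minutes):
#   sync_audit.sh /var/audit /var/log/audit-staging splunk
# Paths and the group name "splunk" are assumptions for this example.

# sync_audit_logs SRC_DIR DST_DIR [GROUP]
# Prints the number of trails copied on this run.
sync_audit_logs() {
    src="$1"
    dst="$2"
    group="$3"
    copied=0

    # Staging dir: owner (root) rwx, group r-x, nothing for others.
    mkdir -p "$dst"
    chmod 750 "$dst"
    if [ -n "$group" ]; then
        chgrp "$group" "$dst"
    fi

    for f in "$src"/*; do
        # Skip the 'current' symlink and anything that is not a regular file.
        [ -L "$f" ] && continue
        [ -f "$f" ] || continue

        base=$(basename "$f")
        # Skip the trail auditd is still writing; it is picked up once rotated.
        case "$base" in
            *.not_terminated) continue ;;
        esac

        # Copy only trails we have not staged yet, or whose source is newer.
        if [ ! -f "$dst/$base" ] || [ "$f" -nt "$dst/$base" ]; then
            # Copy to a temp name, then rename atomically so readers never
            # observe a partially written file.
            cp -p "$f" "$dst/.$base.tmp"
            chmod 640 "$dst/.$base.tmp"
            if [ -n "$group" ]; then
                chgrp "$group" "$dst/.$base.tmp"
            fi
            mv "$dst/.$base.tmp" "$dst/$base"
            copied=$((copied + 1))
        fi
    done

    echo "$copied"
}

# Run directly: require source and destination directories.
if [ "$#" -ge 2 ]; then
    sync_audit_logs "$@"
fi
```

The forwarder's monitor input then points at the staging directory instead of /var/audit, and the staged trails stay in BSM format, so the parsing app in the question still applies. Copying only terminated trails means the staging copy lags by one rotation interval, which is the trade-off for never handing the forwarder a file that auditd is still appending to; a short `auditd` rotation interval keeps that lag small. The ACL links in the reply point at the other route (an inherited ACE on /var/audit granting the forwarder group read, set with `chmod +a` and `file_inherit`); whether trails created by auditd honour it is worth confirming on a test host before relying on it.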

jonncallahan
Engager

You're correct: it's not technically a Splunk problem. Figured I'd ask here, though, as I can't imagine this problem hasn't already been solved by others who have to deal with OSX fleets. Regardless, I appreciate the links and a fourth option to consider.
