
Is there an Audit app for Solaris 8, 9, 10 and 11?

Explorer

Hi,

We have different versions of Solaris (8, 9, 10 and 11) and we would like to take the BSM audit logs and ingest them into Splunk. I know there is an old version of solaris-bsm-audit-log-loader_14, which was written in 2011 for Splunk version 4. We tried it and it doesn't work.

Does anyone have a script that will ingest these audit logs into Splunk?

Thanks,
Bruce


Path Finder

Solaris does not guarantee that audit events sent to syslog will be complete (see https://docs.oracle.com/cd/E23824_01/html/821-1456/auditov-6.html#auditov-21, Table 26-1). The old BSM app can work with some mods but can still be problematic.

Grab these .py files from a full Splunk install on Linux ($SPLUNK_HOME/lib/python2.7/site-packages/splunk), then:

mkdir $BSMAPP/bin/splunk
cp __init__.py $BSMAPP/bin/splunk
cp Intersplunk.py $BSMAPP/bin/splunk

Comment out this line in $BSMAPP/bin/bsmping.py:

#import splunk.clilib.cli_common as comm

...but what the BSM app does is run some version of this:

find ${AUDIT_LOGS_DIR} -type f | xargs /usr/sbin/auditreduce -a $STARTDATE -b $ENDDATE | /usr/sbin/praudit -x

So you can write a scripted input to do a version of this with some logic around dates.

0 Karma
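One way to turn the auditreduce | praudit pipeline above into a Splunk scripted input with a rolling time window. This is an added example, not code from the post or from the bsm app; the paths, the state file, the "run" argument convention and the window logic are all assumptions, and it is written for ksh (/bin/ksh on Solaris) or any POSIX shell, not the legacy Bourne /bin/sh.

```shell
#!/bin/ksh
# Added example (not from the original post or the bsm app): a Splunk scripted
# input that runs auditreduce | praudit -x over the window since the last run.
# Paths and the state file are assumptions; override them from the environment.
set -u

AUDIT_LOGS_DIR="${AUDIT_LOGS_DIR:-/var/audit}"         # assumed audit trail dir
STATE_FILE="${STATE_FILE:-/var/tmp/bsm_splunk.state}"   # end stamp of the last run
AUDITREDUCE="${AUDITREDUCE:-/usr/sbin/auditreduce}"
PRAUDIT="${PRAUDIT:-/usr/sbin/praudit}"

# auditreduce -a/-b take timestamps as yyyymmdd[hh[mm[ss]]].
now_stamp() { date -u +%Y%m%d%H%M%S; }

# A stamp is 8 to 14 digits; anything else is rejected so a corrupt or
# tampered state file can never become an argument to auditreduce.
valid_stamp() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ ${#1} -ge 8 ] && [ ${#1} -le 14 ]
}

# Start of the next window: the stamp saved by the previous run, or the
# start of the current UTC day when there is no usable state yet.
start_stamp() {
  last=""
  [ -r "$1" ] && last=$(cat "$1")
  if valid_stamp "$last"; then
    printf '%s\n' "$last"
  else
    date -u +%Y%m%d000000
  fi
}

# Build the pipeline for one window as a string, so it can be inspected (and
# unit-tested) on a box without the Solaris tools. The live trail file
# (*.not_terminated.*) is skipped because it is still being written; run
# "audit -n" first if the newest records must be included in this pass.
build_cmd() {
  printf "find %s -type f ! -name '*.not_terminated.*' | xargs %s -a %s -b %s | %s -x" \
    "$AUDIT_LOGS_DIR" "$AUDITREDUCE" "$1" "$2" "$PRAUDIT"
}

# One scripted-input invocation: emit the records for the window on stdout
# (Splunk reads them) and advance the state only if the pipeline succeeded,
# so a failed pass is retried rather than silently skipped.
run_window() {
  start=$(start_stamp "$STATE_FILE")
  end=$(now_stamp)
  sh -c "$(build_cmd "$start" "$end")" && printf '%s\n' "$end" > "$STATE_FILE"
}

# inputs.conf points at "bsm_audit.sh run"; without the argument the file can
# be sourced for testing without starting the pipeline.
if [ "${1:-}" = run ]; then
  run_window
fi
```

The state file is the only thing that makes the window logic safe across runs: if it is lost, the script falls back to the current day and you get duplicates in Splunk rather than a gap, which is the better failure for an audit trail. If praudit on an older release does not accept -x, -l (one record per line) is the fallback, and the field extractions in Splunk change accordingly.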

Explorer

There is a facility for Solaris that will allow you to merge BSM logs into syslog, and you can then get them into Splunk. I know this works in 10 and 11, not sure about 9; pretty sure it does not work in 8. However, BSM in Sol8 does have the capability to export the BSM logs to text, so that might help.

0 Karma