
Is there an Audit app for Solaris 8, 9, 10 and 11?

bkogami
Explorer

Hi,

We have different versions of Solaris (8, 9, 10 and 11) and we would like to take the BSM audits and ingest them into Splunk. I know there's an old version of the solaris-bsm-audit-log-loader_14 which was written in 2011 for Splunk version 4. We tried it and it doesn't work.

Does anyone have a script that will ingest these audit logs into Splunk?

Thanks,
Bruce


murhammr
Path Finder

Solaris does not guarantee that audit events sent to syslog will be complete (see https://docs.oracle.com/cd/E23824_01/html/821-1456/auditov-6.html#auditov-21, Table 26-1). The old BSM app can work with some mods but can still be problematic.

Grab these .py files from a full Splunk install on Linux ($SPLUNK_HOME/lib/python2.7/site-packages/splunk), then:

mkdir $BSMAPP/bin/splunk
cp __init__.py $BSMAPP/bin/splunk
cp Intersplunk.py $BSMAPP/bin/splunk

Comment out this line in $BSMAPP/bin/bsmping.py:

#import splunk.clilib.cli_common as comm

...but what the BSM app does is run some version of this:

find ${AUDIT_LOGS_DIR} -type f | xargs /usr/sbin/auditreduce -a $STARTDATE -b $ENDDATE | /usr/sbin/praudit -x

So you can write a scripted input to do a version of this with some logic around dates.
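One way to wrap that find | auditreduce | praudit -x pipeline in a scripted input with the date logic murhammr describes. This is an added example, not code from the BSM app or from the poster; it assumes the audit trail lives in /var/audit, that a checkpoint file under $SPLUNK_HOME/var/run tracks the end of the last window, and that the script is invoked with a "run" argument from inputs.conf.

```shell
#!/bin/sh
# Constructed scripted-input wrapper for Solaris BSM audit collection (assumptions:
# trail in /var/audit, checkpoint under $SPLUNK_HOME/var/run, invoked with "run").
AUDIT_LOGS_DIR=${AUDIT_LOGS_DIR:-/var/audit}
STATE_FILE=${STATE_FILE:-${SPLUNK_HOME:-/opt/splunk}/var/run/bsm_checkpoint}

# auditreduce -a/-b take timestamps as yyyymmdd[hh[mm[ss]]]; emit "now" in that form.
now_stamp() { date +%Y%m%d%H%M%S; }

# Start of the next window: the checkpoint written by the previous run, or (assumed
# default) midnight of the current day when no checkpoint exists yet.
window_start() {
  state=$1; now=$2
  start=
  [ -r "$state" ] && read -r start < "$state"
  [ -n "$start" ] || start="${now%??????}000000"
  printf '%s\n' "$start"
}

# Render the same pipeline the BSM app runs, so it can be logged or inspected.
# -a selects records on/after START, -b records before END, so windows do not overlap.
build_pipeline() {
  printf 'find %s -type f | xargs /usr/sbin/auditreduce -a %s -b %s | /usr/sbin/praudit -x\n' \
    "$1" "$2" "$3"
}

# Collect one window and advance the checkpoint. The pipeline's status is praudit's,
# so a failing auditreduce is only visible through its own stderr in splunkd.log.
run_collection() {
  end=$(now_stamp)
  start=$(window_start "$STATE_FILE" "$end")
  find "$AUDIT_LOGS_DIR" -type f \
    | xargs /usr/sbin/auditreduce -a "$start" -b "$end" \
    | /usr/sbin/praudit -x \
    && printf '%s\n' "$end" > "$STATE_FILE"
}

# Only act when explicitly asked to, e.g. [script://./bin/bsm_collect.sh run] in inputs.conf.
case "${1:-}" in run) run_collection ;; esac
```

Pair it with an inputs.conf stanza whose interval matches how often you want a window closed, and set the sourcetype so Splunk line-breaks praudit's XML on record boundaries.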

danrand
Explorer

There is a facility for Solaris that will allow you to merge BSM logs into syslog, and you can then get them into Splunk. I know this works in 10 and 11, not sure about 9; pretty sure it does not work in 8. However, BSM in Sol8 does have the capability to export the BSM logs to text, so that might help.
