Is there an Audit app for Solaris 8, 9, 10 and 11?

bkogami · ‎09-13-2015

Hi,

We have different version of Solaris (8, 9, 10 and 11) and we would like to take the BSM audits and ingest them into Splunk. I know there's an old version of the solaris-bsm-audit-log-loader_14 which was written in 2011 for Splunk ver4. We tried it and it doesn't work.

Does anyone have a script that will ingest these audit logs into Splunk?

Thanks,
Bruce

murhammr · ‎07-28-2017

solaris does not guarantee that audit events sent to syslog will be complete. (See https://docs.oracle.com/cd/E23824_01/html/821-1456/auditov-6.html#auditov-21 Table 26-1) the old bsm app can work with some mods but can still be problematic.

grab these py files from a full splunk install on Linux $SPLUNK_HOME/lib/python2.7/site-packages/splunk then

mkdir $BSMAPP/bin/splunk
cp __init__.py $BSMAPP/bin/splunk
cp Intersplunk.py $BSMAPP/bin/splunk

comment out this line in $BSMAPP/bin/bsmping.py

#import splunk.clilib.cli_common as comm

...but what the bsm app does is run some version of this

find ${AUDIT_LOGS_DIR} -type f | xargs /usr/sbin/auditreduce -a $STARTDATE -b $ENDDATE | /usr/sbin/praudit -x

so you can write a scripted input to do a version of this with some logic around dates.

danrand · ‎09-13-2015

There is a facility for Solaris that will allow you to merge BSM logs into syslog and you can then get them into Splunk. I know this works in 10 and 11, not sure about 9; pretty sure it does not work in 8. However BSM in Sol8 does have the capability to export the BSM logs to text so that might help.

Is there an Audit app for Solaris 8, 9, 10 and 11?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life