Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Enabling Solaris Audit log: Solaris 9
Operating Systems Solaris Enabling Solaris Audit log: Solaris 9 Post 302755987 by sumeet1806 on Tuesday 15th of January 2013 01:01:25 AM
Old 01-15-2013
Hi bartus11

Thanks for your reply.
Yes, that command is there to read the audit files, not what I wanted here.

For example: (Solaris 10)

In /etc/syslog.conf, I have made an entry for /var/adm/auditlog

********************************
<hostname>:/var/audit# cat /etc/syslog.conf| tail -1
audit.notice /var/adm/auditlog
*********************************

# cat /var/adm/auditlog | more
Jan 15 03:10:16 <hostname> audit: [ID 702911 audit.notice] execve(2) ok session 15478 by root as root:root from unknown obj /usr/bin/sbin/sh
Jan 15 03:10:16 <hostname> audit: [ID 702911 audit.notice] execve(2) ok session 15478 by root as root:root from unknown obj /usr/bin/cat
Jan 15 03:10:17 <hostname> audit: [ID 702911 audit.notice] ftp logout ok session 15643 by <system-user> as <system-user>:<system user group> from <IP of a remote system>
Jan 15 03:10:17 <hostname> audit: [ID 702911 audit.notice] ftp access ok session 15653 by <system-user> as <system-user>:<system user group> from <IP of a remote system>
Jan 15 03:10:17 <hostname> audit: [ID 702911 audit.notice] ftp logout ok session 15653 by <system-user> as <system-user>:<system user group> from <IP of a remote system>
Jan 15 03:10:17 <hostname> audit: [ID 702911 audit.notice] ftp access ok session 15655 by <system-user> as <system-user>:<system user group> from <IP of a remote system>
Jan 15 03:10:18 <hostname> audit: [ID 702911 audit.notice] ftp access ok session 15656 by <system-user> as <system-user>:<system user group> from <hostname>
Jan 15 03:10:18 <hostname> audit: [ID 702911 audit.notice] ftp logout ok session 15656 by <system-user> as <system-user>:<system user group> from <hostname>
Jan 15 03:10:18 <hostname> audit: [ID 702911 audit.notice] ftp logout ok session 15655 by <system-user> as <system-user>:<system user group> from <IP of a remote system>
Jan 15 03:10:18 <hostname> audit: [ID 702911 audit.notice] ftp access ok session 15658 by <system-user> as <system-user>:<system user group> from <IP of a remote system>
Jan 15 03:10:18 <hostname> audit: [ID 702911 audit.notice] ftp logout ok session 15658 by <system-user> as <system-user>:<system user group> from <IP of a remote system>

And since with Solaris 9 when I am making a similar entry in syslog.conf, its not working, What am I supposed to do to to get a file similar to the auditlog file as shown in the example above.

Thanks a lot for your reply in advance.

Regards
Sumeet
 

10 More Discussions You Might Find Interesting

1. Cybersecurity

Enabling C2 audit

hey guys, im going to enable C2 auditing on a sun box, i know how to do it, but im just wondering if there are any issues or problems that i may run into. this will be my first major change (since i have to reset the box) since i joined this company and i dont really wanna kill their servers, so... (2 Replies)
Discussion started by: roguekitton
2 Replies

2. Solaris

Solaris BSM audit log

I got a lot of this message in my /var/audit log how can I exclude this message? header,127,2,invalid event number,fe,hostsol1.com.sg,2007-12-21 00:10:01.001 +08:00,argument,1,0x5,processor ID,argument ,2,0x3,flag,text,P_STATUS,subject,zhang1,root,root,root,root,18228,576129155,291 131094... (1 Reply)
Discussion started by: geoffry
1 Replies

3. Solaris

audit in solaris

How do I know that audit is enabled in soalris. in AIX 'audit query' command gives me the info whether auditing is on or not. Raghav (1 Reply)
Discussion started by: raghavender_sri
1 Replies

4. Solaris

audit in solaris 10

can you please share what you use to audit what files are deleted, when files are deleted and who deleted them? thx (1 Reply)
Discussion started by: melanie_pfefer
1 Replies

5. Solaris

Audit in Solaris Servers.

Hi Friends I am a Solaries newbie and I am looking out for a software or command or config that can capture all commands run by all users on a server on a daily basis. I believe that this Audit is being done in almost all enterprises and would like to know how the same is done there. Any... (3 Replies)
Discussion started by: Hari_Ganesh
3 Replies

6. Solaris

Cron audit problem in Solaris 8

cron audit problem. job failed I’m getting problem with crontab in Solaris 8 Crontab stop and is not running for all the cron jobs under cat /var/cron/log > CMD: /var/sh/go.sh > root 24835 c Sun Sep 26 08:06:00 2010 < root 24835 c Sun Sep 26 08:06:00 2010 rc=1 ! cron audit problem.... (5 Replies)
Discussion started by: Mr.AIX
5 Replies

7. Solaris

Enabling TFTP in Solaris 10

Hi, I was trying to enable TFTP on my Solaris 10. I started with un-commenting the tftp line in /etc/inetd.conf and inetconv -i /etc/inetd.conf for tftp installation. I did reboot the server afterwards, but i still cannot find the /tftpboot directory. though the return of svcs -a | grep -i tftp... (0 Replies)
Discussion started by: A.Salama
0 Replies

8. Solaris

How to view audit logs in Solaris?

Does anyone know if there is software written to view the audit logs generated by Solaris? I am referring the the logs created by auditd. It produces an unreadable log. I am familiar with auditreduce and praudit, but I am looking for something that produces a report, much like logwatch looks at the... (4 Replies)
Discussion started by: brownwrap
4 Replies

9. Solaris

Enabling SFTP log on Solaris

Hi Guys, Hope you can shed the light to this issue. I have enabled SFTP logging on Linux this way and it works: But trying this on Solaris it wont work, the ssh goes to maintenance in when checking with svcs. The logs said a syntax error it doesn't recognize "-l" (3 Replies)
Discussion started by: batas
3 Replies

10. Solaris

Audit not working on Solaris 10

hi, I enabled bsm modules (/etc/security/bsmconv) and rebooted Solaris 10. But service is going into maintenance state. I rebooted server and I see one error saying "sys/c2audit:audit_kssl() not defined properly". I am not sure, what it is indicating and how it should be fixed. Please suggest, how... (5 Replies)
Discussion started by: solaris_1977
5 Replies

LEARN ABOUT CENTOS

augenrules

AUGENRULES:(8)						  System Administration Utilities					    AUGENRULES:(8)

NAME

       augenrules - a script that merges component audit rule files

SYNOPSIS

       augenrules [--check] [--load]

DESCRIPTION

       augenrules  is  a  script  that merges all component audit rules files, found in the audit rules directory, /etc/audit/rules.d, placing the
       merged file in /etc/audit/audit.rules. Component audit rule files, must end in .rules  in  order  to  be  processed.  All  other  files	in
       /etc/audit/rules.d are ignored.

       The files are concatenated in order, based on their natural sort (see -v option of ls(1)) and stripped of empty and comment (#) lines.

       The  last  processed  -D  directive without an option, if present, is always emitted as the first line in the resultant file. Those with an
       option are replicated in place.	The last processed -b directive, if present, is always emitted as the second line in the  resultant  file.
       The  last  processed -f directive, if present, is always emitted as the third line in the resultant file.  The last processed -e directive,
       if present, is always emitted as the last line in the resultant file.

       The generated file is only copied to /etc/audit/rules.d, if it differs.

OPTIONS

       --check
	      test if rules have changed and need updating without overwriting audit.rules.

       --load load old or newly built rules into the kernel.

FILES

       /etc/audit/rules.d/ /etc/audit/audit.rules

SEE ALSO

       audit.rules(8), auditctl(8), auditd(8).

Red Hat 							     Apr 2013							    AUGENRULES:(8)
All times are GMT -4. The time now is 08:46 PM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy