Dear All,

I have one of my Servers, running Solaris 9. I wanna enable the Audit log enabling, the way I did in Solaris 10 Servers.

After running, the bsmconv script, giving the reboots, modifying all the audit files in /etc/security, the audit is enabled, but the audit file which shall be updating in human readable format, its missing.

The /var/adm/messages show the following error.

syslogd: line 47: unknown facility name "audit"

Now, this must be because of the following entry in syslog.conf which is not supported by Solaris 9.
audit.notice /var/adm/auditlog

Please tell me, what do I need to do on my Solaris 9 box, which will show me the audit logs in readable format, because enabling audit logs but not being able to read them, makes no sense to anyone.

Thanks for your help!

Regards
Sumeet

Use praudit on /var/audit/* files.

Hi bartus11

Thanks for your reply.
Yes, that command is there to read the audit files, not what I wanted here.

For example: (Solaris 10)

In /etc/syslog.conf, I have made an entry for /var/adm/auditlog

********************************
<hostname>:/var/audit# cat /etc/syslog.conf| tail -1
audit.notice /var/adm/auditlog
*********************************

# cat /var/adm/auditlog | more
Jan 15 03:10:16 <hostname> audit: [ID 702911 audit.notice] execve(2) ok session 15478 by root as root:root from unknown obj /usr/bin/sbin/sh
Jan 15 03:10:16 <hostname> audit: [ID 702911 audit.notice] execve(2) ok session 15478 by root as root:root from unknown obj /usr/bin/cat
Jan 15 03:10:17 <hostname> audit: [ID 702911 audit.notice] ftp logout ok session 15643 by <system-user> as <system-user>:<system user group> from <IP of a remote system>
Jan 15 03:10:17 <hostname> audit: [ID 702911 audit.notice] ftp access ok session 15653 by <system-user> as <system-user>:<system user group> from <IP of a remote system>
Jan 15 03:10:17 <hostname> audit: [ID 702911 audit.notice] ftp logout ok session 15653 by <system-user> as <system-user>:<system user group> from <IP of a remote system>
Jan 15 03:10:17 <hostname> audit: [ID 702911 audit.notice] ftp access ok session 15655 by <system-user> as <system-user>:<system user group> from <IP of a remote system>
Jan 15 03:10:18 <hostname> audit: [ID 702911 audit.notice] ftp access ok session 15656 by <system-user> as <system-user>:<system user group> from <hostname>
Jan 15 03:10:18 <hostname> audit: [ID 702911 audit.notice] ftp logout ok session 15656 by <system-user> as <system-user>:<system user group> from <hostname>
Jan 15 03:10:18 <hostname> audit: [ID 702911 audit.notice] ftp logout ok session 15655 by <system-user> as <system-user>:<system user group> from <IP of a remote system>
Jan 15 03:10:18 <hostname> audit: [ID 702911 audit.notice] ftp access ok session 15658 by <system-user> as <system-user>:<system user group> from <IP of a remote system>
Jan 15 03:10:18 <hostname> audit: [ID 702911 audit.notice] ftp logout ok session 15658 by <system-user> as <system-user>:<system user group> from <IP of a remote system>

And since with Solaris 9 when I am making a similar entry in syslog.conf, its not working, What am I supposed to do to to get a file similar to the auditlog file as shown in the example above.

Thanks a lot for your reply in advance.

Regards
Sumeet

The man page for syslog.conf should help you.

And remember to use tabs and not spaces in your syslog.conf file.