System Administration Guide: Security Services

ProcedureHow to Configure syslog Audit Logs

You can instruct the audit service to copy some or all of the collected audit records in the audit queue to syslog. In the following procedure, you save binary audit data and text audit data. The collected text audit data is a subset of the binary data.

Before You Begin

You must preselect audit classes. Preselected audit classes are specified in the flags line and the naflags line of the audit_control file. You can also preselect classes for individual users in the audit_user file and dynamically add audit classes with the auditconfig command.

  1. Assume the Primary Administrator role, or become superuser.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. (Optional) Save a backup copy of the audit_control file.

    # cp /etc/security/audit_control /etc/security/
  3. Add an plugin entry.

    ## audit_control file
    naflags:lo,na;p_dir=/var/audit; p_minfree=20;;p_flags=+lo,-ss

    A plugin entry has the following format:

    plugin:name=name; qsize=max-queued-records;p_*=value
    • name=name – Lists the name of the plugin. The valid values are and

    • qsize=max-queued-records – Specifies the maximum number of records to queue for audit data that is being sent to the plugin. This attribute is optional.

    • p_*=value – Specifies plugin-specific attributes. The plugin accepts p_flags. The plugin accepts p_dir, p_minfree and p_fsize. The p_fsize attribute was introduced in Solaris 10 10/08.

    For more information about the plugin-specific attributes, see the OBJECT ATTRIBUTES section of the audit_binfile(5) and audit_syslog(5) man pages.

  4. Add an audit.notice entry to the syslog.conf file.

    The entry includes the location of the log file.

    # cat /etc/syslog.conf
    audit.notice       /var/adm/auditlog

    Do not store text logs where the binary audit files are stored. The auditreduce command, which reads binary audit files, assumes that all files in an audit partition are binary audit files.

  5. Create the log file.

    # touch /var/adm/auditlog
  6. Refresh the configuration information for the syslog service.

    # svcadm refresh system/system-log
  7. Regularly archive the syslog log files.

    The audit service can generate extensive output. To manage the logs, see the logadm(1M) man page.

Example 30–5 Specifying Audit Classes for syslog Output

In the following example, the syslog utility collects a subset of the preselected audit classes.

## audit_user file

## audit_control file
naflags:lo,na; p_dir=/var/audit/host.1/files,
/var/audit/host.2/files,/var/audit/localhost/files; p_minfree=10; p_flags=-lo,-na,-ss,+pf

The flags and naflags entries instruct the system to collect all login/logout, nonattributable, and change of system state audit records in binary format. The plugin entry instructs the syslog utility to collect only failed logins, failed nonattributable events, and failed changes of system state. For the jdoe user, the binary audit record includes all uses of a profile-aware shell. The syslog utility collects successful profile-aware commands. The pf class is created in Example 30–10.

Example 30–6 Putting syslog Audit Records on a Remote System

You can change the audit.notice entry in the syslog.conf file to point to a remote system. In this example, the name of the local system is example1. The remote system is remote1.

example1 # cat /etc/syslog.conf
audit.notice       @remote1

The audit.notice entry in the syslog.conf file on the remote1 system points to the log file.

remote1 # cat /etc/syslog.conf
audit.notice       /var/adm/auditlog

Example 30–7 Using Plugins in the audit_control File

The preferred method for specifying non-flags information in the audit_control file is to use the plugin entry. In this example, the audit flags are selected, then the plugin information is listed.

## audit_control file
naflags:lo,na;p_minfree=10; p_dir=/var/audit; p_flags=+lo