Remote Audit Log

This feature is new in the Software Express pilot program. This feature is included in the Solaris 10 3/05 release.

In addition to recording audit events in the binary audit log, the Solaris releases enable you to record audit events to syslog.

The generation of syslog data allows you to use the same management and analysis tools that are available for syslog messages from a variety of Solaris and non-Solaris environments, including workstation, servers, firewalls, and routers. By using syslog.conf to route audit messages to remote storage, you protect log data from alteration or deletion by an attacker. However, the syslog option provides only a summary of audit record data. Also, when syslog data is stored on a remote system, the data is susceptible to network attacks such as denial of service and false or “spoofed” source addresses.

For further information, see Chapter 27, “Solaris Auditing (Overview)” and “Audit Files” in the System Administration Guide: Security Services.

See also the following man pages:

• audit(1M)

• audit.log(4)

• audit_control(4)

• audit_syslog(5)

• syslog(3C)

• syslog.conf(4)