JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
man pages section 5: Standards, Environments, and Macros     Oracle Solaris 11.1 Information Library
search filter icon
search icon

Document Information

Preface

Introduction

Standards, Environments, and Macros

acl(5)

ad(5)

advance(5)

adv_cap_1000fdx(5)

adv_cap_1000hdx(5)

adv_cap_100fdx(5)

adv_cap_100hdx(5)

adv_cap_10fdx(5)

adv_cap_10hdx(5)

adv_cap_asym_pause(5)

adv_cap_autoneg(5)

adv_cap_pause(5)

adv_rem_fault(5)

ANSI(5)

architecture(5)

ars(5)

ascii(5)

attributes(5)

audit_binfile(5)

audit_flags(5)

audit_remote(5)

audit_syslog(5)

availability(5)

brands(5)

C++(5)

C(5)

cancellation(5)

cap_1000fdx(5)

cap_1000hdx(5)

cap_100fdx(5)

cap_100hdx(5)

cap_10fdx(5)

cap_10hdx(5)

cap_asym_pause(5)

cap_autoneg(5)

cap_pause(5)

cap_rem_fault(5)

charmap(5)

compile(5)

condition(5)

crypt_bsdbf(5)

crypt_bsdmd5(5)

crypt_sha256(5)

crypt_sha512(5)

crypt_sunmd5(5)

crypt_unix(5)

CSI(5)

datasets(5)

device_clean(5)

dhcp(5)

dhcp_modules(5)

environ(5)

eqnchar(5)

extendedFILE(5)

extensions(5)

fedfs(5)

filesystem(5)

fmri(5)

fnmatch(5)

formats(5)

fsattr(5)

grub(5)

gss_auth_rules(5)

hal(5)

iconv_1250(5)

iconv_1251(5)

iconv(5)

iconv_646(5)

iconv_852(5)

iconv_8859-1(5)

iconv_8859-2(5)

iconv_8859-5(5)

iconv_dhn(5)

iconv_koi8-r(5)

iconv_mac_cyr(5)

iconv_maz(5)

iconv_pc_cyr(5)

iconv_unicode(5)

ieee802.11(5)

ieee802.3(5)

ipfilter(5)

ipkg(5)

isalist(5)

ISO(5)

kerberos(5)

krb5_auth_rules(5)

krb5envvar(5)

KSSL(5)

kssl(5)

labels(5)

largefile(5)

ldap(5)

lf64(5)

lfcompile(5)

lfcompile64(5)

link_duplex(5)

link_rx_pause(5)

link_tx_pause(5)

link_up(5)

locale(5)

locale_alias(5)

lp_cap_1000fdx(5)

lp_cap_1000hdx(5)

lp_cap_100fdx(5)

lp_cap_100hdx(5)

lp_cap_10fdx(5)

lp_cap_10hdx(5)

lp_cap_asym_pause(5)

lp_cap_autoneg(5)

lp_cap_pause(5)

lp_rem_fault(5)

man(5)

mansun(5)

me(5)

mech_spnego(5)

mm(5)

ms(5)

MT-Level(5)

mutex(5)

MWAC(5)

mwac(5)

nfssec(5)

NIS+(5)

NIS(5)

nis(5)

nwam(5)

openssl(5)

pam_allow(5)

pam_authtok_check(5)

pam_authtok_get(5)

pam_authtok_store(5)

pam_deny(5)

pam_dhkeys(5)

pam_dial_auth(5)

pam_krb5(5)

pam_krb5_migrate(5)

pam_ldap(5)

pam_list(5)

pam_passwd_auth(5)

pam_pkcs11(5)

pam_rhosts_auth(5)

pam_roles(5)

pam_sample(5)

pam_smbfs_login(5)

pam_smb_passwd(5)

pam_tsol_account(5)

pam_tty_tickets(5)

pam_unix_account(5)

pam_unix_auth(5)

pam_unix_cred(5)

pam_unix_session(5)

pam_user_policy(5)

pam_zfs_key(5)

pkcs11_kernel(5)

pkcs11_kms(5)

pkcs11_softtoken(5)

pkcs11_tpm(5)

pkg(5)

POSIX.1(5)

POSIX.2(5)

POSIX(5)

privileges(5)

prof(5)

pthreads(5)

RBAC(5)

rbac(5)

regex(5)

regexp(5)

resource_controls(5)

sgml(5)

smf(5)

smf_bootstrap(5)

smf_method(5)

smf_restarter(5)

smf_security(5)

smf_template(5)

solaris10(5)

solaris(5)

solbook(5)

stability(5)

standard(5)

standards(5)

step(5)

sticky(5)

suri(5)

SUS(5)

SUSv2(5)

SUSv3(5)

SVID3(5)

SVID(5)

tecla(5)

teclarc(5)

term(5)

threads(5)

trusted_extensions(5)

vgrindefs(5)

wbem(5)

xcvr_addr(5)

xcvr_id(5)

xcvr_inuse(5)

XNS4(5)

XNS(5)

XNS5(5)

XPG3(5)

XPG4(5)

XPG4v2(5)

XPG(5)

zones(5)

audit_syslog

- realtime conversion of Solaris audit data to syslog messages

Synopsis

/usr/lib/security/audit_syslog.so

Description

The audit_syslog plugin module for Solaris audit, /usr/lib/security/audit_syslog.so, provides realtime conversion of Solaris audit data to syslog-formatted (text) data and sends it to a syslog daemon as configured in syslog.conf(4). The plugin's path is specified with the auditconfig(1M) utility.

Messages to syslog are written if the plugin is configured as an active via auditconfig. Use the auditconfig -setplugin option to change all the plugin related configuration parameters. Syslog messages are generated with the facility code of LOG_AUDIT (audit in syslog.conf(4)) and severity of LOG_NOTICE. Audit syslog messages contain data selected from the tokens described for the binary audit log. (See audit.log(4)). As with all syslog messages, each line in a syslog file consists of two parts, a syslog header and a message.

The syslog header contains the date and time the message was generated, the host name from which it was sent, auditd to indicate that it was generated by the audit daemon, an ID field used internally by syslogd, and audit.notice indicating the syslog facility and severity values. The syslog header ends with the characters ], that is, a closing square bracket and a space.

The message part starts with the event type from the header token. All subsequent data appears only if contained in the original audit record and there is room in the 1024-byte maximum length syslog line. In the following example, the backslash (\) indicates a continuation; actual syslog messages are contained on one line:

Oct 31 11:38:08 smothers auditd: [ID 917521 audit.notice] chdir(2) ok\
session 401 by joeuser as root:other from myultra obj /export/home

In the preceding example, chdir(2) is the event type. Following this field is additional data, described below. This data is omitted if it is not contained in the source audit record.

ok or failed

Comes from the return or exit token.

session <#>

<#> is the session ID from the subject token.

by <name>

<name> is the audit ID from the subject token.

as <name>:<group>

<name> is the effective user ID and <group> is the effective group ID from the subject token.

in <zone name>

The zone name. This field is generated only if the zonename audit policy is set.

from <terminal>

<terminal> is the text machine address from the subject token.

obj <path>

<path> is the path from the path token The path can be truncated from the left if necessary to fit it on the line. Truncation is indicated by leading ellipsis (...).

proc_uid <owner>

<owner> is the effective user ID of the process owner.

proc_auid <owner>

<owner> is the audit ID of the process owner.

The following are example syslog messages:

Nov  4  8:27:07 smothers auditd: [ID 175219 audit.notice] 
\system booted

Nov  4  9:28:17 smothers auditd: [ID 752191 audit.notice] \
login - rlogin ok session 401 by joeuser as joeuser:staff from myultra

Nov  4 10:29:27 smothers auditd: [ID 521917 audit.notice] \
access(2) ok session 255 by janeuser as janeuser:staff from  \
129.146.89.30 obj /etc/passwd

Object Attributes

The p_flag attribute is used to further filter audit data being sent to the syslog daemon beyond the classes specified through the flags and naflags (see auditconfig(1M)) and through the user-specific lines of user_attr(4). The parameter is a comma-separated list; each item represents an audit class (see audit_class(4)) and is specified using the syntax described in audit_flags(5). The default (empty p_flags listed) is that no audit records are generated.

Examples

Example 1 One Use of the plugin Line

In the specification shown below, the plugin (in conjunction with setting flags and naflags) is used to allow class records for lo but allows class records for am for failures only. Omission of the fm class records results in no fm class records being output. The pc parameter has no effect because you cannot add classes to those defined by means of flags and naflags and by user_attr(4). You can only remove them.

auditconfig -setflags lo,am,fm
auditconfig -setnaflags lo
auditconfig -setplugin audit_syslog active "p_flags=lo,-am,pc"

Example 2 Use of all

In the specification shown below, with one exception, all allows all flags defined by means of flags and naflags (and user_attr(4)). The exception the am metaclass, which is equivalent to ss,as,ua, which is modified to output all ua events but only failure events for ss and as.

auditconfig -setflags lo,am
auditconfig -setnaflags lo
auditconfig -setplugin audit_syslog active "p_flags=all,^+ss,^+as"

Attributes

See attributes(5) for a description of the following attributes:

ATTRIBUTE TYPE
ATTRIBUTE VALUE
MT Level
MT-Safe
Interface Stability
See below.

The message format and message content are Uncommitted. The configuration parameters are Committed.

See Also

auditconfig(1M), auditd(1M), audit_class(4), syslog.conf(4), user_attr(4), attributes(5), audit_flags(5)

Oracle Solaris 11.1 Administration: Security Services

Notes

Activating the audit_syslog plugin requires that /etc/syslog.conf is configured to store syslog messages of facility audit and severity notice or above in a file intended for Solaris audit records. An example of such a line in syslog.conf is:

audit.notice                /var/audit/audit.log

Messages from syslog are sent to remote syslog servers by means of UDP, which does not guarantee delivery or ensure the correct order of arrival of messages.

If the parameters specified for the plugin line result in no classes being preselected, an error is reported by means of a syslog alert with the LOG_DAEMON facility code.

The time field in the syslog header is generated by syslog(3C) and only approximates the time given in the binary audit log. Normally the time field shows the same whole second or at most a few seconds difference.