You can instruct the audit service to copy some or all of the audit records in the audit queue to the syslog utility. If you record both binary audit data and text summaries, the binary data provide a complete audit record, while the summaries filter the data for real-time review.
Before You Begin
To configure the audit_syslog plugin, you must become an administrator who is assigned the Audit Configuration rights profile. To configure the syslog utility and create the auditlog file, you must assume the root role.
$ auditconfig -setplugin audit_syslog \ active p_flags=lo,+as,-ss
# cat /etc/syslog.conf … audit.notice /var/adm/auditlog
# touch /var/adm/auditlog
# chmod 640 /var/adm/auditlog
# svcs system-log STATE STIME FMRI online 13:14:36 svc:/system/system-log:default disabled 13:13:36 svc:/system/system-log:rsyslog
# svcadm refresh system/system-log:default
The audit service reads the changes to the audit plugin upon refresh.
# audit -s
In this example, the syslog utility collects a subset of the preselected audit classes. The pf class is created in Example 11, Creating a New Audit Class.
$ auditconfig -setnaflags lo,na $ auditconfig -setflags lo,ss # usermod -K audit_flags=pf:no jdoe $ auditconfig -setplugin audit_syslog \ active p_flags=lo,+na,-ss,+pf
The arguments to the auditconfig command instruct the system to collect all login/logout, non-attributable, and change of system state audit records. The audit_syslog plugin entry instructs the syslog utility to collect all logins, successful non-attributable events, and failed changes of system state.
For the jdoe user, the binary utility collects successful and failed calls to the pfexec command. The syslog utility collects successful calls to the pfexec command.Example 25 Putting syslog Audit Records on a Remote System
You can change the audit.notice entry in the syslog.conf file to point to a remote system. In this example, the name of the local system is sys1.1. The remote system is remote1.
sys1.1 # cat /etc/syslog.conf … audit.notice @remote1
The audit.notice entry in the syslog.conf file on the remote1 system points to the log file.
remote1 # cat /etc/syslog.conf ... audit.notice /var/adm/auditlog