In this procedure, you use attributes of the audit_remote plugin to send the audit trail to a remote audit repository. To configure a remote repository on an Oracle Solaris system, see How to Configure a Remote Repository for Audit Files.
Before You Begin
You must have a receiver of audit files at your remote repository. You must become an administrator who is assigned the Audit Configuration rights profile. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.
Read the OBJECT ATTRIBUTES section of the audit_remote(5) man page.
# man audit_remote
...
OBJECT ATTRIBUTES
     The p_hosts attribute specifies the remote servers. You can also specify the port number and the GSS-API mechanism.
     The p_retries attribute specifies the number of retries for connecting and sending data. The default is 3.
     The p_timeout attribute specifies the number of seconds in which a connection times out.
The default port is the solaris_audit IANA-assigned port, 16162/tcp. The default mechanism is kerberos_v5. The timeout default is 5 seconds. You can also specify a queue size for the plugin.
In this example, the receiving system uses a different port.
# auditconfig -setplugin audit_remote \
p_hosts=ars.example.com:16088:kerberos_v5
For example, the following command specifies values for all optional attributes:
# auditconfig -setplugin audit_remote "p_retries=5;p_timeout=3" 300
For example, the following commands specify and verify the values of the plugin:
# auditconfig -getplugin audit_remote
Plugin: audit_remote (inactive)
Attributes: p_hosts=ars.example.com:16088:kerberos_v5;p_retries=5;p_timeout=3;
Queue size: 300
# auditconfig -setplugin audit_remote active
The audit service reads the audit plugin change upon refresh.
# audit -s
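The verification step above can be scripted so that a plugin left inactive, a wrong receiver, or an attribute with no value is caught before audit records are silently not shipped. The following is an added example, not part of the Oracle procedure: the function names are hypothetical, the sample output is constructed from the listing above, and the "(active)" state string is assumed to be the counterpart of the "(inactive)" shown there.

```shell
# Added example: check `auditconfig -getplugin audit_remote` output on stdin.
# $1 = expected p_hosts value. Prints findings; returns how many there were.
attr_value() {                      # attr_value KEY "k1=v1;k2=v2;"
    av_rest=$2
    while [ -n "$av_rest" ]; do
        av_pair=${av_rest%%;*}
        case $av_rest in *";"*) av_rest=${av_rest#*;} ;; *) av_rest= ;; esac
        case $av_pair in "$1="*) printf '%s\n' "${av_pair#*=}"; return 0 ;; esac
    done
    return 1
}
is_number() { case $1 in ''|*[!0-9]*) return 1 ;; esac; }
finding() { echo "$*"; findings=$((findings + 1)); }

check_audit_remote() {
    want_hosts=$1 state=unknown attrs= qsize= findings=0
    while IFS= read -r line; do
        case $line in
            "Plugin: audit_remote ("*")") state=${line#*\(}; state=${state%\)} ;;
            "Attributes: "*) attrs=${line#Attributes: } ;;
            "Queue size: "*) qsize=${line#Queue size: } ;;
        esac
    done
    # Assumption: "(active)" is what an enabled plugin reports.
    [ "$state" = active ] ||
        finding "plugin state is '$state': records are not sent to the repository"
    hosts=$(attr_value p_hosts "$attrs") || hosts=
    [ "$hosts" = "$want_hosts" ] || finding "p_hosts is '$hosts', expected '$want_hosts'"
    for key in p_retries p_timeout; do
        # A missing attribute keeps its default; one that is present must be numeric.
        if val=$(attr_value "$key" "$attrs") && ! is_number "$val"; then
            finding "$key is set to '$val', not a number"
        fi
    done
    if [ -n "$qsize" ] && ! is_number "$qsize"; then
        finding "queue size '$qsize' is not a number"
    fi
    return "$findings"
}

# Constructed sample: the verification output shown above, before activation.
SAMPLE='Plugin: audit_remote (inactive)
Attributes: p_hosts=ars.example.com:16088:kerberos_v5;p_retries=5;p_timeout=3;
Queue size: 300'
printf '%s\n' "$SAMPLE" | check_audit_remote ars.example.com:16088:kerberos_v5 || true
```

On an audited system, pipe the real `auditconfig -getplugin audit_remote` output into `check_audit_remote` in place of the sample; a nonzero exit status means at least one finding was printed.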
In this example, the audit queue is full behind the audit_remote plugin. This audited system is configured to audit many classes and is transmitting across a high-traffic, slow network. The administrator enlarges the plugin's buffer size to enable the audit queue to grow and not exceed the buffer's limit before records are removed from the queue.
audsys1 # auditconfig -setplugin audit_remote "" 1000
audsys1 # audit -s