Managing Auditing in Oracle® Solaris 11.3

Updated: December 2018
 
 

How to Send Audit Files to a Remote Repository

In this procedure, you use attributes of the audit_remote plugin to send the audit trail to a remote audit repository. To configure a remote repository on an Oracle Solaris system, see How to Configure a Remote Repository for Audit Files.

Before You Begin

You must have a receiver of audit files at your remote repository. You must become an administrator who is assigned the Audit Configuration rights profile. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

  1. Determine the attributes of the audit_remote plugin.

    Read the OBJECT ATTRIBUTES section of the audit_remote(5) man page.

    # man audit_remote
    
    ...
    OBJECT ATTRIBUTES
    The p_hosts attribute specifies the remote servers.
    You can also specify the port number and the GSS-API
    mechanism.
    
    The p_retries attribute specifies the number of retries for
    connecting and sending data. The default is 3.
    
    The p_timeout attribute specifies the number of seconds
    in which a connection times out.

    The default port is the solaris_audit IANA-assigned port, 16162/tcp. The default mechanism is kerberos_v5. The timeout default is 5 seconds. You can also specify a queue size for the plugin.

  2. To specify the remote receiving system, use the p_hosts attribute.

    In this example, the receiving system uses a different port.

    # auditconfig -setplugin audit_remote \
         p_hosts=ars.example.com:16088:kerberos_v5
    
  3. Specify other attributes of the plugin that you want to change.

    For example, the following command specifies values for all optional attributes and sets the queue size to 300:

    # auditconfig -setplugin audit_remote "p_retries=5;p_timeout=3" 300
    
  4. Verify the values, then activate the plugin.

    For example, the following commands verify the values of the plugin, then activate it:

    # auditconfig -getplugin audit_remote
    Plugin: audit_remote (inactive)
    Attributes: p_hosts=ars.example.com:16088:kerberos_v5;p_retries=5;p_timeout=3;
    Queue size: 300
    
    # auditconfig -setplugin audit_remote active
    
  5. Refresh the audit service.

    The audit service reads the audit plugin change upon refresh.

    # audit -s
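
The verification in step 4 can be scripted. The following is an added example, not part of the Oracle documentation: it parses `auditconfig -getplugin audit_remote` output, fills in the default port and mechanism stated in step 1, and reports whether the plugin is active with a receiver configured. Function names are hypothetical; the comma-separated multi-host form of p_hosts is taken from audit_remote(5), and hosts are assumed to be names rather than IPv6 literals.

```shell
#!/bin/sh
# Added example; function names are hypothetical.
# Defaults stated in step 1 of the procedure.
DEFAULT_PORT=16162
DEFAULT_MECH=kerberos_v5

# plugin_state OUTPUT -> "active" or "inactive", from the "Plugin:" line
plugin_state() {
    printf '%s\n' "$1" | sed -n 's/^Plugin: audit_remote (\([a-z]*\)).*/\1/p'
}

# plugin_attr OUTPUT NAME -> value of one attribute on the "Attributes:" line
plugin_attr() {
    printf '%s\n' "$1" | sed -n 's/^Attributes: *//p' | tr ';' '\n' |
        sed -n "s/^$2=//p"
}

# effective_receivers OUTPUT -> one "host port mechanism" line per p_hosts
# entry (comma-separated per audit_remote(5)), defaults filled in when omitted
effective_receivers() {
    plugin_attr "$1" p_hosts | tr ',' '\n' |
    while IFS=: read -r host port mech; do
        if [ -n "$host" ]; then
            echo "$host ${port:-$DEFAULT_PORT} ${mech:-$DEFAULT_MECH}"
        fi
    done
}

# check_ready OUTPUT -> 0 if active with at least one receiver, else 1
check_ready() {
    rc=0
    if [ "$(plugin_state "$1")" != active ]; then
        echo "audit_remote is not active"; rc=1
    fi
    if [ -z "$(effective_receivers "$1")" ]; then
        echo "p_hosts names no receiver"; rc=1
    fi
    return $rc
}

# Sample: the output shown in step 4, before the plugin is activated.
SAMPLE='Plugin: audit_remote (inactive)
Attributes: p_hosts=ars.example.com:16088:kerberos_v5;p_retries=5;p_timeout=3;
Queue size: 300'

effective_receivers "$SAMPLE"
check_ready "$SAMPLE" || echo "do not expect records at the receiver yet"
# On the audited system: check_ready "$(auditconfig -getplugin audit_remote)"
```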
    
Example 26  Tuning the Audit Queue Buffer Size

In this example, the audit queue is full behind the audit_remote plugin. This audited system is configured to audit many classes and is transmitting across a high-traffic, slow network. The administrator enlarges the plugin's buffer size to enable the audit queue to grow and not exceed the buffer's limit before records are removed from the queue.

audsys1 # auditconfig -setplugin audit_remote "" 1000

audsys1 # audit -s