1audit_syslog(5)       Standards, Environments, and Macros      audit_syslog(5)
2
3
4

NAME

6       audit_syslog - realtime conversion of Solaris audit data to syslog mes‐
7       sages
8

SYNOPSIS

10       /usr/lib/security/audit_syslog.so
11
12

DESCRIPTION

14       The  audit_syslog  plugin  module  for  Solaris  audit,  /usr/lib/secu‐
15       rity/audit_syslog.so,  provides  realtime  conversion  of Solaris audit
16       data to syslog-formatted (text) data and sends it to a syslog daemon as
17       configured  in  syslog.conf(4).  The  plugin's path is specified in the
18       audit configuration file, audit_control(4).
19
20
21       Messages to syslog are written if selected via  the  plugin  option  in
22       audit_control.  Syslog messages are generated with the facility code of
23       LOG_AUDIT (audit in syslog.conf(4)) and severity of  LOG_NOTICE.  Audit
24       syslog messages contain data selected from the tokens described for the
25       binary audit log. (See audit.log(4)). As with all syslog messages, each
26       line in a syslog file consists of two parts, a syslog header and a mes‐
27       sage.
28
29
30       The syslog header contains the date and time the message was generated,
31       the  host  name  from which it was sent, auditd to indicate that it was
32       generated by the audit daemon, an ID field used internally by  syslogd,
33       and  audit.notice  indicating  the syslog facility and severity values.
34       The syslog header ends with the characters ], that is, a closing square
35       bracket and a space.
36
37
38       The  message part starts with the event type from the header token. All
39       subsequent data appears only if contained in the original audit  record
40       and  there  is room in the 1024-byte maximum length syslog line. In the
41       following example, the backslash (\) indicates a  continuation;  actual
42       syslog messages are contained on one line:
43
44         Oct 31 11:38:08 smothers auditd: [ID 917521 audit.notice] chdir(2) ok\
45         session 401 by joeuser as root:other from myultra obj /export/home
46
47
48
49
50       In  the  preceding  example, chdir(2) is the event type. Following this
51       field is additional data, described below. This data is omitted  if  it
52       is not contained in the source audit record.
53
54       ok or failed         Comes from the return or exit token.
55
56
57       session <#>          <#> is the session ID from the subject token.
58
59
60       by <name>            <name> is the audit ID from the subject token.
61
62
63       as <name>:<group>    <name> is the effective user ID and <group> is the
64                            effective group ID from the subject token.
65
66
67       in <zone name>       The zone name. This field is generated only if the
68                            zonename audit policy is set.
69
70
71       from <terminal>      <terminal>  is  the  text machine address from the
72                            subject token.
73
74
75       obj <path>           <path> is the path from the path  token  The  path
76                            can be truncated from the left if necessary to fit
77                            it on the line. Truncation is indicated by leading
78                            ellipsis (...).
79
80
81       proc_uid <owner>     <owner>  is  the  effective user ID of the process
82                            owner.
83
84
85       proc_auid <owner>    <owner> is the audit ID of the process owner.
86
87
88
89       The following are example syslog messages:
90
91         Nov  4  8:27:07 smothers auditd: [ID 175219 audit.notice] \
92         system booted
93
94         Nov  4  9:28:17 smothers auditd: [ID 752191 audit.notice] \
95         login - rlogin ok session 401 by joeuser as joeuser:staff from myultra
96
97         Nov  4 10:29:27 smothers auditd: [ID 521917 audit.notice] \
98         access(2) ok session 255 by janeuser as janeuser:staff from  \
99         129.146.89.30 obj /etc/passwd
100
101
102

OBJECT ATTRIBUTES

104       The p_flag attribute, specified by means of the plugin  directive  (see
105       audit_control(4)),  is  used to further filter audit data being sent to
106       the syslog daemon beyond the classes specified through  the  flags  and
107       naflags  lines  of audit_control and through the user-specific lines of
108       audit_user(4). The parameter is a comma-separated list; each item  rep‐
109       resents  an audit class (see audit_class(4)) and is specified using the
110       same syntax used in audit_control for the flags and naflags lines.  The
111       default (no p_flags listed) is that no audit records are generated.
112

EXAMPLES

114       Example 1 One Use of the plugin Line
115
116
117       In  the specification shown below, the plugin line (in conjunction with
118       flags and naflags) is used to allow class records  for  lo  but  allows
119       class  records  for  am  for  failures  only.  Omission of the fm class
120       records results in no fm class records being output. The  pc  parameter
121       has  no effect because you cannot add classes to those defined by means
122       of flags and naflags and by audit_user(4). You can only remove them.
123
124
125         flags: lo,am,fm
126         naflags: lo
127         plugin: name=audit_syslog.so; p_flags=lo,-am
128
129
130
131       Example 2 Use of all
132
133
134       In the specification shown below, with one exception,  all  allows  all
135       flags  defined  by  means of flags and naflags (and audit_user(4)). The
136       exception the am metaclass, which is equivalent to ss,as,ua,  which  is
137       modified to output all ua events but only failure events for ss and as.
138
139
140         flags: lo,am
141         naflags: lo
142         plugin: name=audit_syslog.so; p_flags=all,^+ss,^+as
143
144
145

ATTRIBUTES

147       See attributes(5) for a description of the following attributes:
148
149
150
151
152       ┌─────────────────────────────┬─────────────────────────────┐
153       │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
154       ├─────────────────────────────┼─────────────────────────────┤
155       │MT Level                     │MT-Safe                      │
156       ├─────────────────────────────┼─────────────────────────────┤
157       │Interface Stability          │See below.                   │
158       └─────────────────────────────┴─────────────────────────────┘
159
160
161       The  message format and message content are Uncommitted. The configura‐
162       tion parameters are Committed.
163

SEE ALSO

165       auditd(1M),    audit_class(4),    audit_control(4),     syslog.conf(4),
166       attributes(5)
167
168
169       System Administration Guide: Security Services
170

NOTES

172       Use  of  the  plugin  configuration  line  to  include  audit_syslog.so
173       requires that /etc/syslog.conf is configured to store  syslog  messages
174       of  facility  audit and severity notice or above in a file intended for
175       Solaris audit records. An example of such a line in syslog.conf is:
176
177         audit.notice                /var/audit/audit.log
178
179
180
181
182       Messages from syslog are sent to remote syslog servers by means of UDP,
183       which  does  not  guarantee  delivery  or  ensure  the correct order of
184       arrival of messages.
185
186
187       If the parameters specified for the plugin line result  in  no  classes
188       being preselected, an error is reported by means of a syslog alert with
189       the LOG_DAEMON facility code.
190
191
192       The time field in the syslog header is generated by syslog(3C) and only
193       approximates  the time given in the binary audit log. Normally the time
194       field shows the same whole second or at most a few seconds difference.
195
196
197
198SunOS 5.11                        25 Sep 2008                  audit_syslog(5)