Basic Security Module Auditing (im_bsm)
This module provides support for parsing events logged using Sun’s Basic Security Module (BSM) Auditing API. This module reads directly from the kernel. See also xm_bsm.
The BSM /dev/auditpipe device file is available on FreeBSD and macOS. On Solaris, the device file is not available and the log files must be read and parsed with im_file and xm_bsm as shown in the example.
To examine the supported platforms, see the list of installation packages.
Setup
For information about setting up BSM Auditing, see the xm_bsm Setup section.
Configuration
The im_bsm module accepts the following directives in addition to the common module directives.
Optional directives
DeviceFile
This optional directive specifies the device file from which to read BSM events. If this is not specified, it defaults to /dev/auditpipe.
This optional directive can be used to specify the path to the audit event database containing a mapping between event names and numeric identifiers.
The default location is |
Fields
See the xm_bsm Fields.
Examples
This configuration reads BSM audit events directly from the kernel via the (default) /dev/auditpipe device file (which is not available on Solaris; see the xm_bsm example instead).
<Input in>
    Module      im_bsm
    DeviceFile  /dev/auditpipe
</Input>