Basic Security Module Auditing (im_bsm)

This module provides support for parsing events logged using Sun’s Basic Security Module (BSM) Auditing API. This module reads directly from the kernel. See also xm_bsm.

The BSM /dev/auditpipe device file is available on FreeBSD and macOS. On Solaris, the device file is not available, so the audit log files must be read with im_file and parsed with xm_bsm, as shown in the xm_bsm example.

To examine the supported platforms, see the list of installation packages.

Setup

For information about setting up BSM Auditing, see the xm_bsm Setup section.

Configuration

The im_bsm module accepts the following directives in addition to the common module directives.

Optional directives

DeviceFile

This optional directive specifies the device file from which to read BSM events. If this is not specified, it defaults to /dev/auditpipe.

EventFile

This optional directive specifies the path to the audit event database, which maps event names to numeric event identifiers. If this is not specified, it defaults to /etc/security/audit_event.
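The audit event database that EventFile points to is a plain text file in the audit_event(5) format: one event per line as eventnum:eventname:eventdesc:flags, with blank lines and # comments ignored. The following Python parser is an added example (not NXLog's code) that builds the same number-to-name mapping the module needs; it assumes that format, and the SAMPLE_AUDIT_EVENT lines and their numbers are constructed for illustration rather than copied from any real system.

```python
from typing import Dict, NamedTuple, Optional


class AuditEvent(NamedTuple):
    number: int              # numeric event identifier carried in the BSM record header
    name: str                # symbolic name, e.g. AUE_EXECVE
    description: str         # human-readable description
    classes: frozenset       # audit classes the event belongs to, e.g. {"pc", "ex"}


# Constructed excerpt in audit_event(5) layout; the real database ships with the OS.
SAMPLE_AUDIT_EVENT = """\
#
# Constructed sample audit event database (illustrative values only)
#
0:AUE_NULL:indir system call:no
2:AUE_FORK:fork(2):pc
23:AUE_EXECVE:execve(2):pc,ex

45000:AUE_demo_login:constructed login event: with colon in text:lo
"""


def parse_audit_event(text: str) -> Dict[int, AuditEvent]:
    """Parse audit_event(5) text into a mapping from event number to AuditEvent.

    Splits the first two fields from the left and the flags field from the
    right, so a colon inside the description does not break the record.
    Duplicate event numbers are rejected because a BSM header carries only
    the number, and an ambiguous mapping would mislabel events.
    """
    table: Dict[int, AuditEvent] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comment or blank line
        try:
            num_s, name, rest = line.split(":", 2)
            desc, flags = rest.rsplit(":", 1)
        except ValueError:
            raise ValueError(f"line {lineno}: expected eventnum:eventname:eventdesc:flags")
        try:
            number = int(num_s)
        except ValueError:
            raise ValueError(f"line {lineno}: event number {num_s!r} is not an integer")
        if number in table:
            raise ValueError(f"line {lineno}: duplicate event number {number}")
        classes = frozenset(c.strip() for c in flags.split(",") if c.strip())
        table[number] = AuditEvent(number, name.strip(), desc.strip(), classes)
    return table


def lookup_name(table: Dict[int, AuditEvent], number: int) -> Optional[str]:
    """Return the symbolic event name for a numeric id, or None if unmapped.

    An unmapped id usually means the database is stale relative to the
    kernel; the record itself is still valid and should not be dropped.
    """
    event = table.get(number)
    return event.name if event is not None else None


if __name__ == "__main__":
    events = parse_audit_event(SAMPLE_AUDIT_EVENT)
    for num in (23, 45000, 99999):
        print(num, lookup_name(events, num))
```

In practice the text would be read from the path given by EventFile; a lookup that returns None is worth surfacing in monitoring, since it indicates the database and the running kernel disagree about event numbers.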

Fields

See the xm_bsm Fields section.

Examples

Example 1. Reading BSM Audit Events From the Kernel

This configuration reads BSM audit events directly from the kernel through the default /dev/auditpipe device file. The device file is not available on Solaris; see the xm_bsm example instead.

nxlog.conf
<Input in>
    Module      im_bsm
    DeviceFile  /dev/auditpipe
</Input>