Basic Security Module Auditing (im_bsm)
This module provides support for parsing events logged using Sun's Basic Security Module (BSM) Auditing API. Unlike xm_bsm, which parses BSM records read from audit log files, this module reads the audit records directly from the kernel through the audit pipe device. See also xm_bsm.
The BSM /dev/auditpipe device file is available on FreeBSD and macOS. On Solaris, the device file is not available and the audit log files must be read and parsed with im_file and xm_bsm instead, as shown in the xm_bsm example.
To examine the supported platforms, see the list of installer packages in the Available Modules chapter.
Setup
For information about setting up BSM Auditing, see the xm_bsm Setup section.
Configuration
The im_bsm module accepts the following directives in addition to the common module directives.
- DeviceFile
  This optional directive specifies the device file from which to read BSM events. If this is not specified, it defaults to /dev/auditpipe. The audit pipe device is normally accessible only to root, so the NXLog process must have sufficient privileges to open it.
- EventFile
  This optional directive specifies the path to the audit event database, which maps BSM event names to their numeric identifiers. If this is not specified, it defaults to /etc/security/audit_event.
Fields
See the xm_bsm Fields.
Examples
This configuration reads BSM audit events directly from the kernel via the (default) /dev/auditpipe device file. This device is not available on Solaris; see the xm_bsm example instead.
<Input in>
    Module      im_bsm
    DeviceFile  /dev/auditpipe
</Input>
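The following configuration is an added example and not part of the NXLog manual. It extends the example above into a complete pipeline: both im_bsm directives are set explicitly, every record read from the kernel is converted to JSON with xm_json, and the result is written to a file. The instance names and the output path /var/log/bsm.json are arbitrary choices for this example. The commented-out Solaris input is an assumption that follows the im_file plus xm_bsm pattern the page refers to, using the BSM InputType registered by xm_bsm.

```nxlog
# Added example (not from the NXLog manual). Reads BSM audit records
# directly from the kernel on FreeBSD/macOS and writes them as JSON.

<Extension json>
    Module      xm_json
</Extension>

<Input bsm_in>
    Module      im_bsm
    # Both directives are set to their documented defaults; they are
    # written out here so the values are explicit in the configuration.
    DeviceFile  /dev/auditpipe
    EventFile   /etc/security/audit_event
</Input>

# Solaris alternative (assumption: follows the im_file + xm_bsm pattern
# the page refers to; BSM is the InputType registered by xm_bsm).
# Use this block instead of the im_bsm input above on Solaris.
#<Extension bsm>
#    Module      xm_bsm
#</Extension>
#<Input bsm_in>
#    Module      im_file
#    File        '/var/audit/*'
#    InputType   BSM
#</Input>

<Output bsm_out>
    Module      om_file
    # Arbitrary output path chosen for this example.
    File        '/var/log/bsm.json'
    Exec        to_json();
</Output>

<Route bsm>
    Path        bsm_in => bsm_out
</Route>
```

Auditing must already be enabled on the host (see the Setup section) for anything to arrive on the audit pipe; with the audit daemon running, records are delivered as the kernel commits them, so the JSON file reflects events in near real time rather than on log rotation.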