Basic Security Module Auditing (xm_bsm)
This module provides support for parsing events logged to file using the Solaris OS Basic Security Module (BSM) Auditing API. This module is normally used in combination with the im_file module to read events from a log file. An InputType is registered using the name of the module instance. See also im_bsm, which reads audit events directly from the kernel—it is recommended instead in cases where NXLog is running as a local agent on the system and the device file is available for reading.
To examine the supported platforms, see the list of installer packages in the Available Modules chapter. |
Setup
For information about setting up BSM Auditing, see the corresponding documentation:
-
For FreeBSD, see Audit Configuration in the FreeBSD Handbook.
-
For Solaris 10, see Enabling and Using BSM Auditing in the Logical Domains 1.2 Administration Guide.
-
For Solaris 11, see Managing the BSM Service (Tasks) in the System Administration Guide.
Configuration
The xm_bsm module accepts the following directives in addition to the common module directives.
Fields
The following fields are used by xm_bsm.
$raw_event
(type: string)-
A list of event fields in key-value pairs.
$Arbitrary
(type: string)-
Arbitrary data token associated with the event, if any
$Arg00.Description
(type: string)-
The description of argument 0 (there may be additional arguments; for example,
Arg01
)
$Arg00.Value
(type: string)-
The value of argument 0
$AttributeDevID
(type: string)-
The device ID the file might represent
$AttributeFsID
(type: string)-
The file system ID
$AttributeGID
(type: string)-
The file owner group ID (GID)
$AttributeMode
(type: string)-
The file access mode and type
$AttributeNodeID
(type: string)-
The file inode ID
$AttributeUID
(type: string)-
The file owner user ID (UID)
$CertHash
(type: string)-
certificate hash string set
$Cmd
(type: string)-
The command, with arguments and environment, executed within the zone
$EventHost
(type: string)-
The host name of the machine corresponding to the event
$EventModifier
(type: string)-
The ID modifier that identifies special characteristics of the event
$EventName
(type: string)-
The name of audit event that the record represents
$EventTime
(type: datetime)-
The time at which the event occurred
$EventType
(type: string)-
The type of audit event that the record represents
$ExecArgs
(type: string)-
The list of arguments to an exec() system call
$ExecEnv
(type: string)-
The list of the current environment variables to an exec() system call
$ExitErrno
(type: string)-
The exit status as passed to the exit() system call
$ExitRetval
(type: string)-
The exit return value that describes the exit status
$FileModificationTime
(type: datetime)-
The last modification time of the file corresponding to the event (if applicable)
$FileName
(type: string)-
The name of the file corresponding to the event (if applicable)
$Hostname
(type: string)-
The IP address or hostname where the event originated
$Identity.CDHash
(type: string)-
Apple Identity CDHash hex
$Identity.SignerId
(type: string)-
Apple Identity signer ID
$Identity.SignerIdTruncated
(type: string)-
Apple Identity signer ID truncated flag
$Identity.SignerType
(type: string)-
Apple Identity signer type
$Identity.TeamId
(type: string)-
Apple Identity Team ID
$Identity.TeamIdTruncated
(type: string)-
Apple Identity Team ID truncated flag
$IPAddress
(type: string)-
The IP address as part of the IP token
$IPC
(type: string)-
The IPC handle that is used by the caller to identify a particular IPC object
$IPChecksum
(type: string)-
The checksum of the IP header
$IPCPermCreatorGID
(type: string)-
The IPC creator group ID (GID)
$IPCPermCreatorUID
(type: string)-
The IPC creator user ID (UID)
$IPCPermGID
(type: string)-
The IPC owner group ID (GID)
$IPCPermKey
(type: string)-
The IPC permission key
$IPCPermMode
(type: string)-
The IPC access mode
$IPCPermSeqID
(type: string)-
The IPC slot sequence
$IPCPermUID
(type: string)-
The IPC owner user ID (UID)
$IPDestAddr
(type: string)-
The destination address in the IP header
$IPFragmentOffset
(type: string)-
The fragment offset field of the IP header
$IPHeaderLen
(type: string)-
The total length of the IP header
$IPIdent
(type: string)-
The ID of the IP header
$IPProto
(type: string)-
The IP protocol
$IPServiceType
(type: string)-
The IP type of service (TOS)
$IPSrcAddr
(type: string)-
The source address in the IP header
$IPTTL
(type: string)-
The time-to-live (TTL) of the IP header
$IPVer
(type: string)-
The version for the Internet Protocol
$KRB5Principal
(type: string)-
KRB5Principal strings set
$Opaque
(type: string)-
The opaque field (unformatted, hexadecimal)
$Path
(type: string)-
Access path information for an object
$Privilege
(type: string)-
The privilege token
$ProcessAuditID
(type: string)-
The audit ID in the Process section
$ProcessGID
(type: string)-
The effective group ID (GID) in the Process section
$ProcessPID
(type: string)-
The process ID (PID) in the Process section
$ProcessRealGID
(type: string)-
The real group ID (GID) in the Process section
$ProcessRealUID
(type: string)-
The real user ID (UID) in the Process section
$ProcessSID
(type: string)-
The session ID (SID) in the Process section
$ProcessTerminal.Host
(type: string)-
The terminal IP address in the Process section
$ProcessTerminal.Port
(type: string)-
The terminal port in the Process section
$ProcessUID
(type: string)-
The effective user ID (UID) in the Process section
$ReturnErrno
(type: string)-
The error status of the system call in the Return section
$ReturnRetval
(type: string)-
The return value of the system call in the Return section
$Sequence
(type: string)-
The sequence number
$SocketAddress
(type: string)-
The remote socket address
$SocketPort
(type: string)-
The remote socket port
$SocketType
(type: string)-
The socket type field that indicates the type of socket referenced (TCP/UDP/UNIX)
$SubjectAuditID
(type: string)-
The invariant audit ID in the Subject section
$SubjectGID
(type: string)-
The effective group ID (GID) in the Subject section
$SubjectPID
(type: string)-
The process ID (PID) in the Subject section
$SubjectRealGID
(type: string)-
The real group ID (GID) in the Subject section
$SubjectRealUID
(type: string)-
The real user ID (UID) in the Subject section
$SubjectSID
(type: string)-
The session ID (SID) in the Subject section
$SubjectTerminal.Host
(type: string)-
The terminal IP address in the Subject section
$SubjectTerminal.Port
(type: string)-
The terminal port in the Subject section
$SubjectUID
(type: string)-
The effective user ID (UID) in the Subject section
$TerminalAddress
(type: string)-
The terminal address as found in a Subject and/or Process token
$TerminalLocalPort
(type: string)-
The terminal local port as found in a Subject and/or Process token
$TerminalRemotePort
(type: string)-
The terminal remote port as found in a Subject and/or Process token
$Text
(type: string)-
A text string associated with the event
$TokenVersion
(type: string)-
A number that identifies the version of the record structure
$Zone
(type: string)-
The zone name to which the audit event pertains
Examples
This configuration reads BSM audit logs from file and parses them with the InputType registered by xm_bsm.
<Extension bsm_parser>
Module xm_bsm
</Extension>
<Input in>
Module im_file
File '/var/audit/*'
InputType bsm_parser
</Input>