Growth of BSM log files is certainly a bit of a problem, but there are a number of ways of handling it. Firstly, you can configure BSM itself so that it does not audit every event. You do this by changing the /etc/audit/audit_control file. There is a guide on the Sun website that details what to do with this.
You can also configure the server sensor to clear the BSM log. In the properties of the sensor (from the WGM) one of the options is how to handle the BSM logs - either by reducing or removing them. The other option we've used in the past is to have a cron job to remove the log periodically.

Simon

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Mark Weiss
Sent: 22 January 2004 20:22
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: [ISSForum] BSM usage with Server Sensor on Solaris

We are in the process of attempting to roll out Server Sensor in our Unix (Solaris 2.8) environment. My question concerns the BSM (Basic Security Module) which is included in Solaris and is used to create the security logs so that Server Sensor can be used to flag curious activity (much like the Windows version does). Currently, we do not have the BSM enabled (there are other tools that are used).

In performing some testing with several of the options turned on in a lab environment, it is evident that the log file(s) can become very large, very fast. In our environment where our web servers see large volumes of traffic this could be a big problem.

I'd be curious to know if/how people are using the BSM in conjunction with Server Sensor on Solaris. I'm looking for ideal configurations of it. I'd also like to hear if there are people out there who do not have the BSM enabled and just look at Web traffic.

MW

_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo
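The cron-job approach mentioned in the reply, as an added example that is not part of the original thread or any ISS tooling: a function that deletes only closed BSM audit trail files older than a retention period and never touches the file the audit daemon is still writing. The directory, retention value and function name are assumptions; it relies on the Solaris naming of closed files as `<start>.<end>.<host>` and the active file as `<start>.not_terminated.<host>`, and needs a POSIX shell (on Solaris 8, `/usr/xpg4/bin/sh` or ksh rather than `/bin/sh`).

```shell
#!/bin/sh
# Added example: prune closed BSM audit files older than a retention period.
# prune_bsm_logs is a hypothetical helper name, not a Solaris or ISS command.
# Usage: prune_bsm_logs <audit_dir> <keep_days>   (prints the number removed)

prune_bsm_logs() {
    audit_dir=$1    # assumed: the directory named on the "dir:" line of audit_control
    keep_days=$2    # assumed: retention period agreed with whoever reviews the logs
    if [ ! -d "$audit_dir" ]; then
        echo "no such directory: $audit_dir" >&2
        return 2
    fi
    removed=0
    for f in "$audit_dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        case $name in
            # Active trail still being written by auditd: never delete it.
            *.not_terminated.*) continue ;;
            # Closed trail: <start timestamp>.<end timestamp>.<hostname>
            [0-9]*.[0-9]*.*) ;;
            # Anything else in the directory is not ours to remove.
            *) continue ;;
        esac
        # Delete only files last modified more than keep_days days ago.
        if [ -n "$(find "$f" -mtime +"$keep_days" -print)" ]; then
            rm -f "$f" && removed=$((removed + 1))
        fi
    done
    echo "$removed"
}

# From cron, running "audit -n" first closes the current trail and opens a new
# one, so that the closed file becomes eligible for pruning once it has aged out.
```

Pruning removes evidence along with disk usage, so the retention period should be long enough for the sensor and any archive job to have read a file before it is deleted.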
