Hello,

Are there instructions anywhere for setting up OSSEC to read Solaris
BSM audit logs? As of v. 1.5, OSSEC lists support for Solaris BSM, and
I've found posts by people who say they are doing it, but nowhere can
I find instructions on how to actually make it happen.

Can I just point OSSEC at the directory where BSM stores its binary
logs? If so, what log format must be specified in the <log_format> tag
in the configuration file? Or do I need a script which translates BSM
binary logs to another format? If so, what options/tags/commands/etc
are needed to get the records formatted correctly in the output file,
so that OSSEC can parse the logs?

Thanks in advance for your help!
-Alisha
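Added example, not part of the original post and not OSSEC's or Solaris' own code: a small Python normalizer for the text that praudit prints, turning each BSM record into one syslog-style line that a line-oriented OSSEC <localfile> can read. Everything about the pipeline is an assumption the post does not confirm: that the binary trail is first converted with `praudit -l` (one record per line, comma-separated tokens), that the result is appended to a plain text file, and that OSSEC watches that file with the generic syslog log_format (hypothetical ossec.conf fragment in the module docstring; check the decoders and log_format values your OSSEC release actually ships). The sample records are constructed in the shape of praudit -l output, not captured from a real host.

```python
"""Normalize Solaris BSM records printed by ``praudit -l`` into one
syslog-style line per record for a line-oriented OSSEC <localfile>.

Assumed deployment (hypothetical, not verified against a specific release):

    praudit -l /var/audit/<trail> | python3 bsm2syslog.py solbox >> /var/log/bsm.log

    <localfile>
      <log_format>syslog</log_format>
      <location>/var/log/bsm.log</location>
    </localfile>
"""
import sys
import time
from typing import Dict, Iterable, List, Optional

# Constructed sample records in the shape of `praudit -l` output (one record
# per line, tokens and their fields separated by commas). Not real captures.
SAMPLE_LINES = [
    "header,104,2,login - local,,2008-09-25 11:04:37.516 -05:00,"
    "subject,root,root,root,root,root,2213,2213,0 0 localhost,"
    "text,successful login,return,success,0",
    "header,120,2,su,,2008-09-25 11:05:01.000 -05:00,"
    "subject,alisha,alisha,staff,alisha,staff,2250,2213,0 0 localhost,"
    "text,bad password,return,failure: Authentication failed,-1",
    "praudit: read error",  # not a record: must be skipped, never crash the feed
]

# Field order praudit uses after the "subject" token name.
SUBJECT_FIELDS = ("auid", "uid", "gid", "ruid", "rgid", "pid", "sid", "tid")


def parse_praudit_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one praudit -l record into a dict; None if the line is no record."""
    fields: List[str] = line.rstrip("\n").split(",")
    if len(fields) < 6 or fields[0] != "header":
        return None
    # header,<len>,<version>,<event name>,<modifier>,<timestamp>
    rec: Dict[str, str] = {"event": fields[3], "modifier": fields[4], "time": fields[5]}
    if "subject" in fields:
        i = fields.index("subject") + 1
        for name, value in zip(SUBJECT_FIELDS, fields[i:i + len(SUBJECT_FIELDS)]):
            rec[name] = value
    if "text" in fields:
        i = fields.index("text")
        if i + 1 < len(fields):
            rec["text"] = fields[i + 1]
    if "return" in fields:
        # return,<status>,<value>; a truncated record may lack either part
        i = fields.index("return")
        rec["status"] = fields[i + 1] if i + 1 < len(fields) else ""
        rec["value"] = fields[i + 2] if i + 2 < len(fields) else ""
    return rec


def syslog_timestamp(bsm_time: str) -> str:
    """'YYYY-MM-DD HH:MM:SS.mmm +ZZ:ZZ' -> 'Mon  d HH:MM:SS' (syslog style)."""
    t = time.strptime(bsm_time[:19], "%Y-%m-%d %H:%M:%S")
    return "%s %2d %s" % (time.strftime("%b", t), t.tm_mday, time.strftime("%H:%M:%S", t))


def to_syslog(rec: Dict[str, str], host: str) -> str:
    """Render a parsed record as key=value pairs behind a syslog header."""
    result = rec.get("status", "unknown")
    if rec.get("value"):
        result += "(%s)" % rec["value"]
    return ('%s %s bsm: event="%s" auid=%s uid=%s ruid=%s pid=%s tid="%s" '
            'text="%s" result=%s') % (
        syslog_timestamp(rec["time"]), host, rec["event"],
        rec.get("auid", "-"), rec.get("uid", "-"), rec.get("ruid", "-"),
        rec.get("pid", "-"), rec.get("tid", "-"), rec.get("text", ""), result)


def convert(lines: Iterable[str], host: str) -> List[str]:
    """Convert every parseable praudit line; silently drop the rest."""
    out: List[str] = []
    for line in lines:
        rec = parse_praudit_line(line)
        if rec is not None:
            out.append(to_syslog(rec, host))
    return out


if __name__ == "__main__":
    hostname = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    source = SAMPLE_LINES if sys.stdin.isatty() else sys.stdin
    for entry in convert(source, hostname):
        print(entry)
```

Run without stdin to see the constructed samples rendered; in the assumed pipeline the script reads praudit's output on stdin and the hostname is the first argument. The auid/uid/ruid split is kept because a privilege change shows up as a difference between the audit user id and the effective one, which is the detail an alert rule would key on.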