Alisha,

Solaris (10 only!) has an option to dump BSM logs to syslog:
http://www.cuddletech.com/blog/pivot/entry.php?id=647

Configure this, point OSSEC to the syslog (format is obviously syslog) and you're done.

Cheers,
Wim

On Wed, Dec 16, 2009 at 11:37 PM, Alisha Kloc <[email protected]> wrote:
> Hello,
>
> Are there instructions anywhere for setting up OSSEC to read Solaris
> BSM audit logs? As of v. 1.5, OSSEC lists support for Solaris BSM, and
> I've found posts by people who say they are doing it, but nowhere can
> I find instructions on how to actually make it happen.
>
> Can I just point OSSEC at the directory where BSM stores its binary
> logs? If so, what log format must be specified in the <log_format> tag
> in the configuration file? Or do I need a script which translates BSM
> binary logs to another format? If so, what options/tags/commands/etc
> are needed to get the records formatted correctly in the output file,
> so that OSSEC can parse the logs?
>
> Thanks in advance for your help!
> -Alisha

-- 
Wim Remes
Security Afficionado
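As an added example (not part of either message above, and not configuration shipped by the OSSEC project), here are the two halves of what the reply describes: the Solaris 10 side, where the audit_syslog plugin turns BSM records into syslog text, and the OSSEC `<localfile>` entry that reads the resulting file. The log path /var/adm/auditlog and the audit class selection `lo,+ex` are assumptions taken from the pattern in the Solaris 10 audit documentation; substitute whatever file you route the audit facility to and whichever classes you actually want forwarded.

```xml
<!--
  Added example; assumptions are marked as such.

  Solaris 10 side (as root):

  1. /etc/security/audit_control: load the syslog plugin and select the
     audit classes it forwards. "lo" is login/logout, "+ex" is successful
     execs; this selection is an assumption, choose your own.

       plugin: name=audit_syslog.so; p_flags=lo,+ex

  2. /etc/syslog.conf: send the audit facility to its own file so the
     records are not mixed into /var/adm/messages. syslogd will not create
     the file, so touch it first. Fields are TAB separated. Path is an
     assumption.

       audit.notice	/var/adm/auditlog

       # touch /var/adm/auditlog
       # chmod 600 /var/adm/auditlog

  3. Make both daemons re-read their configuration:

       # audit -s
       # svcadm refresh system-log

  OSSEC side: /var/adm/auditlog now contains ordinary syslog lines
  (program name auditd, facility audit), so the agent reads it with
  log_format "syslog". No binary BSM trail parsing is involved.
-->
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/adm/auditlog</location>
  </localfile>
</ossec_config>
```

Two caveats worth knowing before relying on this. First, audit_syslog emits a summarised text form of each record, not the full binary token stream, so keep the binary trail in /var/audit if you need complete records for forensics; the syslog copy is for alerting. Second, the plugin forwards only the classes listed in `p_flags`, independently of the `flags:` line that controls the binary trail, so a class that is audited to disk is not automatically sent to syslog (and therefore not seen by OSSEC) until you add it there as well.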
