[Fed-Talk] BSM Audit log loader v1.3
- Subject: [Fed-Talk] BSM Audit log loader v1.3
- From: "Dan O'Donnell" <email@hidden>
- Date: Fri, 19 Dec 2008 16:14:46 -0800
- Thread-topic: BSM Audit log loader v1.3
Erik Swan of Splunk has written an add-on application for the Splunk indexer that will capture BSM audit trails for OS X, Solaris and FreeBSD (coming). This will allow the centralization of BSM audit trails by moving the information to a central repository. It also allows easier searching of the audit trails and thus might make auditing faster and easier.
<http://www.splunkbase.com/apps/All/Technologies/app:BSM+Audit+log+loader#>
Splunk already captures syslogs and works on all major platforms (*nix, Windows, OS X) including VMware. This add-on should help anybody who has to regularly audit syslog and audit trail logs for multiple machines.
I will be testing it as soon as I can get to it, but anybody else who might be running Splunk is also welcome to use it. It is a free add-on application to the main Splunk application. The ReadMe follows:
This app is used to call auditreduce and praudit on an interval and to cache the time ranges for the query. This way you can run the script and not get duplicate results. The first time it runs it will start from Jan 1, 2000, or you can supply an earliest argument in the config file.
The app also supports a sinkhole for audit logs. Any audit logs placed in the sinkhole are run through auditreduce and praudit, then the logs are removed. WARNING: the script will delete any files placed in the sinkhole. If you do not want them deleted, please copy in symlinks.
To install, place the bsm directory in $SPLUNK_HOME/etc/apps and restart splunk.
There are a handful of useful options in the bsm.conf file.
It's often useful to test outside of Splunk to make sure the script works.
To do this you need to set SPLUNK_HOME.
export SPLUNK_HOME=your_splunk_install_location
Then
cd $SPLUNK_HOME/etc/apps/bsm
python bin/bsmping.py --noCache=True
The above should spit out audit logs.
The Python script will read config files in either etc/apps/bsm/local/bsm.conf or etc/apps/bsm/default/bsm.conf.
To protect your config changes from upgrade, do not edit the config file in default but instead copy the default/bsm.conf
to local/bsm.conf and make your changes there. The script will treat the copy in local with precedence.
See default/bsm.conf for possible configuration changes.
No changes are required if you want raw formatting of events.
TODO:
============
- Having trouble getting Mac OS X -b (before) and -a (after) arguments to work. This prevents caching from working.
- Testing of FreeBSD
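The ReadMe above describes the collector's two mechanisms but not how the caching actually avoids duplicate records. The script below is an added example, not the Splunk app's own code and not anything from the original post: it performs one pass of the interval collector (auditreduce over a cached time window, piped through praudit, then the window end is remembered) and one drain of a sinkhole directory. It relies on the documented auditreduce semantics that -a is inclusive ("at or after") and -b exclusive ("before"), so the previous run's -b can become the next run's -a without duplicates or gaps. The cache file name and format, the helper names, the /var/audit trail location and the injectable `run` callable are all assumptions made for the example.

```python
#!/usr/bin/env python3
"""Added example (not the Splunk app's code): one pass of a BSM collector of the
kind the ReadMe describes. Each run asks auditreduce for records in
[last_end, now), pipes them through praudit, then records `now` so the next run
starts there. Path names, cache format and helper names are assumptions."""
import os
import subprocess
import datetime as dt

EARLIEST = "20000101000000"   # ReadMe: first run starts at Jan 1, 2000
TS_FMT = "%Y%m%d%H%M%S"       # auditreduce -a/-b take YYYYMMDD[HH[MM[SS]]]


def window(last_end, now, earliest=EARLIEST):
    """(-a, -b) pair for this run. -a is inclusive and -b exclusive in
    auditreduce, so reusing the previous -b as the next -a yields neither
    duplicates nor gaps. A cache that is ahead of the clock is refused rather
    than silently producing an empty or inverted window."""
    start = last_end or earliest
    end = now.strftime(TS_FMT)
    if start >= end:
        raise ValueError(f"cached end {start} is not before now {end}")
    return start, end


def pipeline(start, end, trail_files):
    """argv lists for `auditreduce -a START -b END TRAILS... | praudit`.
    Trails are passed explicitly (assumed to live under /var/audit on OpenBSM)
    so the run does not depend on the platform's default trail search."""
    return (["auditreduce", "-a", start, "-b", end, *trail_files], ["praudit"])


def load_last_end(cache_path):
    """Cached -b value of the previous run, or None on the first run.
    A corrupt cache is refused instead of being passed to auditreduce."""
    try:
        with open(cache_path) as fh:
            value = fh.read().strip()
    except FileNotFoundError:
        return None
    if len(value) != 14 or not value.isdigit():
        raise ValueError(f"bad cache entry: {value!r}")
    return value


def save_last_end(cache_path, end):
    """Atomic write: a crash mid-write cannot leave a half-written timestamp."""
    tmp = cache_path + ".tmp"
    with open(tmp, "w") as fh:
        fh.write(end + "\n")
    os.replace(tmp, cache_path)


def run_pipeline(reduce_argv, praudit_argv):
    """Execute auditreduce | praudit and return praudit's text output."""
    reduce = subprocess.Popen(reduce_argv, stdout=subprocess.PIPE)
    out = subprocess.run(praudit_argv, stdin=reduce.stdout,
                         capture_output=True, text=True, check=True).stdout
    reduce.stdout.close()
    if reduce.wait() != 0:
        raise subprocess.CalledProcessError(reduce.returncode, reduce_argv)
    return out


def collect_once(trail_files, cache_path, now=None, run=run_pipeline):
    """One collector pass. `run(reduce_argv, praudit_argv) -> text` is
    injectable so the logic can be exercised where BSM tools are absent.
    The cache is advanced only after the pipeline succeeded, so a failed run
    is retried over the same window next time."""
    now = now or dt.datetime.now()
    start, end = window(load_last_end(cache_path), now)
    text = run(*pipeline(start, end, trail_files))
    save_last_end(cache_path, end)
    return text


def drain_sinkhole(sinkhole, process):
    """Run every file dropped in the sinkhole through process(path), then remove
    it. os.unlink removes only the link when the entry is a symlink, which is
    why the ReadMe suggests symlinking trails you want to keep. A file is
    removed only after process() returned, so a failure leaves it for retry."""
    drained = []
    for name in sorted(os.listdir(sinkhole)):
        path = os.path.join(sinkhole, name)
        if not (os.path.islink(path) or os.path.isfile(path)):
            continue
        process(path)
        os.unlink(path)
        drained.append(name)
    return drained


if __name__ == "__main__":
    import glob
    trails = sorted(glob.glob("/var/audit/*"))      # assumed trail location
    print(collect_once(trails, "bsm_lastrun"), end="")
    drain_sinkhole("sinkhole",                      # assumed directory name
                   lambda p: print(run_pipeline(["auditreduce", p], ["praudit"]), end=""))
```

The cache is advanced only after praudit has returned, and the sinkhole deletes a file only after it has been processed; both choices trade a possible re-read on failure for never silently losing a window or a trail.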