Hallo, dies ist ein Test.

PWD: /www/data-lst1/unixsoft/unixsoft/kaempfer/.public_html

Running in File Mode
Relative path: ./../../../../../../sbin/../man/man7/audit_syslog.7
Real path: /usr/share/man/man7/audit_syslog.7
Zurück

'\" te
.\" Copyright (c) 2008, 2023, Oracle and/or its affiliates.
.TH audit_syslog 7 "12 Sep 2023" "Oracle Solaris 11.4" "Standards, Environments, Macros, Character Sets, and miscellany"
.SH NAME
audit_syslog \- realtime conversion of
Solaris audit data to syslog messages
.SH SYNOPSIS

.LP
.nf
\fB/usr/lib/security/64/audit_syslog.so\fR
.fi
.SH DESCRIPTION
.sp
.LP
The \fBaudit_syslog\fR plugin module for Solaris audit, \fBaudit_syslog.so\fR, provides realtime conversion of Solaris audit data to syslog-formatted (text) data and sends it to a syslog daemon as configured in the appropriate syslog configuration file (\fBsyslog.conf\fR(5) or \fBrsyslog.conf\fR(5)). The plugin is configured with the \fBauditconfig\fR(8) utility.
.sp
.LP
Messages to \fBsyslog\fR are written if the \fBplugin\fR is configured as active via \fBauditconfig\fR. Use the \fBauditconfig\fR  \fB-setplugin\fR option to change all the plugin related configuration parameters. \fBSyslog\fR messages are generated with the facility code of \fBLOG_AUDIT\fR (\fBaudit\fR in \fBsyslog.conf\fR or \fBrsyslog.conf\fR) and severity of \fBLOG_NOTICE\fR. Audit \fBsyslog\fR messages contain data selected from the tokens described for the binary audit log. (See \fBaudit.log\fR(5)). As with all \fBsyslog\fR messages, each line in a \fBsyslog\fR file consists of two parts, a \fBsyslog\fR header and a message.
.sp
.LP
The \fBsyslog\fR header contains the date and time the message was generated, the host name from which it was sent, \fBauditd\fR to indicate that it was generated by the audit daemon, an ID field used internally by the syslog daemon, and \fBaudit.notice\fR indicating the \fBsyslog\fR facility and severity values. The \fBsyslog\fR header ends with the characters "\fB] \fR", that is, a closing square bracket and a space.
.sp
.LP
The message part starts with the event type from the header token. All subsequent data appears only if contained in the original audit record and there is room in the 1024-byte maximum length \fBsyslog\fR line. In the following example, the backslash (\fB\e\fR) indicates a continuation; actual \fBsyslog\fR messages are contained on one line:
.sp
.in +2
.nf
Oct 31 11:38:08 smothers auditd: [ID 917521 audit.notice] chdir(2) ok\e
session 401 by joeuser as root:other from myultra obj /export/home
.fi
.in -2
.sp
.sp
.LP
In the preceding example, \fBchdir\fR(2) is the event type. Following this field is additional data, described below. This data is omitted if it is not contained in the source audit record.
.sp
.ne 2
.mk
.na
\fB\fBok\fR or \fBfailed\fR\fR
.ad
.RS 21n
.rt
Comes from the return or exit token.
.RE

.sp
.ne 2
.mk
.na
\fB\fBsession \fI<#>\fR\fR\fR
.ad
.RS 21n
.rt
\fI<#>\fR is the session ID from the subject token.
.RE

.sp
.ne 2
.mk
.na
\fB\fBby \fI<name>\fR\fR\fR
.ad
.RS 21n
.rt
\fI<name>\fR is the audit ID from the subject token.
.RE

.sp
.ne 2
.mk
.na
\fB\fBas \fI<name>\fR:\fI<group>\fR\fR\fR
.ad
.RS 21n
.rt
\fI<name>\fR is the effective user ID and \fI<group>\fR is the effective group ID from the subject token.
.RE

.sp
.ne 2
.mk
.na
\fB\fBin\fR \fI<zone name>\fR\fR
.ad
.RS 21n
.rt
The zone name. This field is generated only if the \fBzonename\fR audit policy is set.
.RE

.sp
.ne 2
.mk
.na
\fB\fBfrom \fI<terminal>\fR\fR\fR
.ad
.RS 21n
.rt
\fI<terminal>\fR is the text machine address from the subject token.
.RE

.sp
.ne 2
.mk
.na
\fB\fBobj \fI<path>\fR\fR\fR
.ad
.RS 21n
.rt
\fI<path>\fR is the path from the path token The path can be truncated from the left if necessary to fit it on the line. Truncation is indicated by leading ellipsis (\fB...\fR).
.RE

.sp
.ne 2
.mk
.na
\fB\fBproc_uid \fI<owner>\fR\fR\fR
.ad
.RS 21n
.rt
\fI<owner>\fR is the effective user ID of the process owner.
.RE

.sp
.ne 2
.mk
.na
\fB\fBproc_auid \fI<owner>\fR\fR\fR
.ad
.RS 21n
.rt
\fI<owner>\fR is the audit ID of the process owner.
.RE

.sp
.ne 2
.mk
.na
\fB\fBargv \fI<arguments>\fR\fR\fR
.ad
.RS 21n
.rt
Listed are the \fBexecv\fR(2) system call parameter arguments from the \fBexec_args\fR token.
.sp
Arguments can be truncated from the right if necessary to fit them on the line. Truncation is indicated by trailing ellipsis (...).
.RE

.sp
.ne 2
.mk
.na
\fB\fBarge \fI<arguments>\fR\fR\fR
.ad
.RS 21n
.rt
Listed are the \fBexecv\fR(2) system call environment arguments from the \fBexec_env\fR token.
.sp
Arguments can be truncated from the right if necessary to fit them on the line. Truncation is indicated by trailing ellipsis (...).
.RE

.sp
.LP
The following are example \fBsyslog\fR messages:
.sp
.in +2
.nf
Nov  4  8:27:07 smothers auditd: [ID 175219 audit.notice] \e
system booted

Nov  4  9:28:17 smothers auditd: [ID 752191 audit.notice] \e
login - rlogin ok session 401 by joeuser as joeuser:staff from myultra

Nov  4 10:29:27 smothers auditd: [ID 521917 audit.notice] \e
access(2) ok session 255 by janeuser as janeuser:staff from  \e
129.146.89.30 obj /etc/passwd
.fi
.in -2
.sp
.SH OBJECT ATTRIBUTES
.sp
.LP
The \fBp_flag\fR attribute is used to further filter audit data being sent to the \fBrsyslog\fR daemon beyond the classes specified through the \fBflags\fR and \fBnaflags\fR (see \fBauditconfig\fR(8)) and through the user-specific lines of \fBuser_attr\fR(5). The parameter is a comma-separated list; each item represents an audit class (see \fBaudit_class\fR(5)) and is specified using the syntax described in \fBaudit_flags\fR(7). The default (empty \fBp_flags\fR listed) is that no audit records are generated.
.sp
.LP
The \fBp_cache_ttl\fR attribute is used to specify the time in seconds that a cached name-service value \fB(uid, gid, hostname)\fR can be reused. The default value is 1800 seconds, which is half the default cache ttl that \fBnscd\fR(8) uses.
.SH EXAMPLES
.LP
\fBExample 1\fR One Use of the \fBplugin\fR Line

.sp
.LP
In the specification shown below, the \fBplugin\fR (in conjunction with setting \fBflags\fR and \fBnaflags\fR) is used to allow class records for \fBlo\fR but allows class records for \fBam\fR for failures only. Omission of the \fBfm\fR class records results in no \fBfm\fR class records being output. The \fBpc\fR parameter has no effect because you cannot add classes to those defined by means of \fBflags\fR and \fBnaflags\fR and by \fBuser_attr\fR(5). You can only remove them.

.sp
.in +2
.nf
auditconfig -setflags lo,am,fm
auditconfig -setnaflags lo
auditconfig -setplugin audit_syslog active "p_flags=lo,-am,pc"
.fi
.in -2
.sp
.LP
\fBExample 2\fR Use of \fBall\fR

.sp
.LP
In the specification shown below, with one exception, \fBall\fR allows all flags defined by means of \fBflags\fR and \fBnaflags\fR (and \fBuser_attr\fR(5)). The exception the \fBam\fR metaclass, which is equivalent to \fBss,as,ua\fR, which is modified to output all \fBua\fR events but only failure events for \fBss\fR and \fBas\fR.

.sp
.in +2
.nf
auditconfig -setflags lo,am
auditconfig -setnaflags lo
auditconfig -setplugin audit_syslog active "p_flags=all,^+ss,^+as"
.fi
.in -2
.sp

.sp
.LP
In this example, some successful audit events in the \fBss\fR or \fBas\fR class that may be in multiple classes may still be included in the \fBsyslog\fR output.
.SH ATTRIBUTES
.sp
.LP
See \fBattributes\fR(7) for a description of the following attributes:
.sp
.TS
tab(
) box;
cw(2.75i) |cw(2.75i) 
lw(2.75i) |lw(2.75i) 
.
ATTRIBUTE TYPE
ATTRIBUTE VALUE
_
Availability
system/library
_
Interface Stability
See below
.TE
.sp
.sp
.LP
The message format and message content are Uncommitted. The configuration parameters are Committed.
.SH SEE ALSO
.sp
.LP
\fBaudit_class\fR(5), \fBuser_attr\fR(5), \fBattributes\fR(7), \fBaudit_flags\fR(7), \fBauditconfig\fR(8), \fBauditd\fR(8), \fBrsyslogd\fR(8), \fBsyslogd\fR(8)
.SH NOTES
.sp
.LP
Activating the \fBaudit_syslog\fR plugin requires also setting the syslog daemon configuration to process \fBsyslog\fR messages of facility \fBaudit\fR and severity \fBnotice\fR or above, and either store them in a file intended for Solaris audit records, or forward them to another system to do so. The configuration file to modify depends on the syslog daemon in use, \fB/etc/syslog.conf\fR for \fBsyslogd\fR(8) or \fB/etc/rsyslog.conf\fR for \fBrsyslogd\fR(8). An example of such a line follows.
.sp
.in +2
.nf
audit.notice                /var/audit/audit.log
.fi
.in -2
.sp
.sp
.LP
By default messages from \fBsyslog\fR are sent to remote \fBsyslog\fR servers by means of UDP, which does not guarantee delivery or ensure the correct order of arrival of messages. The \fBrsyslogd\fR daemon can be configured to use a TCP based transport (plain TCP \fBsyslog\fR, RELP) instead of UDP. For more information, see https://www.rsyslog.com/doc and the \fBrsyslogd\fR(8) man page.
.sp
.LP
If the parameters specified for the \fBplugin\fR line result in no classes being preselected, an error is reported by means of a \fBsyslog\fR alert with the \fBLOG_DAEMON\fR facility code.
.sp
.LP
The \fBaudit_syslog\fR is not a substitute for \fBaudit_binfile\fR(7) or \fBaudit_remote\fR(7). Only a limited set of tokens are included in the \fBsyslog\fR message. Use the audit trail files (\fBaudit.log\fR(5)) to obtain full audit records.
.sp
.LP
The time field in the \fBsyslog\fR header is generated by \fBsyslog\fR(3C) and only approximates the time given in the binary audit log. Normally the time field shows the same whole second or at most a few seconds difference.
.SH HISTORY
.sp
.LP
The \fBaudit_syslog\fR module was introduced in Solaris 10 3/05.