- Enterprise Edition Reference Manual
131.5. Basic Security Module Auditing (im_bsm)
This module parses events logged through Sun's Basic Security Module (BSM) auditing API. It reads the events directly from the kernel through the audit pipe device rather than from audit log files on disk. See also xm_bsm.
Note: To examine the supported platforms, see the list of installer packages in the Available Modules chapter.
The BSM /dev/auditpipe device file is available on FreeBSD and macOS. On Solaris the device file does not exist, so the audit log files must be read and parsed with im_file and xm_bsm instead, as shown in the xm_bsm example.
131.5.1. Setup
For information about setting up BSM Auditing, see the xm_bsm Setup section.
131.5.2. Configuration
The im_bsm module accepts the following directives in addition to the common module directives.
- DeviceFile
  This optional directive specifies the device file from which to read BSM events. If it is not specified, it defaults to /dev/auditpipe.
- EventFile
  This optional directive specifies the path to the audit event database, which maps event names to their numeric identifiers. If it is not specified, it defaults to /etc/security/audit_event.
131.5.3. Fields
See the xm_bsm Fields.
131.5.4. Examples
This configuration reads BSM audit events directly from the kernel via the default /dev/auditpipe device file. That device is not available on Solaris; see the xm_bsm example instead.
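The configuration itself is not reproduced on this page, so the following is an added example and not the NXLog documentation's own configuration. It assumes FreeBSD or macOS with auditd running (so that /dev/auditpipe exists), that nxlog has enough privilege to open the device (the audit pipe is root-only by default), and that /var/log/nxlog/bsm.json is an acceptable destination path; the xm_json extension and om_file output are standard NXLog modules used here only to make the parsed fields visible.

```nxlog
# Added example, not from the NXLog reference manual.
# Assumes: FreeBSD or macOS, auditd running, nxlog able to open /dev/auditpipe.

<Extension _json>
    Module      xm_json
</Extension>

<Input bsm>
    Module      im_bsm
    # Both directives below are optional; the values shown are the defaults
    # documented above and could be omitted.
    DeviceFile  "/dev/auditpipe"
    EventFile   "/etc/security/audit_event"
</Input>

<Output file>
    Module      om_file
    # Assumed destination path; adjust for the host.
    File        "/var/log/nxlog/bsm.json"
    # Serialize every parsed field (see the xm_bsm Fields section) as one JSON record per line.
    Exec        to_json();
</Output>

<Route bsm_to_file>
    Path        bsm => file
</Route>
```

Because the audit pipe is a live kernel interface, this input only sees events generated after nxlog opens the device; events already written to the audit trail files are not replayed. If the output file stays empty, check first that auditd is running and that the audit_control flags select the event classes you expect, as described in the xm_bsm Setup section.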