Configuring DSMs
Sun Solaris Basic Security Mode (BSM)
345
FILES=$(ls -lrt | tr -s " " | cut -d" " -f9 | grep -v "not_terminated")
# We just created a new audit log by doing 'audit -n', so we can
# be sure that the last file in the list will be the latest
# archived binary log file. (The file still being written is named
# <starttime>.not_terminated.<hostname> and is excluded above.)
lastFile=""
for file in $FILES; do
  lastFile=$file
done
# Extract a human-readable file from the binary log file
echo "Beginning praudit of $lastFile"
praudit -l "$lastFile" > "$LOG_DIR$lastFile.log"
echo "Done praudit, creating log file at: $LOG_DIR$lastFile.log"
# Remove archived binary audit files older than $AUDIT_EXPIRE days.
# Note: as written, find also searches the current directory ('.'),
# so run the script from $AUDIT_DIR (which the 'ls' above assumes).
/usr/bin/find . $AUDIT_DIR -type f -mtime +$AUDIT_EXPIRE \
  -exec rm {} \; > /dev/null 2>&1
# End script
The script outputs log files in the <starttime>.<endtime>.<hostname>.log format. For example, the log directory in /var/log would contain a file with the following name:
20111026030000.20111027030000.qasparc10.log
Step 3
Optional. Edit the script to change the default directory for the log files.
a AUDIT_DIR="/var/audit" - The audit directory must match the location specified by the audit control file you configured in Step 5.
b LOG_DIR="/var/log/" - The log directory is the location of the human-readable log files of your Sun Solaris system that are ready to be retrieved by SIEM.
Step 4
Save your changes to the newauditlog.sh script.
Step 5
You are now ready to automate this script using cron to convert the Sun Solaris Basic Security Mode log to human-readable format.
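The following is an added example and is not part of the vendor's newauditlog.sh script. It performs the same three jobs the script above does (select the newest closed audit file, derive the .log path, prune expired files) but without parsing the output of ls -l and without letting find search the current directory. It assumes only what the guide already shows: closed BSM files are named <starttime>.<endtime>.<hostname> with 14-digit timestamps, the file still being written is named <starttime>.not_terminated.<hostname>, and praudit -l produces the text form. The function names and the directory arguments are the example's own.

```shell
#!/bin/sh
# Added example, not the guide's script. Assumed naming convention:
# closed file   <YYYYMMDDhhmmss>.<YYYYMMDDhhmmss>.<hostname>
# open file     <YYYYMMDDhhmmss>.not_terminated.<hostname>

# Print the name of the newest closed audit file in directory $1.
# Names sort chronologically because they begin with the start timestamp,
# so no dependency on ls -l column layout or on file modification times.
latest_audit_file() {
    ls "$1" | grep -v 'not_terminated' \
        | grep -E '^[0-9]{14}\.[0-9]{14}\..+$' | sort | tail -n 1
}

# Print the human-readable log path for audit file name $1 under log
# directory $2. $2 must end in '/' (as LOG_DIR="/var/log/" does in the guide).
log_path() {
    printf '%s%s.log\n' "$2" "$1"
}

# Convert the newest closed audit file in $1 to text under $2 with praudit.
# Returns 1 if there is no closed file, otherwise praudit's exit status.
convert_latest() {
    f=$(latest_audit_file "$1")
    [ -n "$f" ] || return 1
    praudit -l "$1/$f" > "$(log_path "$f" "$2")"
}

# Delete closed audit files in $1 older than $2 days. Only $1 is searched,
# and the file the kernel is still writing is never touched.
prune_audit_files() {
    find "$1" -type f -mtime +"$2" ! -name '*not_terminated*' -exec rm -f {} \;
}
```

A cron job would call convert_latest "$AUDIT_DIR" "$LOG_DIR" after audit -n and then prune_audit_files "$AUDIT_DIR" "$AUDIT_EXPIRE"; because every function prints only its result and returns a status, a failed praudit run is visible in cron's mail rather than hidden behind a redirect to /dev/null.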
Creating a Cron Job
Cron is a Solaris daemon utility that automates scripts and commands to run system-wide on a scheduled basis. The following steps provide an example for automating newauditlog.sh to run daily at midnight. If you need to retrieve log files multiple times a day from your Solaris system, you must alter your cron schedule accordingly.
Step 1
Type the following command to create a copy of your cron file:
crontab -l > cronfile
Step 2
Type the following command to edit the cronfile: