Converting Sun Solaris BSM audit logs

IBM QRadar doesn't process binary files directly from Sun Solaris BSM. You must convert the audit log from the existing binary format to a human-readable log format by using praudit before the audit log data can be retrieved by QRadar.

Procedure

  1. Type the following command to create a new script on your Sun Solaris console:

    vi /etc/security/newauditlog.sh

  2. Add the following information to the newauditlog.sh script:
    #!/bin/bash
    #
    # newauditlog.sh - Start a new audit file and expire the old logs
    #
    AUDIT_EXPIRE=30
    AUDIT_DIR="/var/audit"
    LOG_DIR="/var/log/"
    # Close the current audit trail and start a new one, so the file just closed can be converted
    /usr/sbin/audit -n
    cd "$AUDIT_DIR" || exit 1
    # Get a listing of the files, oldest first, that are not currently in use
    # (the trail still being written ends in "not_terminated")
    FILES=$(ls -lrt | tr -s " " | cut -d" " -f9 | grep -v "not_terminated")
    # We created a new audit log, so the last file in the list is the latest archived binary log file.
    lastFile=""
    for file in $FILES; do
      lastFile=$file
    done
    # Nothing to convert if no archived trail exists yet
    [ -n "$lastFile" ] || exit 0
    # Extract a human-readable file from the binary log file
    echo "Beginning praudit of $lastFile"
    praudit -l "$lastFile" > "$LOG_DIR$lastFile.log"
    echo "Done praudit, creating log file at: $LOG_DIR$lastFile.log"
    # Remove archived binary audit files that are older than AUDIT_EXPIRE days
    /usr/bin/find "$AUDIT_DIR" -type f -mtime +"$AUDIT_EXPIRE" -exec rm {} \; > /dev/null 2>&1
    # End script

    The script outputs log files in the <starttime>.<endtime>.<hostname>.log format.

    For example, the log directory in /var/log contains a file with the following name:

    20111026030000.20111027030000.qasparc10.log

  3. Optional: Edit the script to change the default directories for the audit files and the log files:
    1. AUDIT_DIR="/var/audit" - The audit directory must match the location that is specified by the audit control file that you configured in Enabling Basic Security Mode in Solaris 10.
    2. LOG_DIR="/var/log/" - The log directory is the location of the human-readable log files of your Sun Solaris system that are ready to be retrieved by QRadar.
  4. Save your changes to the newauditlog.sh script.
  5. Optional: If you want to make the script executable, type the following command:
    chmod +x /etc/security/newauditlog.sh
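As an added example that is not part of the IBM page or the script above, the same selection and conversion step written so that the newest completed audit file is chosen by its <starttime>.<endtime>.<hostname> name rather than by parsing ls -lrt, and so that a failed or empty praudit run never leaves a stray .log file for QRadar to collect. The converter command is a parameter (default praudit -l) so the logic can be exercised without BSM; all directory and file names below are constructed.

```shell
#!/bin/sh
# Added example, not from the IBM page: pick the newest completed BSM audit
# file by its <starttime>.<endtime>.<hostname> name and convert it, refusing
# to leave an empty .log behind. Directory names and file names are constructed.

# Print the newest terminated audit file name in directory $1 (nothing if none).
# Names are YYYYMMDDHHMMSS.YYYYMMDDHHMMSS.host, so a plain sort is chronological;
# the trail still being written is named <starttime>.not_terminated.<host> and
# does not match the pattern.
latest_audit_file() {
    ls "$1" 2>/dev/null \
        | grep '^[0-9][0-9]*\.[0-9][0-9]*\.[^.]*$' \
        | sort \
        | tail -1
}

# Convert the newest terminated audit file in $1 into $2/<name>.log using the
# converter command in $3 (default: praudit -l, as in the script above).
# Prints the path of the log written; returns 1, removing any partial output,
# when there is nothing to convert or the converter produced no data.
convert_latest() {
    audit_dir="$1"; log_dir="$2"; converter="${3:-praudit -l}"
    name=$(latest_audit_file "$audit_dir")
    if [ -z "$name" ]; then
        echo "no terminated audit file in $audit_dir" >&2
        return 1
    fi
    out="$log_dir/$name.log"
    if $converter "$audit_dir/$name" > "$out" 2>/dev/null && [ -s "$out" ]; then
        echo "$out"
    else
        rm -f "$out"
        echo "conversion of $name produced no output" >&2
        return 1
    fi
}

# Constructed demonstration: two archived trails and one still open; "cat"
# stands in for praudit so the flow runs on a machine without BSM.
demo() {
    a=$(mktemp -d); l=$(mktemp -d)
    echo "record" > "$a/20111025030000.20111026030000.qasparc10"
    echo "record" > "$a/20111026030000.20111027030000.qasparc10"
    echo "record" > "$a/20111027030000.not_terminated.qasparc10"
    convert_latest "$a" "$l" cat
    rm -rf "$a" "$l"
}
demo
```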

What to do next

If the script is executable, you can schedule it with cron so that the Sun Solaris Basic Security Mode log is converted to human-readable format automatically.