
Fix Solaris 10 BSM Auditing Connector

Ba S

We would like to see the Solaris 10 BSM Auditing connector be fixed so it actually works. When we contacted support, we were told to use a 3rd party app, Snare, to convert these binary Basic Security Module log files & then send them to the LEM. Why would a connector even have a name & exist if it doesn't work? It would seem the connector could be fixed to do the same work as Snare & keep us from having to install another app that consumes resources on our boxes.

15 Comments
dlinder
Level 7

I agree - it's just silly to have a connector listed and advertised, but when it doesn't work, advise the customer to install, learn, and use a third-party product.  It's a little unprofessional.  The product does not perform as advertised.  I realize that Solarwinds concentrates much more heavily on Windows (alas) and UNIX is kind of an afterthought, but the UNIX features should still work.

under_score
Level 7

Along those lines, it would be great if LEM would have a connector for straight syslog sent from Solaris 10.  Seems very odd that it wouldn't have created a connector for handling syslog data from all of the most popular vendors.

dlinder
Level 7

I'm not sure if the voting is still open for this idea, how long it lasts, or what happens to move the idea to the next stage.  It has 18 votes which seems like a lot, and according to the filter makes it the second-most popular idea ever.  I don't see it "open for voting" so I assume the voting is done.  Is there some kind of timeline for the process?

colby
Level 16

Hey everyone, I'm checking on this. I need to straighten out which versions of BSM require Snare and which don't.

Regarding "Open for Voting" - it's a manual process. I'll move it now.

rodbeeson
Level 7

Nicole, I know Solaris 10 BSM needs Snare. I can't speak for other versions.

dlinder
Level 7

Thanks, Nicole, but what I was really asking is what happens after the voting process?  Voting has been open for almost two months now and this is the second-highest vote getter of all - what's next?  Thanks.

rodbeeson
Level 7

Hi Nicole (or anyone @ Solarwinds) - can anyone say if there is any planned movement on this front to get the Solaris 10 BSM Auditing connector working?  Thanks.

colby
Level 16

Did a little digging on this as it exists today:

  • (Oracle) Solaris 11 now uses some built-in auditing other than BSM, so it's not covered with the BSM connector no matter what (boo).
  • According to our internal documentation (from when we integrated with Solaris 10), Solaris 10 BSM does NOT require Snare to log to syslog. I have instructions for that internally that we can use to see if you guys can validate whether something changed or broke along the way, or if they just need to get KB'd/added to doc.
  • According to our internal documentation, Solaris 8/9 required Snare to syslog and 10 can optionally use Snare as well. I do have instructions for that internally as well that any of you already using Snare can help us validate.

If we can use you guys to help us out here, we can get some KBs up, or figure out where more research is necessary. I'll post up the instructions I have and you can let me know. Sorry it's taken us a while to respond on this one, I know it's a top vote getter and I'm hoping that there's just something obvious we're missing.

colby
Level 16

Here's the discussion thread so I could attach the documents:

misael
Level 7

Hi Nicole,

The challenges with BSM pulling for syslog are:

1. syslog has a max length of 1024 bytes, so truncation is possible

2. the audit_syslog plugin appears to not support sending command arguments to syslog, even though they exist in the BSM files

Has anyone successfully pulled command arguments from Solaris 10 audit data into the LEM without using snare?

Thanks.
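Two points in this thread lend themselves to a quick check a LEM admin can run on a Solaris 10 box: colby's note that Solaris 10 can send BSM records to syslog through the audit_syslog plugin without Snare, and misael's caveat that syslog messages are capped at 1024 bytes so records can be truncated. The script below is an added example written for this page, not code from SolarWinds, Snare or anyone in the thread. The audit_control `plugin:` / `p_flags=` syntax and the syslog.conf `audit` facility follow Solaris 10's audit_control(4) and syslog.conf(4) man pages; the sample file contents, the host name lem.example.internal and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: sanity checks for a Solaris 10 host that should ship BSM audit
# records to the LEM via the audit_syslog plugin (no Snare). Config syntax per
# Solaris 10 audit_control(4) and syslog.conf(4); sample contents constructed.

# 0 if FILE (an audit_control) loads audit_syslog.so with a non-empty p_flags
# class list, 1 otherwise. Without this line no audit record reaches syslog,
# which is exactly when the connector looks like it "does not work".
audit_syslog_enabled() {
  grep -E '^[[:space:]]*plugin:[[:space:]]*name=audit_syslog\.so(\.1)?[[:space:]]*;[[:space:]]*p_flags=[^[:space:]#]+' "$1" >/dev/null 2>&1
}

# 0 if FILE (a syslog.conf) forwards the audit facility to a remote host.
# audit_syslog writes at audit.notice, so the selector must be notice or a
# lower threshold; a selector such as audit.err silently drops every record.
syslog_forwards_audit() {
  grep -E '^[[:space:]]*audit\.(notice|info|debug|\*)[[:space:]]+@[^[:space:]]+' "$1" >/dev/null 2>&1
}

# Print how many lines in FILE have hit the 1024-byte syslog message limit
# mentioned in the thread; those records may be truncated and deserve review
# (or the p_flags class list should be narrowed to reduce record size).
count_possibly_truncated() {
  awk 'length($0) >= 1024 { n++ } END { print n + 0 }' "$1"
}

# Run both configuration checks; returns 0 only when both look right.
check_host() {
  rc=0
  if audit_syslog_enabled "$1"; then
    echo "audit_control: audit_syslog plugin enabled"
  else
    echo "audit_control: audit_syslog plugin missing or p_flags empty"; rc=1
  fi
  if syslog_forwards_audit "$2"; then
    echo "syslog.conf: audit facility forwarded to a remote host"
  else
    echo "syslog.conf: audit facility not forwarded (check selector and @host)"; rc=1
  fi
  return $rc
}

# Demo on constructed files; on a real host use /etc/security/audit_control
# and /etc/syslog.conf, then 'audit -s' and 'svcadm refresh system-log' after edits.
demo_dir=$(mktemp -d)
cat > "$demo_dir/audit_control" <<'EOF'
dir:/var/audit
flags:lo,ad
minfree:20
naflags:lo
plugin:name=audit_syslog.so;p_flags=lo,ad
EOF
printf 'audit.notice\t@lem.example.internal\n' > "$demo_dir/syslog.conf"
check_host "$demo_dir/audit_control" "$demo_dir/syslog.conf"
rm -rf "$demo_dir"
```

The checks are deliberately strict about the selector level: the most common way to "enable" audit forwarding and still see nothing arrive is a syslog.conf line whose priority is above notice. The truncation counter only tells you that a record is at the limit, not what was lost; the command-argument gap misael describes is a plugin limitation that no syslog-side check can recover.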