This module provides support for parsing events logged using Sun’s Basic Security Module (BSM) Auditing API. This module reads directly from the kernel. See also xm_bsm.
/dev/auditpipe device file is available on FreeBSD and macOS. On
Solaris, the device file is not available and the log files must be read and
parsed with im_file and xm_bsm as shown in the
For information about setting up BSM Auditing, see the xm_bsm Setup section.
The im_bsm module accepts the following directives in addition to the common module directives.
This optional directive specifies the device file from which to read BSM events. If this is not specified, it defaults to
This optional directive can be used to specify the path to the audit event database containing a mapping between event names and numeric identifiers. The default location is
/etc/security/audit_eventwhich is used when the directive is not specified.
See the xm_bsm Fields.
This configuration reads BSM audit events directly from the kernel via the
/dev/auditpipe device file (which is not available on Solaris, see
the xm_bsm example instead).