- Basic Security Mode (BSM) Auditing
The im_bsm module collects logs generated by the BSM auditing system.Note
OpenBSD does not support BSM Auditing.
- Custom Programs
The im_exec module allows log data to be collected from custom external programs.Example 169. Using an External Command
This example uses the
tailcommand to read from a file.Note
The im_file module should be used to read log messages from files. This example only demonstrates the use of the im_exec module.
- DNS Monitoring
Logs can be collected from BIND 9.
- File Integrity Monitoring
Example 170. Monitoring File Integrity
This example monitors files in the
/srvdirectories, generating events when files are modified or deleted. Files ending in
.bakare excluded from the watch list.
The system logger may need to be disabled or reconfigured to collect logs with im_kernel. To completely disable syslogd on OpenBSD, run
rcctl stop syslogdand
rcctl disable syslogd.Example 171. Collecting Kernel Logs
This configuration reads events from the kernel.nxlog.conf
1 2 3
<Input kernel> Module im_kernel </Input>
- Local Syslog
Messages written to
/dev/logcan be collected with the im_uds module. Events written to file in Syslog format can be collected with im_file. In both cases, the xm_syslog module can be used to parse the events. See the Linux System Logs and Collecting and Parsing Syslog sections for more information.Example 172. Reading Syslog Messages From File
This example reads Syslog messages from
/var/log/messagesand parses them with the parse_syslog() procedure.
- Log Files
The im_file module can be used to collect events from log files.
- Process Accounting
The im_acct module can be used to gather details about who runs what processes.