36. Oracle Solaris

NXLog can collect various types of system logs on the Solaris platform. For deployment details, see the supported Solaris platforms, Solaris installation, and monitoring.

Basic Security Mode (BSM) Auditing

The xm_bsm module can be used to parse logs collected with im_file.

Example 185. Collect BSM Audit Logs From the Kernel

This example configuration reads from files in /var/audit with im_file. The InputType provided by xm_bsm is used to parse the binary format.

nxlog.conf

<Extension bsm_parser>
    Module      xm_bsm
</Extension>

<Input in>
    Module      im_file
    File        '/var/audit/*'
    InputType   bsm_parser
</Input>

Custom Programs

The im_exec module allows log data to be collected from custom external programs.

Example 186. Using an External Command

This example uses the tail command to read from a file.

Note
The im_file module should be used to read log messages from files. This example only demonstrates the use of the im_exec module.

nxlog.conf

<Input systemlog>
    Module  im_exec
    Command /usr/bin/tail
    Arg     -f
    Arg     /var/log/syslog
</Input>

DNS Monitoring

Logs can be collected from BIND 9.

File Integrity Monitoring

File and directory changes can be detected and logged for auditing with the im_fim module. See File Integrity Monitoring.

Example 187. Monitoring File Integrity

This configuration watches for changes to files and directories under /usr/bin/.

nxlog.conf

<Input fim>
    Module          im_fim
    File            "/usr/bin/*"
    Digest          SHA1
    ScanInterval    3600
    Recursive       TRUE
</Input>

Local Syslog

Events written to file in Syslog format can be collected with the im_file module and parsed with the xm_syslog module. See Collecting and Parsing Syslog for more information.

Example 188. Reading Syslog Messages From File

This example uses the im_file module to read messages from /var/log/messages and the xm_syslog parse_syslog() procedure to parse them.

nxlog.conf

<Extension _syslog>
    Module  xm_syslog
</Extension>

<Input in>
    Module  im_file
    File    "/var/log/messages"
    Exec    parse_syslog();
</Input>

Log Files

The im_file module can be used to collect events from log files.

Example 189. Reading From Log Files

This configuration uses the im_file module to read events from the specified log file.

nxlog.conf

<Input in>
    Module  im_file
    File    "/foo/input.log"
</Input>

Process Accounting

The im_acct module can be used to gather details about who runs what processes.

Example 190. Reading Process Accounting Logs

With this configuration file, NXLog will enable process accounting to the specified file and read events from it.

nxlog.conf

<Input acct>
    Module  im_acct
    AcctOn  TRUE
    File    '/tmp/nxlog.acct'
</Input>
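
The chapter's audit sources combined into one forwarding configuration, as an added example that is not from the NXLog guide: each input tags its events, xm_json serialises the parsed fields, and a single route sends everything to a central collector. The collector Host and Port are placeholders, and the SHA256 digest is a substitution for the SHA1 used in Example 187.

```nxlog
# Added example (not from the NXLog guide): the Solaris sources from this
# chapter routed into one JSON feed for a central collector.
# Assumed: the collector Host/Port are placeholders; paths match the chapter.

<Extension bsm_parser>
    Module      xm_bsm
</Extension>

<Extension _json>
    Module      xm_json
</Extension>

# Kernel BSM audit trail (binary), parsed via the xm_bsm InputType
<Input bsm>
    Module      im_file
    File        '/var/audit/*'
    InputType   bsm_parser
    Exec        $SourceType = 'bsm';
</Input>

# Integrity checks of system binaries; SHA256 is another digest im_fim accepts
<Input fim>
    Module          im_fim
    File            "/usr/bin/*"
    Digest          SHA256
    ScanInterval    3600
    Recursive       TRUE
    Exec            $SourceType = 'fim';
</Input>

# Process accounting, enabled by NXLog itself (AcctOn)
<Input acct>
    Module  im_acct
    AcctOn  TRUE
    File    '/tmp/nxlog.acct'
    Exec    $SourceType = 'acct';
</Input>

# Serialise the parsed fields to JSON and forward over TCP
<Output collector>
    Module  om_tcp
    Host    siem.example.internal
    Port    1514
    Exec    to_json();
</Output>

<Route audit>
    Path    bsm, fim, acct => collector
</Route>
```

The $SourceType field travels inside each JSON record, so the collector can apply separate parsing and retention rules to BSM, FIM and accounting events without a second channel per source.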