I have one of my Servers, running Solaris 9. I wanna enable the Audit log enabling, the way I did in Solaris 10 Servers.
After running, the bsmconv script, giving the reboots, modifying all the audit files in /etc/security, the audit is enabled, but the audit file which shall be updating in human readable format, its missing.
The /var/adm/messages show the following error.
syslogd: line 47: unknown facility name "audit"
Now, this must be because of the following entry in syslog.conf which is not supported by Solaris 9.
audit.notice /var/adm/auditlog
Please tell me, what do I need to do on my Solaris 9 box, which will show me the audit logs in readable format, because enabling audit logs but not being able to read them, makes no sense to anyone.
# cat /var/adm/auditlog | more
Jan 15 03:10:16 <hostname> audit: [ID 702911 audit.notice] execve(2) ok session 15478 by root as root:root from unknown obj /usr/bin/sbin/sh
Jan 15 03:10:16 <hostname> audit: [ID 702911 audit.notice] execve(2) ok session 15478 by root as root:root from unknown obj /usr/bin/cat
Jan 15 03:10:17 <hostname> audit: [ID 702911 audit.notice] ftp logout ok session 15643 by <system-user> as <system-user>:<system user group> from <IP of a remote system>
Jan 15 03:10:17 <hostname> audit: [ID 702911 audit.notice] ftp access ok session 15653 by <system-user> as <system-user>:<system user group> from <IP of a remote system>
Jan 15 03:10:17 <hostname> audit: [ID 702911 audit.notice] ftp logout ok session 15653 by <system-user> as <system-user>:<system user group> from <IP of a remote system>
Jan 15 03:10:17 <hostname> audit: [ID 702911 audit.notice] ftp access ok session 15655 by <system-user> as <system-user>:<system user group> from <IP of a remote system>
Jan 15 03:10:18 <hostname> audit: [ID 702911 audit.notice] ftp access ok session 15656 by <system-user> as <system-user>:<system user group> from <hostname>
Jan 15 03:10:18 <hostname> audit: [ID 702911 audit.notice] ftp logout ok session 15656 by <system-user> as <system-user>:<system user group> from <hostname>
Jan 15 03:10:18 <hostname> audit: [ID 702911 audit.notice] ftp logout ok session 15655 by <system-user> as <system-user>:<system user group> from <IP of a remote system>
Jan 15 03:10:18 <hostname> audit: [ID 702911 audit.notice] ftp access ok session 15658 by <system-user> as <system-user>:<system user group> from <IP of a remote system>
Jan 15 03:10:18 <hostname> audit: [ID 702911 audit.notice] ftp logout ok session 15658 by <system-user> as <system-user>:<system user group> from <IP of a remote system>
And since with Solaris 9 when I am making a similar entry in syslog.conf, its not working, What am I supposed to do to to get a file similar to the auditlog file as shown in the example above.