
LEM integration with Solaris 10 using BSM

Updated: September 27, 2018


Integrate LEM with Solaris 10 using BSM.


  • LEM 6.2
  • Solaris 10


Solaris 10 BSM Setup

This document describes how to configure the Solaris 10 Basic Security Module (BSM) to log via syslog. The SolarWinds LEM agent for Solaris can then read the resulting log file via the Solaris BSM tool. We outline the steps necessary to configure BSM to do this, followed by a reference section with more detailed information about the various options. We assume that BSM is already installed on the Solaris 10 server. Solaris versions 8 and 9 need additional software (Snare) installed for BSM to log via syslog and are not covered in this document.


Configure BSM to send to syslog

You will need root access to the Solaris server. This process requires a reboot of the server.

  1. Assume a role that includes the Audit Control profile or become superuser and open a terminal window if you have not already.
  2. Run the script that enables the auditing service.
    # cd /etc/security
    # ./bsmconv
    This script is used to enable the Basic Security Module (BSM).
    Shall we continue with the conversion now? y/n *y*
    bsmconv: INFO: checking startup file.
    bsmconv: INFO: turning on audit module.
    bsmconv: INFO: initializing device allocation.

    The Basic Security Module is ready.
    If there were any errors, please fix them now.
    Configure BSM by editing files located in /etc/security.
    Reboot this system now to come up with BSM enabled.

    Do NOT reboot yet. You need to adjust some settings first.

    Save a backup copy of the audit_control file:

    # cp /etc/security/audit_control /etc/security/audit_control.orig

  3. Modify the audit_control file found in /etc/security to include flag settings for what you wish to audit and to log events via syslog. Sample settings are listed below.
    # vi /etc/security/audit_control
    ...
    dir:/var/audit
    flags:am,cl,ex,fc,fd,fm,lo,pc,ss,ua
    minfree:20
    naflags:lo
    plugin:name=audit_syslog.so;p_flags=am,cl,ex,fc,fd,fm,fr,fw,lo,pc,ss,ua

    These settings audit both success and failure. If you precede a flag with a dash (for example, -lo,-ex), the system will report failures only. More information about each flag is provided at the bottom of this document.

  4. Save a backup copy of the syslog.conf file.
    # cp /etc/syslog.conf /etc/syslog.conf.orig
  5. Add an audit.notice entry to the syslog.conf file. The log location is included in the entry.
    # vi /etc/syslog.conf
    …
    audit.notice	/var/adm/auditlog
  6. Create the log file.
    # touch /var/adm/auditlog
  7. Reload the syslog service with the new changes.
    # svcadm refresh system/system-log
  8. Save a backup copy of logadm.conf.
    # cp /etc/logadm.conf /etc/logadm.conf.orig
  9. Auditing generates a lot of information, so we will need to make an entry for log maintenance.
    # vi /etc/logadm.conf
    …
    /var/adm/auditlog -C 8 -a 'kill -HUP `cat /var/run/`'

    This will keep the last 8 days of audit logs.

  10. Reboot the Solaris server to activate changes.
  11. Log back in to the server and check for audit activity. You should see some entries in the auditlog file.
    # tail /var/adm/auditlog

    If the file is blank, consult your Solaris documentation ("System Administration Guide: Security Services", Chapter 30) or your Solaris support provider.
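
A consistency check for the two files edited in the procedure above, as an added example that is not part of the original article. It assumes the Solaris 10 syslog plugin line has the form plugin:name=audit_syslog.so;p_flags=..., that the plugin forwards only classes already preselected by flags or naflags, and that syslog.conf fields are separated by tabs; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article; sample files below are constructed.

# Print the value of the first "key:" line of an audit_control file.
ac_value() {  # $1=file  $2=key
    sed -n "s/^$2:[[:space:]]*//p" "$1" | sed 1q
}

# Print a comma-separated class list one class per line, without +, - and ^ prefixes.
classes() {  # $1=class list
    echo "$1" | tr ',' '\n' | tr -d '+^ -' | sed '/^$/d'
}

# Print p_flags classes that flags/naflags do not preselect. Names are compared as
# written: meta-classes (am, pc) are not expanded and audit_user is not consulted.
unselected_pflags() {  # $1=audit_control file
    pre=`ac_value "$1" flags`,`ac_value "$1" naflags`
    pfl=`ac_value "$1" plugin | sed -n 's/.*p_flags=\([^;]*\).*/\1/p'`
    for c in `classes "$pfl"`; do
        if classes "$pre" | grep -x "$c" >/dev/null; then :; else printf '%s ' "$c"; fi
    done
    return 0
}

# Return 0 when audit_control loads audit_syslog.so with usable p_flags and syslog.conf
# routes audit.notice to a file, TAB-separated; print each problem found.
check_bsm_syslog() {  # $1=audit_control  $2=syslog.conf
    rc=0
    case `ac_value "$1" plugin` in
        *name=audit_syslog.so*p_flags=*) ;;
        *) echo "audit_control: no audit_syslog.so plugin line with p_flags"; rc=1 ;;
    esac
    un=`unselected_pflags "$1"`
    [ -z "$un" ] || { echo "audit_control: p_flags classes not preselected: $un"; rc=1; }
    tab=`printf '\t'`
    grep "^audit\.notice$tab$tab*/" "$2" >/dev/null ||
        { echo "syslog.conf: no TAB-separated audit.notice entry"; rc=1; }
    return $rc
}

# Constructed sample mirroring the article's settings (plugin name is an assumption).
d=`mktemp -d`
printf '%s\n' 'dir:/var/audit' 'flags:am,cl,ex,fc,fd,fm,lo,pc,ss,ua' 'minfree:20' \
    'naflags:lo' 'plugin:name=audit_syslog.so;p_flags=am,cl,ex,fc,fd,fm,fr,fw,lo,pc,ss,ua' \
    > "$d/audit_control"
printf 'audit.notice\t/var/adm/auditlog\n' > "$d/syslog.conf"
check_bsm_syslog "$d/audit_control" "$d/syslog.conf" || echo "review the findings above"
```

Run against the sample settings, the check reports fr and fw: they are listed in p_flags but not in flags, so file read and write records reach syslog only if those classes are preselected elsewhere.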

Configuring the Agent and Connector

  1. Install the LEM Solaris agent on the machine (if not already installed).
  2. Once the agent has successfully connected in your console, navigate to Manage > Nodes.
  3. Next to the agent node, click the gear icon, and then select Connectors.
  4. From the Category drop-down list, select Operating Systems.
  5. Next to Solaris 10 BSM Auditing, click the gear icon, and then select New.
  6. Create a new connector configuration, and verify that the Log File path is pointed to the correct path for your audit log.
  7. Click Save.
  8. Next to the connector, click the gear icon, and then select Start.
  9. Log out of the Solaris server and log back in to generate some log entries and verify that you see them in the Console.


Audit Reference

Suggested Audit Classes

  • am: Administrative Actions (meta-class)
  • cl: Close System Call
  • ex: Program Execution
  • fc: Create Object
  • fd: Delete Object
  • fm: Change of Object Attribute
  • fr: Read Data, open for reading
  • fw: Write Data, open for writing
  • lo: Login and Logout events
  • pc: Process (meta-class)
  • ss: Change System State
  • ua: User Administration

We suggest you do NOT audit the following Audit Classes

  • all: All classes (meta-class)
  • ap: Application-defined events
  • fa: Access of object attributes
  • io: ioctl() System Calls
  • ip: System V IPC operations
  • na: Nonattributable events
  • nt: Network events: bind, connect, accept
  • ot: Miscellaneous, such as device allocation and memcntl()

Integration of Solaris and Snare

Because of the way Solaris performs internal logging, one of the following two solutions must be applied before Solaris can be integrated into LEM:

  A. The Snare agent is installed on Solaris, followed by a LEM agent, or
  B. BSM is installed on Solaris, followed by a LEM agent.


