
Figure 1: Reading a BSM File or Reading an Analysis File
The Simplest Workflows
At the simplest level, you will use Audit Explorer to read either (A) a raw BSM audit trail file or (B) an analysis file that ae_batch has already produced (see Figure 1). In practice, however, you will probably adopt one of the four slightly richer workflows described below.
Workflow Tree

Figure 2: Four Typical Workflows
Because BSM audit trail files are protected (they are readable only by root, so you need to escalate privilege to get at them), at a minimum you will have to use a command-line tool at some point. That leads you to one of the workflows shown in Figure 2. Below we cover the four paths shown in Figure 2:
  1. copy, Audit Explorer
  2. ae_batch, Audit Explorer
  3. ae_batch, upload script, web server, Audit Explorer
  4. ae_batch, web server, Audit Explorer
Workflow 1: copy, Audit Explorer
The first path across the top has you making a local copy of an audit trail (e.g., from the command line), and then opening that local file in Audit Explorer.
To make a copy of a protected BSM audit trail file, use the Terminal application to look at the audit directory, make a local copy, and then change the owner of that local copy to your own user ID (bob in the example below stands for your user name). Keep in mind that the copy is no longer protected the way the original in /var/audit is, so keep it out of shared directories and delete it when you are done.
$ sudo ls -l /var/audit
$ sudo cp /var/audit/20110725141947.20110725165703 .
$ sudo chown bob 20110725141947.20110725165703
Finally, in Audit Explorer you open your local copy of the BSM audit trail file. From the File menu, select
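The same three steps as an added example script (not part of Audit Explorer), generalised to pick the newest closed trail automatically and to leave the copy readable by its owner only. It relies on the OpenBSM naming convention: a closed trail is named start.end with two 14-digit timestamps, the trail still being written ends in .not_terminated, and current is a symlink to it. The destination directory and user name are placeholders; on a real machine run it as `sudo ./copy_trail.sh run`.

```shell
#!/bin/sh
# copy_trail.sh: copy the newest closed BSM audit trail out of the audit
# directory into a private, user-owned copy for Audit Explorer (Workflow 1).
# Added example, not shipped with Audit Explorer. Paths and the user name
# used when run without arguments are assumptions; adjust them.
set -eu

# Closed OpenBSM trails are named start.end (two 14-digit timestamps).
# The active trail ends in ".not_terminated" and "current" is a symlink to
# it; both are excluded by the pattern. Names sort chronologically.
newest_closed_trail() {
    dir="$1"
    ls "$dir" | grep -E '^[0-9]{14}\.[0-9]{14}$' | sort | tail -n 1
}

# Copy one trail into dest_dir, mode 0600, owned by "owner" when given.
# Prints the path of the copy.
copy_trail() {
    src_dir="$1"; name="$2"; dest_dir="$3"; owner="${4:-}"
    [ -n "$name" ] || { echo "no closed trail in $src_dir" >&2; return 1; }
    mkdir -p "$dest_dir"
    cp "$src_dir/$name" "$dest_dir/$name"
    # 0600 keeps the copy private even if dest_dir is shared; the original
    # in /var/audit is root-only and this copy should not be looser.
    chmod 0600 "$dest_dir/$name"
    if [ -n "$owner" ]; then
        chown "$owner" "$dest_dir/$name"
    fi
    echo "$dest_dir/$name"
}

# Usage: sudo ./copy_trail.sh run [audit_dir] [dest_dir] [owner]
# Under sudo, SUDO_USER is the invoking user, so the copy lands owned by you.
if [ "${1:-}" = "run" ]; then
    audit_dir="${2:-/var/audit}"
    dest="${3:-.}"
    owner="${4:-${SUDO_USER:-$(id -un)}}"
    trail="$(newest_closed_trail "$audit_dir")"
    copy_trail "$audit_dir" "$trail" "$dest" "$owner"
fi
```

After the copy you open it in Audit Explorer exactly as for a manually copied trail.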
Workflow 2: ae_batch, Audit Explorer
The second path uses ae_batch, the command-line tool embedded in Audit Explorer, to analyze the BSM audit trail and save the results. Audit Explorer then simply reads the analysis file, which is a much faster operation than parsing the raw trail.
You can run ae_batch from the command line (e.g., in Terminal), launch it automatically from launchd, or launch it from your own automated script.
$ sudo ae_batch -src /var/audit -dst ~/Results -filt ~/sample_filter.nsqFilt
Workflow 3: ae_batch, upload script, web server, Audit Explorer
The third path assumes you have your own upload script, perhaps the same shell script that called ae_batch in the first place, that uploads the analysis results file to a remote server, perhaps a web server (think of it as an "audit server"). If you use this approach, use ae_batch's -a option to tar and compress the analysis results, because the analysis results are actually a bundle (a directory of sub-files) and a single archive is far easier to ship and to check on the other end.
A security administrator can then review the uploaded analysis file on the server.
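An upload script for this path, as an added example that is not part of Audit Explorer. It takes the newest archive that `ae_batch -a` wrote into the results directory and pushes it to the audit server with curl. The server URL, the CA bundle path and the archive filename pattern are assumptions for illustration; the point is that it refuses anything but HTTPS, verifies the server against your own CA instead of passing -k, and fails loudly when the server rejects the upload.

```shell
#!/bin/sh
# upload_results.sh: Workflow 3 upload step. Pushes the newest archive that
# "ae_batch -a" produced in the results directory to an audit server over TLS.
# Added example, not part of Audit Explorer. The URL, CA bundle and archive
# extension below are assumptions; set them for your environment.
set -eu

RESULTS_DIR="${RESULTS_DIR:-$HOME/Results}"
AUDIT_SERVER_URL="${AUDIT_SERVER_URL:-https://audit.example.com/upload/}"  # assumed
CA_BUNDLE="${CA_BUNDLE:-/usr/local/etc/audit-server-ca.pem}"              # assumed: your server's CA
ARCHIVE_GLOB="${ARCHIVE_GLOB:-*.tgz}"                                     # assumed extension of the -a archive

# Analysis results describe who did what on the machine: never send them in
# the clear. Reject any URL that is not HTTPS before curl is even invoked.
check_url() {
    case "$1" in
        https://*) return 0 ;;
        *) echo "refusing non-HTTPS upload URL: $1" >&2; return 1 ;;
    esac
}

# Newest matching archive in dir by modification time; empty if none.
newest_archive() {
    dir="$1"; pattern="$2"
    ls -t "$dir"/$pattern 2>/dev/null | head -n 1
}

# Upload one file. --fail turns an HTTP error into a non-zero exit so a
# rejected upload stops the script; --cacert pins the server's CA, which is
# the replacement for the -k (no certificate checking) seen in examples.
upload_archive() {
    file="$1"; url="$2"; ca="$3"
    check_url "$url"
    curl --fail --silent --show-error --cacert "$ca" \
         --upload-file "$file" "$url$(basename "$file")"
}

# Usage: ./upload_results.sh run   (after "sudo ae_batch ... -a" has run)
if [ "${1:-}" = "run" ]; then
    archive="$(newest_archive "$RESULTS_DIR" "$ARCHIVE_GLOB")"
    [ -n "$archive" ] || { echo "no archive in $RESULTS_DIR" >&2; exit 1; }
    upload_archive "$archive" "$AUDIT_SERVER_URL" "$CA_BUNDLE"
    echo "uploaded $archive"
fi
```

If the audit server uses a self-signed certificate, export that certificate and point CA_BUNDLE at it rather than disabling verification.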
Workflow 4: ae_batch, web server, Audit Explorer
The fourth path, and possibly the simplest if you are responsible for more than one computer, uses ae_batch's ability to upload the analysis results directly to a web server. For example:
$ sudo ae_batch -src /var/audit/ -dst ~/Results/ -filt ~/sample_filter.nsqFilt -curl -curlopts -k
Note that the option handed to curl here, -k (--insecure), switches off TLS certificate verification. That is convenient while testing against a self-signed audit server, but on a production network it lets anyone who can intercept the connection read or replace the uploaded results. Install the server's certificate (or its CA) where curl can find it and drop -k once the setup works.
Simply placing a launchd configuration file in /Library/LaunchDaemons that calls ae_batch at prescribed times or events (e.g., we have it set to launch at boot and whenever a new audit trail file is created) will automatically feed your audit server with analysis results from your machines.
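The launchd side of this path, as an added example that is not shipped with Audit Explorer. The script renders a LaunchDaemons plist that runs ae_batch once at boot (RunAtLoad) and again whenever /var/audit changes (WatchPaths, which launchd triggers when a file is created or renamed in a watched directory, i.e. when the audit subsystem rotates to a new trail), then installs it with the ownership and mode launchd insists on. The location of the ae_batch binary, the filter file, the results directory and the job label are assumptions; the daemon runs as root, so the results path is absolute rather than ~/Results.

```shell
#!/bin/sh
# install_ae_batch_job.sh: generate and install a launchd daemon that runs
# ae_batch at boot and whenever /var/audit gains a new trail file (Workflow 4).
# Added example, not part of Audit Explorer. All four values below are
# assumptions for illustration; override them in the environment.
set -eu

AE_BATCH="${AE_BATCH:-/Applications/Audit Explorer.app/Contents/MacOS/ae_batch}" # assumed path
FILTER="${FILTER:-/Library/Application Support/ae_batch/sample_filter.nsqFilt}"   # assumed path
RESULTS="${RESULTS:-/var/root/ae_results}"   # assumed; the daemon runs as root, no ~ expansion
LABEL="${LABEL:-com.example.ae_batch}"       # assumed reverse-DNS job label

# Emit the plist. Each ProgramArguments <string> is one argv element, so the
# space in the application path needs no quoting. -curlopts -k is left out on
# purpose: it would disable certificate checking for every upload.
render_plist() {
    label="$1"; ae_batch="$2"; filter="$3"; results="$4"
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>$label</string>
    <key>ProgramArguments</key>
    <array>
        <string>$ae_batch</string>
        <string>-src</string>
        <string>/var/audit</string>
        <string>-dst</string>
        <string>$results</string>
        <string>-filt</string>
        <string>$filter</string>
        <string>-curl</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>WatchPaths</key>
    <array>
        <string>/var/audit</string>
    </array>
    <key>StandardErrorPath</key>
    <string>/var/log/ae_batch.log</string>
</dict>
</plist>
EOF
}

# Write the plist into /Library/LaunchDaemons and load it. launchd refuses a
# daemon plist that is not owned by root or that is writable by anyone else,
# so ownership and mode are set before loading.
install_job() {
    plist="/Library/LaunchDaemons/$LABEL.plist"
    render_plist "$LABEL" "$AE_BATCH" "$FILTER" "$RESULTS" > "$plist"
    chown root:wheel "$plist"
    chmod 0644 "$plist"
    launchctl load -w "$plist"
}

# Usage: sudo ./install_ae_batch_job.sh install
if [ "${1:-}" = "install" ]; then
    install_job
fi
```

Run `./install_ae_batch_job.sh` with no arguments and call render_plist yourself if you only want to inspect the generated file before installing it.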
Final Notes
By using the fourth workflow and a launchd job to launch ae_batch automatically on each machine, it is relatively easy to set up the client-server architecture shown in Figure 3.

Figure 3: Client Server Architecture

@NetSquared_USA  copyright Net Squared, Inc., 2008-2013