Solaris BSM Connector to audit single directory
Has anyone used the Solaris BSM Syslog Connector to audit a single directory on a Solaris server instead of collecting all file audit events from that server?
It is up to the configuration capabilities of Solaris BSM audit to audit a single directory and not the whole server. Whether or not BSM auditing can be configured for a single directory vs the entire server is a Solaris/Oracle question, not an ArcSight/HPE question. The BSM audit system is tightly integrated with the Solaris kernel.
The ArcSight connector will accept BSM audit logs regardless of whether they cover one directory or the entire server.
It is possible to use filtering on the connector to only deal with events for a particular directory, but that is probably not what you want to do.