Sending audit logs to SYSLOG server
Solution 1
Edit: 11/17/14
This answer may still work, but in 2014, using the Audisp plugin is the better answer.
If you are running the stock ksyslogd syslog server I don't know how to do this. But there are great instructions for doing it with rsyslog at their Wiki. ( http://wiki.rsyslog.com/index.php/Centralizing_the_audit_log )
I will summarize:
-
On the sending client (
rsyslog.conf
):#
auditd audit.log $InputFileName /var/log/audit/audit.log $InputFileTag tag_audit_log: $InputFileStateFile audit_log $InputFileSeverity info $InputFileFacility local6 $InputRunFileMonitorNote that the
imfile
module will need to have been loaded previously in the rsyslog configuration. This is the line responsible for that:$ModLoad imfile
So check if it's in your
rsyslog.conf
file. If it's not there, add it under the### MODULES ###
section to enable this module; otherwise, the above configuration for auditd logging will not work. -
On the receiving server (
rsyslog.conf
):$template HostAudit, "/var/log/rsyslog/%HOSTNAME%/audit_log" local6.*
Restart the service (service rsyslog restart
) on both hosts and you should begin receiving auditd
messages.
Solution 2
The most secure and correct method is to use the audispd syslog plugin and/or audisp-remote.
To quickly get it working you can edit /etc/audisp/plugins.d/syslog.conf. RHEL includes this by default, though it is disabled. You need only change one line to enable it, active = yes.
active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO
format = string
But this is not very secure by default; syslog is an insecure protocol at its base, unencrypted, unauthenticated and in its original UDP specification, completely unreliable. It also stores a lot of information in insecure files. The Linux Audit System handles more sensitive information than is usually sent to syslog, hence it's separation. audisp-remote also provides Kerberos authentication and encryption, so it works well as a secure transport. Using audisp-remote, you would send audit messages using audispd to a audisp-remote server running on your central syslog server. The audisp-remote would then use the audispd syslog plugin to feed them into the syslog dameon.
But there are other methods! rsyslog is very robust! rsyslog also offers Kerberos encryption, plus TLS. Just make sure it's configured securely.
Solution 3
You can log directly to syslog using audisp, it's part of Audit package. In Debian (I haven't tried in other distros yet) edit in:
/etc/audisp/plugins.d/syslog.conf
and set active=yes
.
Related videos on Youtube
syn-
Updated on September 17, 2022Comments
-
syn- almost 2 years
I'm running several RHEL based systems which utilize the audit functionality within the 2.6 kernel to track user activity and I need to have these logs sent to centralized SYSLOG servers for monitoring and event correlation. Anyone know how to achieve this?
-
Scott Pack over 13 yearsAs an aside, I recommend checking out the CIS Benchmark for RHEL 5.0/5.1 for some advice on making auditd more useful.
-
Aaron Copley over 13 years@packs - Do you have a link handy? I'm interested..
-
Scott Pack over 13 years@Aaron - You can start here cisecurity.org/en-us/?route=downloads.multiform. Unless your organization is a member, you'll accept the license.
-
-
Scott Pack over 13 yearsUnfortunately, (but for an acceptable reason) syslog is not an output option with auditd, so you have to do it something like this.
-
syn- over 13 yearsJust FYI for anyone else setting this up, the config line required for loading imfile is: "$ModLoad imfile" More information on the module can be found here: rsyslog.com/doc/imfile.html
-
Arenstar over 13 yearsIf your on a production/busy server and sending logs, this is not an efficient way of doing this.. imfile utilizes polling, whereby your wasting cpu cycles always for watching the file..
-
2rs2ts about 8 yearsAre there any security concerns with having audisp forward to a local rsyslog server, then having the local rsyslog server forward to a remote aggregator rsyslog server (using TLS?)