Sending audit logs to SYSLOG server

linux syslog redhat audit
83,357

Solution 1

Edit: 11/17/14

This answer may still work, but in 2014, using the Audisp plugin is the better answer.

If you are running the stock ksyslogd syslog server I don't know how to do this. But there are great instructions for doing it with rsyslog at their Wiki. ( http://wiki.rsyslog.com/index.php/Centralizing_the_audit_log )

I will summarize:

  • On the sending client (rsyslog.conf): 

    # auditd audit.log  
$InputFileName /var/log/audit/audit.log  
$InputFileTag tag_audit_log:  
$InputFileStateFile audit_log  
$InputFileSeverity info  
$InputFileFacility local6  
$InputRunFileMonitor

    Note that the imfile module will need to have been loaded previously in the rsyslog configuration. This is the line responsible for that: 

    $ModLoad imfile

    So check if it's in your rsyslog.conf file. If it's not there, add it under the ### MODULES ### section to enable this module; otherwise, the above configuration for auditd logging will not work.

  • On the receiving server (rsyslog.conf): 

    $template HostAudit, "/var/log/rsyslog/%HOSTNAME%/audit_log"  
local6.*

Restart the service (service rsyslog restart) on both hosts and you should begin receiving auditd messages.

Solution 2

The most secure and correct method is to use the audispd syslog plugin and/or audisp-remote.

To quickly get it working you can edit /etc/audisp/plugins.d/syslog.conf. RHEL includes this by default, though it is disabled. You need only change one line to enable it, active = yes.

active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO
format = string

But this is not very secure by default; syslog is an insecure protocol at its base, unencrypted, unauthenticated and in its original UDP specification, completely unreliable. It also stores a lot of information in insecure files. The Linux Audit System handles more sensitive information than is usually sent to syslog, hence it's separation. audisp-remote also provides Kerberos authentication and encryption, so it works well as a secure transport. Using audisp-remote, you would send audit messages using audispd to a audisp-remote server running on your central syslog server. The audisp-remote would then use the audispd syslog plugin to feed them into the syslog dameon.

But there are other methods! rsyslog is very robust! rsyslog also offers Kerberos encryption, plus TLS. Just make sure it's configured securely.

Solution 3

You can log directly to syslog using audisp, it's part of Audit package. In Debian (I haven't tried in other distros yet) edit in:

/etc/audisp/plugins.d/syslog.conf

and set active=yes.

Share:
83,357

Related videos on Youtube

syn-
Author by

syn-

Updated on September 17, 2022

Comments

  • syn-
    syn- almost 2 years

    I'm running several RHEL based systems which utilize the audit functionality within the 2.6 kernel to track user activity and I need to have these logs sent to centralized SYSLOG servers for monitoring and event correlation. Anyone know how to achieve this?

    • Scott Pack
      Scott Pack over 13 years
      As an aside, I recommend checking out the CIS Benchmark for RHEL 5.0/5.1 for some advice on making auditd more useful.
    • Aaron Copley
      Aaron Copley over 13 years
      @packs - Do you have a link handy? I'm interested..
    • Scott Pack
      Scott Pack over 13 years
      @Aaron - You can start here cisecurity.org/en-us/?route=downloads.multiform. Unless your organization is a member, you'll accept the license.
  • Scott Pack
    Scott Pack over 13 years
    Unfortunately, (but for an acceptable reason) syslog is not an output option with auditd, so you have to do it something like this.
  • syn-
    syn- over 13 years
    Just FYI for anyone else setting this up, the config line required for loading imfile is: "$ModLoad imfile" More information on the module can be found here: rsyslog.com/doc/imfile.html
  • Arenstar
    Arenstar over 13 years
    If your on a production/busy server and sending logs, this is not an efficient way of doing this.. imfile utilizes polling, whereby your wasting cpu cycles always for watching the file..
  • 2rs2ts
    2rs2ts about 8 years
    Are there any security concerns with having audisp forward to a local rsyslog server, then having the local rsyslog server forward to a remote aggregator rsyslog server (using TLS?)

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Script to delete files older than 30days
python No module named ujson, while it's already installed
When and Why run alternatives --install java jar javac javaws on installing jdk in linux
/usr/bin/ld: attempted static link of dynamic object `/usr/lib64/libm.so'
CentOS use SNMP to show interface useage
PHP - Unable to load dynamic library '/usr/lib64/php/modules/
cannot find syslog.h on windows
Changing temporary file folder location in linux (for everything on the system)?
RedHat yum subversion installation
How to find the RAM size in Red Hat Linux Server?