Linux – Sending audit logs to SYSLOG server

Tags: audit, linux, redhat, syslog

I'm running several RHEL based systems which utilize the audit functionality within the 2.6 kernel to track user activity and I need to have these logs sent to centralized SYSLOG servers for monitoring and event correlation. Anyone know how to achieve this?

Best Answer

Edit: 11/17/14

This answer may still work, but in 2014, using the Audisp plugin is the better answer.


If you are running the stock ksyslogd syslog server I don't know how to do this. But there are great instructions for doing it with rsyslog at their Wiki (http://wiki.rsyslog.com/index.php/Centralizing_the_audit_log).

I will summarize:

  • On the sending client (rsyslog.conf):

    # auditd audit.log
    $InputFileName /var/log/audit/audit.log
    $InputFileTag tag_audit_log:
    $InputFileStateFile audit_log
    $InputFileSeverity info
    $InputFileFacility local6
    $InputRunFileMonitor
    # forward the local6 messages to the central server over TCP (@@); the hostname is a placeholder
    local6.* @@central-syslog.example.com:514


    Note that the imfile module will need to have been loaded previously in the rsyslog configuration. This is the line responsible for that:

    $ModLoad imfile

    So check if it's in your rsyslog.conf file. If it's not there, add it under the ### MODULES ### section to enable this module; otherwise, the above configuration for auditd logging will not work.

  • On the receiving server (rsyslog.conf):

    # write each sending host's audit records to its own file, keyed on the syslog HOSTNAME field
    $template HostAudit, "/var/log/rsyslog/%HOSTNAME%/audit_log"
    local6.* ?HostAudit


Restart the service (service rsyslog restart) on both hosts and you should begin receiving auditd messages.
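The complete client/server pair that the summary above implies, written in the same legacy rsyslog directive syntax; this is an added illustration, not part of the original answer or the rsyslog wiki. The collector hostname, the TCP port, the work directory and the queue sizes are assumptions.

```conf
##### Client (RHEL host running auditd): /etc/rsyslog.conf #####
# File-tailing input module; state files and queues go under the work directory (assumed path).
$ModLoad imfile
$WorkDirectory /var/lib/rsyslog

# Tail audit.log and inject every line as a local6.info syslog message.
$InputFileName /var/log/audit/audit.log
$InputFileTag tag_audit_log:
$InputFileStateFile audit_log
$InputFileSeverity info
$InputFileFacility local6
$InputRunFileMonitor

# Disk-assisted queue so audit records survive a collector outage or a client reboot.
$ActionQueueType LinkedList
$ActionQueueFileName audit_fwd
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1
# Forward local6 over TCP (@@ = TCP, @ = UDP); hostname and port are placeholders.
local6.* @@loghost.example.internal:514
# Discard after forwarding so audit lines are not duplicated into /var/log/messages.
& ~

##### Collector: /etc/rsyslog.conf #####
# TCP listener on the same port the clients forward to.
$ModLoad imtcp
$InputTCPServerRun 514

# One audit_log per sending host, keyed on the syslog HOSTNAME field.
$template HostAudit,"/var/log/rsyslog/%HOSTNAME%/audit_log"
local6.* ?HostAudit
& ~
```

Plain TCP carries the audit records in clear text and accepts any sender, so on an untrusted network the same pair is normally run over rsyslog's gtls driver (or an equivalent TLS tunnel) with the listener restricted to the client addresses.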
