Rsyslog and Remote Audit Logging

This is the place for you, if you got rsyslog up and running but wonder how to make it do what you want.

Moderator: rgerhards


Rsyslog and Remote Audit Logging

Postby LuckyLeavell » Tue Jun 16, 2015 8:58 pm

I read the following article in the Rsyslog Wiki:

http://wiki.rsyslog.com/index.php/Centr ... _audit_log

Questions:

1. Do the rsyslog changes in the first part of the article do the same thing as the audisp-remote logging toward the end of the article? In other words do I need one or the other but not both to do remote audit logging?

2. Concerning the note on the SELinux affecting doing the rsyslog audit logging on RHEL6, why not add a SELinux policy to allow rsyslog to read the /var/log/audit/audit.log files?

I am using both RHEL5 and RHEL6.

Thank you,
Lucky


Re: Rsyslog and Remote Audit Logging

Postby dlang » Tue Jun 16, 2015 9:08 pm

You could modify the SELinux policy to allow access to the files.

Reading from the files and having auditd send to rsyslog are two different ways of doing the same thing. I prefer to have things delivered to rsyslog rather than having them written to disk and then scraped from disk later (less I/O and load on the system to do it direct).

Re: Rsyslog and Remote Audit Logging

Postby leonidas » Wed May 24, 2017 7:23 pm

Good morning to all. I have a related question here, David. I read your comment and am wondering if you could clarify your last statement about preferring to get them to rsyslog rather than written to disk. I am looking at configuring audisp to write logs to rsyslog. I want to leave the audit file alone as a separate file on the server; I just want to convert those messages to rsyslog messages so I can process them/forward them with my existing rulesets. I have seen this:

/etc/audisp/plugins.d/syslog.conf

Auditd to syslog plugin facility settings

The Audisp plugin will send auditd data to syslog by default to the user facility. You can change this however.

cat /etc/audisp/plugins.d/syslog.conf
# This file controls the configuration of the syslog plugin.
# It simply takes events and writes them to syslog. The
# arguments provided can be the default priority that you
# want the events written with. And optionally, you can give
# a second argument indicating the facility that you want events
# logged to. Valid options are LOG_LOCAL0 through 7, LOG_AUTH,
# LOG_AUTHPRIV, LOG_DAEMON, LOG_SYSLOG, and LOG_USER.

active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO
format = string

Questions:

1. If I turn this file on, will the file output be dropped into the imuxsock stream so it will be picked up by any rsyslog configuration commands I use? (i.e., rulesets/templates for forwarding)

2. Will the audit messages still be written to the /var/log/audit/audit.log as they are today? I want to leave this alone. I am just looking for the equivalent messages in syslog form to show up as input to rsyslog for processing.

3. The file makes reference to being able to set a default priority, but it doesn't show a parameter for this.

Any suggestions on how to do this would be much appreciated.

Best regards,


L
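As an added illustration (not part of any post above) of how the plugin config quoted in this thread fits together with an rsyslog ruleset: the first value of `args` is the priority and an optional second value is the facility, so tagging audit events with a dedicated facility lets rsyslog match them without disturbing the `/var/log/audit/audit.log` that auditd itself keeps writing. It assumes rsyslog v7 or later (RainerScript syntax), a program name of `audispd` or `audisp-syslog` (varies by audit version), and the hostname `loghost.example` as a placeholder.

```conf
# /etc/audisp/plugins.d/syslog.conf  (assumed edit: add LOG_LOCAL6 as facility)
active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO LOG_LOCAL6
format = string

# /etc/rsyslog.d/10-audit.conf  (example rsyslog rules, assumed file name)
# imuxsock is already loaded by the stock rsyslog.conf; the plugin writes
# through syslog(3), so its events arrive on the same local socket input.
ruleset(name="fwd_audit") {
    # disk-assisted queue so audit events survive a loghost outage
    action(type="omfwd" target="loghost.example" port="514" protocol="tcp"
           queue.type="LinkedList" queue.filename="audit_fwd"
           action.resumeRetryCount="-1")
}

# Match only audit events by facility and program name, forward them,
# and stop so they are not also written to /var/log/messages.
if ($syslogfacility-text == "local6" and
    ($programname == "audispd" or $programname == "audisp-syslog")) then {
    call fwd_audit
    stop
}
```

After restarting auditd (to load the plugin) and rsyslog, `/var/log/audit/audit.log` keeps growing as before while the forwarded copies carry the local6 facility.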
