I'm running several RHEL-based systems which utilize the audit functionality within the 2.6 kernel to track user activity, and I need to have these logs sent to centralized SYSLOG servers for monitoring and event correlation. Does anyone know how to achieve this?
As an aside, I recommend checking out the CIS Benchmark for RHEL 5.0/5.1 for some advice on making auditd more useful. – Scott Pack Nov 15 '10 at 16:27
@packs - Do you have a link handy? I'm interested.. – Aaron Copley Nov 15 '10 at 16:32
@Aaron - You can start here http://cisecurity.org/en-us/?route=downloads.multiform. Unless your organization is a member, you'll accept the license. – Scott Pack Nov 15 '10 at 16:44
@packs - Thanks! That's why I couldn't find it so easily. (I'll have to register.) – Aaron Copley Nov 15 '10 at 16:48
3 Answers
The most secure and correct method is to use the audispd syslog plugin and/or audisp-remote.
To quickly get it working you can edit /etc/audisp/plugins.d/syslog.conf. RHEL includes this by default, though it is disabled. You need only change one line to enable it, active = yes.
active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO
format = string
But this is not very secure by default; syslog is an insecure protocol at its base: unencrypted, unauthenticated and, in its original UDP specification, completely unreliable. It also stores a lot of information in insecure files. The Linux Audit System handles more sensitive information than is usually sent to syslog, hence its separation. audisp-remote also provides Kerberos authentication and encryption, so it works well as a secure transport. Using audisp-remote, you would send audit messages using audispd to an audisp-remote server running on your central syslog server. The audisp-remote would then use the audispd syslog plugin to feed them into the syslog daemon.
But there are other methods! rsyslog is very robust! rsyslog also offers Kerberos encryption, plus TLS. Just make sure it's configured securely.
Are there any security concerns with having audisp forward to a local rsyslog server, then having the local rsyslog server forward to a remote aggregator rsyslog server (using TLS?) – 2rs2ts Apr 22 '16 at 19:16
Edit: 11/17/14
This answer may still work, but in 2014, using the Audisp plugin is the better answer.
If you are running the stock ksyslogd syslog server I don't know how to do this. But there are great instructions for doing it with rsyslog on their wiki (http://wiki.rsyslog.com/index.php/Centralizing_the_audit_log).
I will summarize:
On the sending client (rsyslog.conf):

# auditd audit.log
$InputFileName /var/log/audit/audit.log
$InputFileTag tag_audit_log:
$InputFileStateFile audit_log
$InputFileSeverity info
$InputFileFacility local6
$InputRunFileMonitor
# and a rule to send the local6 facility to the central server, e.g. (placeholder host):
# local6.* @@central-syslog-host:514

Note that the imfile module will need to have been loaded previously in the rsyslog configuration. This is the line responsible for that:

$ModLoad imfile

So check if it's in your rsyslog.conf file. If it's not there, add it under the ### MODULES ### section to enable this module; otherwise, the above configuration for auditd logging will not work.

On the receiving server (rsyslog.conf):

$template HostAudit, "/var/log/rsyslog/%HOSTNAME%/audit_log"
# the selector must reference the template, or nothing is written
local6.* ?HostAudit

Restart the service (service rsyslog restart) on both hosts and you should begin receiving auditd messages.
Unfortunately, (but for an acceptable reason) syslog is not an output option with auditd, so you have to do it something like this. – Scott Pack Nov 15 '10 at 16:26
Just FYI for anyone else setting this up, the config line required for loading imfile is: "$ModLoad imfile" More information on the module can be found here: http://www.rsyslog.com/doc/imfile.html – syn- Nov 15 '10 at 19:23
If you're on a production/busy server and sending logs, this is not an efficient way of doing this. **imfile** utilizes polling, whereby you're always wasting CPU cycles watching the file. – Arenstar Nov 16 '10 at 03:26
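Whichever transport you pick (the audispd syslog plugin from the first answer or the imfile forwarding from the second), what lands on the central server is one syslog line per audit record, and the "event correlation" from the question means re-joining records that share an audit serial. The following is an added example, not code from either answer or from the audit or rsyslog projects: it parses both line shapes (the `tag_audit_log:` tag set by the imfile config above, and an assumed `audispd` syslog ident for the plugin), groups records by host and serial, and runs two checks over constructed sample lines.

```python
import re
from collections import defaultdict
# Constructed sample: records forwarded by the imfile config (tag "tag_audit_log:") and by the audispd plugin (ident "audispd" assumed).
SAMPLE_LINES = [
    'Nov 15 16:26:01 web01 tag_audit_log: type=SYSCALL msg=audit(1289838361.123:4321): '
    'arch=c000003e syscall=2 success=yes exit=3 auid=500 uid=0 exe="/bin/cat" key="shadow-read"',
    'Nov 15 16:26:01 web01 tag_audit_log: type=PATH msg=audit(1289838361.123:4321): '
    'item=0 name="/etc/shadow" mode=0100400 ouid=0',
    'Nov 15 16:26:05 db02 audispd: node=db02 type=USER_LOGIN msg=audit(1289838365.001:77): '
    'pid=2345 uid=0 auid=501 msg=\'op=login id=501 exe="/usr/sbin/sshd" addr=192.0.2.10 res=failed\'',
]
SYSLOG_RE = re.compile(r'^(?P<stamp>\w{3}\s+\d+\s[\d:]+)\s(?P<host>\S+)\s(?P<tag>[^:\s]+):\s(?P<body>.*)$')
AUDIT_RE = re.compile(r'^(?:node=(?P<node>\S+)\s)?type=(?P<type>\w+)\smsg=audit\('
                      r'(?P<time>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\'[^\']*\'|\S+)')  # quoted values may contain spaces

def parse_fields(text):
    """key=value pairs; the quoted msg='...' sub-record of USER_* types is flattened in."""
    fields = {k: v.strip('"\'') for k, v in FIELD_RE.findall(text)}
    if 'msg' in fields:
        fields.update(parse_fields(fields.pop('msg')))
    return fields

def parse_line(line):
    """One audit record from a syslog line, or None when the line is not an audit record."""
    m = SYSLOG_RE.match(line)
    a = AUDIT_RE.match(m.group('body')) if m else None
    if not a:
        return None
    return {'host': a.group('node') or m.group('host'), 'type': a.group('type'),
            'serial': int(a.group('serial')), 'time': float(a.group('time')),
            'fields': parse_fields(a.group('fields'))}

def correlate(lines):
    """Group records by (host, serial): one kernel event is several records sharing a serial."""
    events = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        events[(rec['host'], rec['serial'])].append(rec)
    return dict(events)

def file_access(events, path):
    """Join each PATH record naming `path` with the SYSCALL record of the same event."""
    hits = []
    for (host, serial), recs in sorted(events.items()):
        names = {r['fields'].get('name') for r in recs if r['type'] == 'PATH'}
        syscalls = [r['fields'] for r in recs if r['type'] == 'SYSCALL']
        if path in names and syscalls:
            hits.append((host, serial, syscalls[0].get('exe'), syscalls[0].get('auid')))
    return hits

def failed_logins(events):
    return [(host, serial, r['fields'].get('addr'), r['fields'].get('id'))
            for (host, serial), recs in sorted(events.items())
            for r in recs if r['type'] == 'USER_LOGIN' and r['fields'].get('res') == 'failed']
```

The serial is only unique per host, which is why the grouping key includes the hostname (taken from the `node=` field when audispd adds it, otherwise from the syslog header).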
You can log directly to syslog using audisp; it's part of the Audit package. In Debian (I haven't tried in other distros yet) edit /etc/audisp/plugins.d/syslog.conf and set active=yes.