
Trying to forward only my auditd events by syslog, but I don't know which facility to use. I don't want to send everything to my syslog server as it would create redundancy in logging. I've set the audispd syslog plugin to active and from what I understand that should make auditd use syslog for logging the events. Now all I have to do is set the correct facility for auditd's events to forward to my logging server.

Please let me know if I'm mistaken on how this should be done. *I'm trying this on a CentOS 7 box.

ThunderJack

3 Answers


Auditd to syslog plugin facility settings

The Audisp plugin will send auditd data to syslog by default to the user facility. You can change this however.

cat /etc/audisp/plugins.d/syslog.conf
# This file controls the configuration of the syslog plugin.
# It simply takes events and writes them to syslog. The
# arguments provided can be the default priority that you
# want the events written with. And optionally, you can give
# a second argument indicating the facility that you want events
# logged to. Valid options are LOG_LOCAL0 through 7, LOG_AUTH,
# LOG_AUTHPRIV, LOG_DAEMON, LOG_SYSLOG, and LOG_USER.

active = yes
direction = out
path = builtin_syslog
type = builtin 
args = LOG_INFO
format = string

The key there being "Valid options are LOG_LOCAL0 through 7", so you can adjust this to your needs. On my system, they are the above default settings and I get auditd messages in the user facility logs.

Aaron
  • Where did you get that information from? It looks like the facility is LOG_INFO in your example. – SeligkeitIstInGott May 18 '17 at 19:28
  • From the config file itself. `/etc/audisp/plugins.d/syslog.conf` The file has since updated in a yum update to say `Valid options are LOG_LOCAL0 through 7, LOG_AUTH, LOG_AUTHPRIV, LOG_DAEMON, LOG_SYSLOG, and LOG_USER.` – Aaron May 18 '17 at 20:35
  • Gotcha. My system (RHEL based) doesn't mention anything other than the LOG_LOCAL options in the syslog.conf file comments. Either it's really old or perhaps syslog.conf looks different on different distros depending on the version included in the installer package (rpm, deb, whatever) or if it had been customized for a certain distro. – SeligkeitIstInGott May 19 '17 at 19:57
  • My example is from CentOS7.3 which should match `/etc/audisp/plugins.d/syslog.conf` on RHEL7 update 3. – Aaron May 20 '17 at 01:00

My reason for using this configuration is that the au-remote plugin was unreliable and dropped a lot of messages. It also flooded my system logs with errors as a result. I also wanted to keep the forwarded auditing logs separate on the aggregation server.

First, configure the syslog plugin:

active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO LOG_LOCAL6

Note that there are two arguments for args, the priority and the facility. The LOG_INFO priority means to send all messages that are info or more severe. The facility is basically the rsyslog channel that the audit dispatcher should route the messages into. It can be any of the valid options listed in the documentation for the syslog plugin. I'm just using LOG_LOCAL6 because it's not being used by any other applications in my system, and I want to keep the audit logs separate.

Edit /etc/audisp/plugins.d/au-remote.conf to disable the au-remote plugin:

active = no

The documentation for the syslog plugin recommends the following:

If you are aggregating multiple machines, you should edit auditd.conf to set the name_format to something meaningful and the log_format to enriched. This way you can tell where the event came from and have the user name and groups resolved locally before it is sent off of the machine.

So I used these settings:

NAME_FORMAT = HOSTNAME
LOG_FORMAT = ENRICHED

The audit logs are already being written locally to /etc/audit, so there's no need to edit /etc/rsyslog.conf, and tell it to write the local6 messages from the audit dispatcher to a file. You just need to make sure you have rsyslog configured for forwarding, and the messages will go to the aggregation server.

If you only want the audit messages to be forwarded, do the following in /etc/rsyslog.conf, and restart rsyslog.service:

local6.* @@logs.example.com:514

Restart the audit daemon to apply the settings (don't use systemctl restart):

service auditd restart

Then, on your log aggregation server, edit /etc/rsyslog.conf to write the incoming messages to a dedicated file:

local6.*                /var/log/auditd-forwarded

Finally, add this log to the log rotation schedule in /etc/logrotate.d/syslog (on the aggregation server):

/var/log/spooler
/var/log/auditd-forwarded
{
    missingok

Note: You can optionally put the logrotate configuration in its own file.

This has been verified to work on CentOS 7.

orodbhen
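Putting the two answers above together (the priority and facility arguments Aaron's answer describes, and orodbhen's forwarding procedure), here is an added example; it is not code from either answer or from the audit project. It is a POSIX shell script that stages the whole setup under a prefix directory, derives the matching rsyslog selector from the chosen facility, and checks the staged files before any daemon is restarted. The facility names are the ones quoted from syslog.conf above; treating each token of `args` as either a priority or a facility name, whichever list it matches, is an assumption that fits all three configurations on this page. The standard syslog priority names, the `set_key` helper, the rsyslog.d drop-in file name and the sample server name are my own choices, and the file contents it writes are constructed from the answers.

```shell
#!/bin/sh
# Added example: stage and check the auditd -> syslog forwarding setup.
# Facility list is the one quoted from /etc/audisp/plugins.d/syslog.conf;
# priority names are the standard syslog ones (assumption: the plugin
# accepts exactly these). Each args token is taken as a priority or a
# facility by name, whichever it matches (assumption, see lead-in).

PRIORITIES="LOG_DEBUG LOG_INFO LOG_NOTICE LOG_WARNING LOG_ERR LOG_CRIT LOG_ALERT LOG_EMERG"
FACILITIES="LOG_LOCAL0 LOG_LOCAL1 LOG_LOCAL2 LOG_LOCAL3 LOG_LOCAL4 LOG_LOCAL5 LOG_LOCAL6 LOG_LOCAL7 LOG_AUTH LOG_AUTHPRIV LOG_DAEMON LOG_SYSLOG LOG_USER"

in_list() { for w in $2; do [ "$w" = "$1" ] && return 0; done; return 1; }

# audisp_syslog_target FILE: print "PRIORITY FACILITY" the syslog plugin
# will use (defaults LOG_INFO and LOG_USER), or fail on an unknown or
# extra token. Every whitespace-separated token after '=' is an argument.
audisp_syslog_target() {
  prio=LOG_INFO; fac=LOG_USER
  args=$(sed -n 's/^[[:space:]]*args[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
  set -- $args
  [ $# -le 2 ] || { echo "syslog plugin takes at most two args: $args" >&2; return 1; }
  for tok in "$@"; do
    if in_list "$tok" "$PRIORITIES"; then prio=$tok
    elif in_list "$tok" "$FACILITIES"; then fac=$tok
    else echo "unknown priority/facility: $tok" >&2; return 1
    fi
  done
  echo "$prio $fac"
}

# rsyslog_selector LOG_LOCAL6 -> local6.*
rsyslog_selector() {
  printf '%s.*\n' "$(printf '%s' "$1" | sed 's/^LOG_//' | tr '[:upper:]' '[:lower:]')"
}

# set_key FILE KEY VALUE: replace an existing "key = ..." line (key match
# is case-insensitive, as auditd's own keys are) or append one. Creates
# FILE if missing. Hypothetical helper, not part of audit or rsyslog.
set_key() {
  f=$1; k=$2; v=$3
  [ -f "$f" ] || : > "$f"
  awk -v k="$k" -v v="$v" '
    { line = $0; sub(/^[ \t]+/, "", line) }
    tolower(line) ~ "^" tolower(k) "[ \t]*=" { print k " = " v; done = 1; next }
    { print }
    END { if (!done) print k " = " v }' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# stage_audit_forwarding ROOT FACILITY SERVER: write the files from the
# procedure above beneath ROOT ("/" on a real host, a temp dir to rehearse).
stage_audit_forwarding() {
  root=$1; fac=$2; server=$3
  mkdir -p "$root/etc/audisp/plugins.d" "$root/etc/audit" "$root/etc/rsyslog.d"
  cat > "$root/etc/audisp/plugins.d/syslog.conf" <<EOF
active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO $fac
format = string
EOF
  # au-remote off so events are not dispatched a second time
  set_key "$root/etc/audisp/plugins.d/au-remote.conf" active no
  # hostname in each record, users/groups resolved before leaving the box
  set_key "$root/etc/audit/auditd.conf" name_format hostname
  set_key "$root/etc/audit/auditd.conf" log_format enriched
  # forward only this facility, over TCP (@@), to the aggregation server
  printf '%s @@%s:514\n' "$(rsyslog_selector "$fac")" "$server" \
    > "$root/etc/rsyslog.d/60-audit-forward.conf"
}

# check_staged ROOT: 0 when the plugin args are valid, au-remote is off and
# the forwarding rule selects the same facility the plugin writes to.
check_staged() {
  root=$1
  target=$(audisp_syslog_target "$root/etc/audisp/plugins.d/syslog.conf") || return 1
  fac=${target#* }
  grep -qi '^active[[:space:]]*=[[:space:]]*no' "$root/etc/audisp/plugins.d/au-remote.conf" || return 1
  grep -qF "$(rsyslog_selector "$fac") @@" "$root/etc/rsyslog.d/60-audit-forward.conf"
}

# Stand-alone rehearsal in a scratch directory (constructed server name).
demo=$(mktemp -d)
stage_audit_forwarding "$demo" LOG_LOCAL6 logs.example.com
check_staged "$demo" && echo "staged config under $demo is consistent"
```

To apply it for real, call `stage_audit_forwarding / LOG_LOCAL6 your-server` as root, run `check_staged /`, then restart rsyslog and run `service auditd restart` as the answer describes. Because the checker counts every token after `=` as an argument, a trailing comment on the `args` line is reported instead of being passed on to the plugin.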

I was confused about the key and value thing in this file, so here is a working config for me (system used: Ubuntu 16.04), /etc/audisp/plugins.d/syslog.conf:

active = yes
direction = out
path = builtin_syslog
type = builtin
# send log to local6 facility
args = LOG_LOCAL6

Edit the rsyslog configuration to save the auditd log:

/etc/rsyslog.d/50-default.conf
# send local6 log to central log server listening on tcp port 6161
local6.*     @@192.168.8.147:6161

# To save local6 to file
local6.*    /tmp/auditd.log
sherpaurgen