Sending audit logs to SYSLOG server

Question

I'm running several RHEL based systems which utilize the audit functionality within the 2.6 kernel to track user activity and I need to have these logs sent to centralized SYSLOG servers for monitoring and event correlation. Anyone know how to achieve this?

Answer 1

The most secure and correct method is to use the audispd syslog plugin and/or audisp-remote.

To quickly get it working you can edit /etc/audisp/plugins.d/syslog.conf. RHEL includes this by default, though it is disabled. You need only change one line to enable it, active = yes.

active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO
format = string

But this is not very secure by default; syslog is an insecure protocol at its base, unencrypted, unauthenticated and in its original UDP specification, completely unreliable. It also stores a lot of information in insecure files. The Linux Audit System handles more sensitive information than is usually sent to syslog, hence it's separation. audisp-remote also provides Kerberos authentication and encryption, so it works well as a secure transport. Using audisp-remote, you would send audit messages using audispd to a audisp-remote server running on your central syslog server. The audisp-remote would then use the audispd syslog plugin to feed them into the syslog dameon.

But there are other methods! rsyslog is very robust! rsyslog also offers Kerberos encryption, plus TLS. Just make sure it's configured securely.

Answer 2

Edit: 11/17/14

This answer may still work, but in 2014, using the Audisp plugin is the better answer.

---

If you are running the stock ksyslogd syslog server I don't know how to do this. But there are great instructions for doing it with rsyslog at their Wiki. ( http://wiki.rsyslog.com/index.php/Centralizing_the_audit_log )

I will summarize:

• On the sending client (rsyslog.conf):

  # auditd audit.log  
  $InputFileName /var/log/audit/audit.log  
  $InputFileTag tag_audit_log:  
  $InputFileStateFile audit_log  
  $InputFileSeverity info  
  $InputFileFacility local6  
  $InputRunFileMonitor
  

  Note that the imfile module will need to have been loaded previously in the rsyslog configuration. This is the line responsible for that:

  $ModLoad imfile

  So check if it's in your rsyslog.conf file. If it's not there, add it under the ### MODULES ### section to enable this module; otherwise, the above configuration for auditd logging will not work.

• On the receiving server (rsyslog.conf):

  $template HostAudit, "/var/log/rsyslog/%HOSTNAME%/audit_log"  
  local6.*
  

Restart the service (service rsyslog restart) on both hosts and you should begin receiving auditd messages.

Answer 3

You can log directly to syslog using audisp, it's part of Audit package. In Debian (I haven't tried in other distros yet) edit in:

/etc/audisp/plugins.d/syslog.conf

and set active=yes.