<br>Hello,<br><br>Thank you for your comment, but I have tried the same way also and it seems the receiving server is not accepting the connection ...<br><br>I have no idea how to configure the Octopussy server for Rsyslog ... If anyone has an idea or has configured rsyslog for Octopussy, please help.<br>
<br>Below I am pasting the rsyslog server side configuration, and I have enabled "active=yes" in the client Auditd configuration ... kindly look into it once.<br><br><br>[root@octopussy ~]# cat /etc/rsyslog.conf<br>
#################<br>#### MODULES ####<br>#################<br><br>$ModLoad imuxsock # provides support for local system logging<br>$ModLoad imklog # provides kernel logging support (previously done by rklogd)<br>#$ModLoad immark # provides --MARK-- message capability<br>
<br># provides UDP syslog reception<br>$ModLoad imudp<br>$UDPServerRun 514<br><br># provides TCP syslog reception<br>$ModLoad imtcp<br>$InputTCPServerRun 514<br><br><br>###########################<br>#### GLOBAL DIRECTIVES ####<br>
###########################<br><br>#<br># Use traditional timestamp format.<br># To enable high precision timestamps, comment out the following line.<br>#<br>#$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat<br><br>
#<br># Set the default permissions for all log files.<br>#<br>$FileOwner root<br>$FileGroup adm<br>$FileCreateMode 0640<br>$DirCreateMode 0755<br><br>#<br># Include all config files in /etc/rsyslog.d/<br>#<br>$IncludeConfig /etc/rsyslog.d/*.conf<br>
[root@octopussy ~]# cat /etc/rsyslog.d/10-octopussy.conf<br>#########################################<br>#### GLOBAL DIRECTIVES FOR OCTOPUSSY ####<br>#########################################<br><br>$FileOwner root<br>$FileGroup adm<br>
$FileCreateMode 0640<br>$DirCreateMode 0750<br>$Umask 0022<br>$WorkDirectory /var/lib/octopussy/local/rsyslog<br>$CreateDirs on<br><br>$MaxMessageSize 8k<br><br>$ActionQueueMaxDiskSpace 1g<br>$ActionQueueFileName rsyslog<br>
$ActionQueueHighWaterMark 250000<br>$ActionQueueLowWaterMark 200000<br>$ActionQueueType LinkedList # [FixedArray/LinkedList/Direct/Disk]<br>$ActionQueueSaveOnShutdown on<br>$ActionQueueWorkerThreads 1 # 1 cpu<br><br>*.* |/var/spool/octopussy/octo_fifo<br>
<br><br>###############<br>#### RULES ####<br>###############<br><br># Remove all messages from other server<br>:hostname, !isequal, "octopussy" ~<br><br>++++++++++++++++++++++++++++++++++++++++++<br><br><br><div class="gmail_quote">
On Tue, Aug 7, 2012 at 12:58 PM, Vámos Balázs <span dir="ltr"><<a href="mailto:vamos.balazs@zuriel.hu" target="_blank">vamos.balazs@zuriel.hu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi,<br>
<br>
Details:<br>
<br>
Open /etc/audisp/plugins.d/syslog.conf<br>
Set active = yes<br>
restart auditd<br>
<br>
With this configuration you do not need to use syslog-ng to read and<br>
send content of audit.log. Just forward the syslog as you usually do.<br>
<br>
<br>
Notice that the format of the syslog message will be a bit different:<br>
<br>
Aug 7 09:00:54 znb06 audispd: node=znb06 type=CWD<br>
msg=audit(1344322854.313:1056): cwd="/"<br>
vs.<br>
Aug 7 09:00:54 znb06 your-tag: type=CWD<br>
msg=audit(1344322854.313:1056): cwd="/"<br>
<br>
<br>
Regards,<br>
<br>
Balazs Vamos<br>
LOGalyze.com<br>
<div><div class="h5"><br>
<br>
On 08/07/2012 07:35 AM, Balazs Scheidler wrote:<br>
><br>
> Hi,<br>
><br>
> you probably need to tell auditd to log to syslog on the client hosts.<br>
><br>
><br>
> ----- Original message -----<br>
> > Hi Folks,<br>
> ><br>
> > Need your help !<br>
> ><br>
> > Want to configure a centralized Audit server (Currently the centralized<br>
> > server is running Octopussy Web interface, which receives logs from<br>
> > remote hosts by Rsyslog ).<br>
> ><br>
> > The challenge and confusion here is .. all my linux clients are<br>
> > configured with syslog-ng and the daemon is sending all the system logs<br>
> > and kernel logs like messages,secure,cron logs etc ... without any<br>
> > trouble.<br>
> ><br>
> > The problem is the syslog-ng daemon is not able to send the auditd logs<br>
> > (/var/log/audit.log) to the Rsyslog server,<br>
> ><br>
> > Hence request your help to guide me how to setup the syslog-ng to<br>
> forward<br>
> > the audit.log to the remote Rsyslog server.<br>
> ><br>
> > It would be great if I can get client side and server side<br>
> configuration<br>
> > guidelines.<br>
> ><br>
> > --<br>
> > Thanks in Advance<br>
> > - Koresh<br>
><br>
><br>
><br>
</div></div>> ______________________________________________________________________________<br>
> Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
> Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
> FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
><br>
<br>
<br>
</blockquote></div><br><br clear="all"><br>-- <br><div><br></div>
<div><br></div>
<div><span style="font-family:'Times New Roman',serif;font-size:13px;border-collapse:collapse">Thanks & Regards,</span></div><span style="font-family:arial,sans-serif;font-size:13px;border-collapse:collapse"><p style="margin-top:0in;margin-right:0in;margin-bottom:0pt;margin-left:0in;line-height:normal">
<span style="font-family:'Times New Roman',serif"></span></p><p style="margin-top:0in;margin-right:0in;margin-bottom:0pt;margin-left:0in;line-height:normal"><span style="font-family:'Times New Roman',serif">- Koresh</span></p>
</span><span style="font-family:'Times New Roman',serif;font-size:13px;border-collapse:collapse"></span><br><br>
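<br>The thread turns on two things: the audisp syslog plugin emits records as <code>audispd: node=&lt;host&gt; type=&lt;TYPE&gt; msg=audit(&lt;epoch&gt;:&lt;serial&gt;): ...</code>, while a file-tailing forwarder emits the same record under its own tag and without <code>node=</code>; and on the collector rsyslog filters on the syslog hostname property. The parser below is an added example written for this editor's note, not code from the thread, from Octopussy, or from rsyslog/syslog-ng. It parses both line shapes Balázs showed, prefers the <code>node=</code> field over the syslog header host when naming the origin, and reassembles one kernel audit event from its records by <code>(origin, epoch, serial)</code>. The regexes, the <code>AuditRecord</code> type and the SYSCALL/PATH sample records are assumptions made for the example; the two CWD lines are the thread's own examples re-joined onto single lines as syslog delivers them.<br><br>

```python
"""Parse auditd records forwarded over syslog by the audispd syslog plugin.

Assumptions (not from the thread): the regexes below, the AuditRecord type and
the constructed SYSCALL/PATH sample records.  The two CWD sample lines are the
thread's examples, re-joined onto one line each as syslog delivers them.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Classic BSD syslog header: "Mon  7 09:00:54 host tag: body".  The tag is
# "audispd" when the audisp syslog plugin sends the record, or whatever tag a
# syslog-ng/rsyslog file source used when tailing audit.log directly.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+"
    r"(?P<tag>[^:\s]+):\s+"
    r"(?P<body>.*)$"
)
# Every audit record carries msg=audit(<epoch.millis>:<serial>); all records
# of one kernel event (SYSCALL, CWD, PATH, ...) share the same pair.
AUDIT_MSG_RE = re.compile(r"msg=audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\):\s*")
# key=value tokens; values may be double-quoted (possibly containing spaces) or bare.
KV_RE = re.compile(r'(?P<k>[A-Za-z0-9_\-]+)=(?P<v>"[^"]*"|\S+)')


def _kv(text: str) -> Dict[str, str]:
    """Split 'a=1 b="x y"' into a dict, stripping quotes from values."""
    return {m.group("k"): m.group("v").strip('"') for m in KV_RE.finditer(text)}


@dataclass
class AuditRecord:
    syslog_time: str
    host: str             # hostname from the syslog header (set by the sender)
    tag: str              # "audispd" or the forwarder's custom tag
    node: Optional[str]   # node= field added by audispd; None for the tagged form
    rtype: str            # audit record type, e.g. SYSCALL, CWD, PATH
    epoch: float
    serial: int
    fields: Dict[str, str]

    def origin(self) -> str:
        """Prefer node= (written by auditd on the client) over the syslog
        header host, which a relay in between may rewrite."""
        return self.node or self.host


def parse_audit_syslog_line(line: str) -> Optional[AuditRecord]:
    """Return an AuditRecord, or None for lines that are not audit records."""
    m = SYSLOG_RE.match(line.strip())
    if m is None:
        return None
    body = m.group("body")
    am = AUDIT_MSG_RE.search(body)
    if am is None:
        return None                       # ordinary syslog line (sshd, cron, ...)
    head = _kv(body[: am.start()])        # node=..., type=...
    if "type" not in head:
        return None
    return AuditRecord(
        syslog_time=m.group("ts"),
        host=m.group("host"),
        tag=m.group("tag"),
        node=head.get("node"),
        rtype=head["type"],
        epoch=float(am.group("epoch")),
        serial=int(am.group("serial")),
        fields=_kv(body[am.end():]),
    )


EventKey = Tuple[str, float, int]


def group_records(lines) -> Dict[EventKey, List[AuditRecord]]:
    """Reassemble kernel audit events from their records, keyed by
    (origin host, epoch, serial); non-audit lines are skipped."""
    events: Dict[EventKey, List[AuditRecord]] = {}
    for line in lines:
        rec = parse_audit_syslog_line(line)
        if rec is not None:
            events.setdefault((rec.origin(), rec.epoch, rec.serial), []).append(rec)
    return events


# Constructed sample input.  Lines 1-2 are the thread's examples on single
# lines; the SYSCALL and PATH records are made up to complete the same event;
# the sshd line shows a non-audit message being ignored.
SAMPLE_LINES = [
    'Aug 7 09:00:54 znb06 audispd: node=znb06 type=CWD msg=audit(1344322854.313:1056): cwd="/"',
    'Aug 7 09:00:54 znb06 your-tag: type=CWD msg=audit(1344322854.313:1056): cwd="/"',
    'Aug 7 09:00:54 znb06 audispd: node=znb06 type=SYSCALL msg=audit(1344322854.313:1056): '
    'arch=c000003e syscall=2 success=yes exit=3 auid=1000 uid=0 comm="cat" exe="/bin/cat" key="watched-file"',
    'Aug 7 09:00:54 znb06 audispd: node=znb06 type=PATH msg=audit(1344322854.313:1056): '
    'item=0 name="/etc/rsyslog.conf" inode=1234 mode=0100644',
    "Aug 7 09:00:55 znb06 sshd[1201]: Accepted publickey for root from 10.0.0.5 port 40012 ssh2",
]

if __name__ == "__main__":
    for key, recs in group_records(SAMPLE_LINES).items():
        print(key, [r.rtype for r in recs])
```

<br>Keying on <code>node=</code> rather than the header host is the point of the parser: a collector that filters or names sources by the syslog hostname sees whatever the last relay wrote, whereas <code>node=</code> is set by auditd on the originating client, so it is the field to index and alert on when records arrive through an intermediate forwarder.<br>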