Hi,

Details:

Open /etc/audisp/plugins.d/syslog.conf
Set active = yes
restart auditd

With this configuration you do not need to use syslog-ng to read and send the content of audit.log. Just forward the syslog as you usually do. Notice that the format of the syslog message will be a bit different:

Aug 7 09:00:54 znb06 audispd: node=znb06 type=CWD msg=audit(1344322854.313:1056): cwd="/"

vs.

Aug 7 09:00:54 znb06 your-tag: type=CWD msg=audit(1344322854.313:1056): cwd="/"

Regards,
Balazs Vamos
LOGalyze.com

On 08/07/2012 07:35 AM, Balazs Scheidler wrote:
Hi,
You probably need to tell auditd to log to syslog on the client hosts.
----- Original message -----
Hi Folks,
Need your help!
I want to configure a centralized audit server (currently the centralized server is running the Octopussy web interface, which receives logs from remote hosts via Rsyslog).
The challenge and confusion here is that all my Linux clients are configured with syslog-ng, and the daemon is sending all the system logs and kernel logs (messages, secure, cron logs etc.) without any trouble.
The problem is that the syslog-ng daemon is not able to send the auditd logs (/var/log/audit.log) to the Rsyslog server.
Hence I request your help to guide me on how to set up syslog-ng to forward audit.log to the remote Rsyslog server.
It would be great if I could get client-side and server-side configuration guidelines.
-- Thanks in Advance - Koresh
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
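The two message formats quoted in the thread differ only in the syslog tag (audispd vs. whatever tag the syslog daemon assigns) and in the `node=<hostname>` prefix that the audisp syslog plugin prepends to each record; the audit record after that is identical. On the collector side the practical consequence is that a parser has to accept both shapes and must join the several records (SYSCALL, CWD, PATH, ...) that share one `msg=audit(epoch:serial)` identifier back into a single event. The following parser is an added example, not code from the thread, LOGalyze or the syslog-ng project. The sample lines are constructed from the two messages quoted above; the SYSCALL record and the sshd line added to them, and the field values they carry, are assumptions for illustration.

```python
"""Normalise syslog-wrapped Linux audit records from either delivery format.

Added example, not part of the mailing-list thread. Handles both the
audispd form ("audispd: node=HOST type=...") and the plain form
("your-tag: type=...") shown in the thread, and groups records by the
audit event serial. Sample input is constructed.
"""
import re
from collections import defaultdict

# Syslog header: "Mon DD HH:MM:SS host tag:" followed by the audit record.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+): (?P<body>.*)$"
)
# Audit record: optional "node=", then type=, msg=audit(epoch:serial): fields
AUDIT_RE = re.compile(
    r"^(?:node=(?P<node>\S+) )?type=(?P<type>\S+) "
    r"msg=audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<fields>.*)$"
)
# key=value pairs; values may be double-quoted and contain spaces.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line):
    """Return a dict for one syslog-wrapped audit record, or None when the
    line is not an audit record (for example an ordinary sshd message)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    a = AUDIT_RE.match(m.group("body"))
    if not a:
        return None
    fields = {}
    for key, val in FIELD_RE.findall(a.group("fields")):
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1]          # strip the quotes around cwd="/" etc.
        fields[key] = val
    return {
        "syslog_host": m.group("host"),
        "syslog_tag": m.group("tag"),
        # audispd adds node=<hostname>; without it, trust the syslog host field
        "node": a.group("node") or m.group("host"),
        "type": a.group("type"),
        "epoch": float(a.group("epoch")),
        "serial": int(a.group("serial")),
        "fields": fields,
    }


def group_events(lines):
    """Group records by (node, serial): one audit event arrives as several
    records (SYSCALL, CWD, PATH, ...) that share the same msg=audit(...) id."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events[(rec["node"], rec["serial"])].append(rec)
    return dict(events)


# Constructed sample: the two lines quoted in the thread (the same CWD record
# in both delivery formats), plus an assumed SYSCALL record with the same
# serial so the grouping has something to join, and one non-audit line.
SAMPLE = """\
Aug 7 09:00:54 znb06 audispd: node=znb06 type=SYSCALL msg=audit(1344322854.313:1056): arch=c000003e syscall=2 success=yes exit=3 comm="cat" exe="/bin/cat" key="example-watch"
Aug 7 09:00:54 znb06 audispd: node=znb06 type=CWD msg=audit(1344322854.313:1056): cwd="/"
Aug 7 09:00:54 znb06 your-tag: type=CWD msg=audit(1344322854.313:1056): cwd="/"
Aug 7 09:00:55 znb06 sshd[1234]: Accepted publickey for root from 10.0.0.5 port 4242
""".splitlines()

if __name__ == "__main__":
    for (node, serial), recs in group_events(SAMPLE).items():
        print(node, serial, [r["type"] for r in recs])
```

Keying the event on `(node, serial)` rather than on the serial alone matters once several hosts forward to one collector: audit serials are per-host counters, so two machines can emit the same serial at nearly the same time. When the `node=` prefix is absent (the second format), the syslog host field is the only source for that key, which is one reason to prefer the audisp plugin path the thread recommends.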