Query On configuring Centralized Audit server with Auditd daemon
Hi Folks,
Need your help!
I want to configure a centralized audit server (currently the centralized server is running the Octopussy web interface, which receives logs from remote hosts by rsyslog).
The challenge and confusion here is: all my Linux clients are configured with syslog-ng, and the daemon is sending all the system logs and kernel logs like messages, secure, cron logs etc. without any trouble.
The problem is that the syslog-ng daemon is not able to send the auditd logs (/var/log/audit.log) to the rsyslog server.
Hence I request your help to guide me on how to set up syslog-ng to forward audit.log to the remote rsyslog server.
It would be great if I can get client-side and server-side configuration guidelines.
-- Thanks in Advance - Koresh
Hi,
you probably need to tell auditd to log to syslog on the client hosts.
Hi,
Details:
Open /etc/audisp/plugins.d/syslog.conf
Set active = yes
restart auditd
With this configuration you do not need to use syslog-ng to read and send the content of audit.log. Just forward the syslog as you usually do.
Notice that the format of the syslog message will be a bit different:
Aug 7 09:00:54 znb06 audispd: node=znb06 type=CWD msg=audit(1344322854.313:1056): cwd="/"
vs.
Aug 7 09:00:54 znb06 your-tag: type=CWD msg=audit(1344322854.313:1056): cwd="/"
Regards,
Balazs Vamos
LOGalyze.com
On 08/07/2012 07:35 AM, Balazs Scheidler wrote:
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
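An added example, not code from the thread or from Octopussy or LOGalyze, that parses both message shapes Balazs shows above so a server-side consumer can treat audispd-forwarded and file-tagged audit records alike. The two SAMPLES are constructed from the lines quoted in his reply; the event_id key and the group_events helper are my assumptions about how a consumer stitches the multi-record audit events back together.

```python
import re
from datetime import datetime, timezone

# Constructed samples mirroring the two formats quoted in the thread: the
# audisp syslog plugin (tag "audispd") prepends "node=<host>", a file-reading
# syslog-ng source with an arbitrary tag does not.
SAMPLES = [
    'Aug 7 09:00:54 znb06 audispd: node=znb06 type=CWD msg=audit(1344322854.313:1056): cwd="/"',
    'Aug 7 09:00:54 znb06 your-tag: type=CWD msg=audit(1344322854.313:1056): cwd="/"',
]

# RFC 3164 header: timestamp (one or two spaces before the day), hostname, tag
HEADER = re.compile(r'^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<tag>[^:\s]+): (?P<body>.*)$')
# audit record: optional node=, type=, msg=audit(<epoch>.<ms>:<serial>): then key=value fields
AUDIT = re.compile(r'^(?:node=(?P<node>\S+) )?type=(?P<type>\S+) msg=audit\((?P<sec>\d+)\.(?P<ms>\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$')
FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_audit_line(line):
    """Return a dict for one audit record carried over syslog, or None if the line is not one."""
    h = HEADER.match(line)
    a = AUDIT.match(h.group('body')) if h else None
    if not a:
        return None
    return {
        'host': h.group('host'),
        'tag': h.group('tag'),
        # audispd stamps the node itself; for the file-tag format fall back to the syslog host
        'node': a.group('node') or h.group('host'),
        'type': a.group('type'),
        # audit timestamps are UTC epoch seconds, independent of the syslog header's local time
        'audit_time': datetime.fromtimestamp(int(a.group('sec')), tz=timezone.utc),
        'serial': int(a.group('serial')),
        'event_id': f"{a.group('sec')}.{a.group('ms')}:{a.group('serial')}",
        'fields': {k: v.strip('"') for k, v in FIELD.findall(a.group('rest'))},
    }

def group_events(lines):
    """Collect the records of one audit event (SYSCALL, CWD, PATH, ...) by (node, event_id)."""
    events = {}
    for rec in filter(None, map(parse_audit_line, lines)):
        events.setdefault((rec['node'], rec['event_id']), []).append(rec)
    return events

if __name__ == '__main__':
    for key, recs in group_events(SAMPLES).items():
        print(key, [(r['tag'], r['type'], r['fields']) for r in recs])
```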
Hello,
Thank you for your comment, but I have tried the same way also and it seems the receiving server is not accepting the connection ...
I have no idea how to configure the Octopussy server for rsyslog ... If anyone has an idea or has configured rsyslog for Octopussy, then please help.
Below I am pasting the rsyslog server-side configuration, and I have enabled "active=yes" in the client auditd configuration ... kindly look into it once.
[root@octopussy ~]# cat /etc/rsyslog.conf
#################
#### MODULES ####
#################
$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
#$ModLoad immark  # provides --MARK-- message capability
# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
###########################
#### GLOBAL DIRECTIVES ####
###########################
#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
#$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
#
# Set the default permissions for all log files.
#
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf
[root@octopussy ~]# cat /etc/rsyslog.d/10-octopussy.conf
#########################################
#### GLOBAL DIRECTIVES FOR OCTOPUSSY ####
#########################################
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0750
$Umask 0022
$WorkDirectory /var/lib/octopussy/local/rsyslog
$CreateDirs on
$MaxMessageSize 8k
$ActionQueueMaxDiskSpace 1g
$ActionQueueFileName rsyslog
$ActionQueueHighWaterMark 250000
$ActionQueueLowWaterMark 200000
$ActionQueueType LinkedList # [FixedArray/LinkedList/Direct/Disk]
$ActionQueueSaveOnShutdown on
$ActionQueueWorkerThreads 1 # 1 cpu
*.* |/var/spool/octopussy/octo_fifo
###############
#### RULES ####
###############
# Remove all messages from other server
:hostname, !isequal, "octopussy" ~
++++++++++++++++++++++++++++++++++++++++++
On Tue, Aug 7, 2012 at 12:58 PM, Vámos Balázs <vamos.balazs@zuriel.hu> wrote:
-- Thanks & Regards, - Koresh
Hi,
first try to diagnose if audit messages actually make it to the local syslog-ng process (by logging them locally, or using the debug switch for syslog-ng). If they do, then work on what happens with these between syslog-ng & rsyslog, and then between rsyslog and Octopussy.
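The second hop in the hop-by-hop check Balazs Scheidler describes (client to the rsyslog listener on TCP or UDP 514) can be exercised with a marker message shaped like the audispd line quoted earlier; this is an added example, not from the thread or from either project, and the server host, node name, marker text and the fixed timestamp/audit id in the payload are placeholders. loopback_check stands up a throwaway listener on 127.0.0.1 so the probe can be tried without the real server; against the real one, grep for the marker on the server and then in Octopussy.

```python
import socket
import threading

def build_marker(node, marker, pri=13):
    """One RFC 3164 line in the shape the audisp syslog plugin emits (PRI 13 = user.notice).
    The timestamp and audit id are constructed placeholders, not real audit data."""
    return (f'<{pri}>Aug  7 09:00:54 {node} audispd: node={node} type=TEST '
            f'msg=audit(0.000:0): marker={marker}')

def send_marker(host, port, node, marker, proto='tcp'):
    """Send the marker to an rsyslog listener; returns the bytes put on the wire.
    imtcp expects newline-terminated frames, imudp one datagram per message."""
    payload = (build_marker(node, marker) + '\n').encode()
    if proto == 'tcp':
        with socket.create_connection((host, port), timeout=5) as s:
            s.sendall(payload)
    else:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(payload, (host, port))
    return payload

def loopback_check(proto='tcp', node='client01', marker='audit-probe-0001'):
    """Offline self-test: a throwaway listener on 127.0.0.1 stands in for rsyslog and
    the function reports whether the marker arrived byte-for-byte."""
    kind = socket.SOCK_STREAM if proto == 'tcp' else socket.SOCK_DGRAM
    srv = socket.socket(socket.AF_INET, kind)
    srv.settimeout(5)
    srv.bind(('127.0.0.1', 0))          # ephemeral port, standing in for 514
    port = srv.getsockname()[1]
    if proto == 'tcp':
        srv.listen(1)                   # listen before the client connects
    got = []
    def serve():
        if proto == 'tcp':
            conn, _ = srv.accept()
            with conn:
                got.append(conn.recv(4096))
        else:
            got.append(srv.recvfrom(4096)[0])
    t = threading.Thread(target=serve, daemon=True)
    t.start()
    sent = send_marker('127.0.0.1', port, node, marker, proto)
    t.join(5)
    srv.close()
    return bool(got) and got[0] == sent and marker.encode() in got[0]

if __name__ == '__main__':
    # Real run: send_marker('octopussy-host', 514, socket.gethostname(), 'audit-probe-0001')
    print('tcp ok' if loopback_check('tcp') else 'tcp FAILED')
    print('udp ok' if loopback_check('udp') else 'udp FAILED')
```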
participants (3)
-
Balazs Scheidler
-
Koresh...
-
Vámos Balázs