[syslog-ng] Query On configuring Centralized Audit server with Auditd daemon

Vámos Balázs vamos.balazs at zuriel.hu
Tue Aug 7 09:28:29 CEST 2012


Hi,

Details:

Open /etc/audisp/plugins.d/syslog.conf
Set active = yes
restart auditd

With this configuration you do not need to use syslog-ng to read and
send content of audit.log. Just forward the syslog as you usually do.


Notice that the format of the syslog message will be a bit different:

Aug  7 09:00:54 znb06 audispd: node=znb06 type=CWD msg=audit(1344322854.313:1056):  cwd="/"
vs.
Aug  7 09:00:54 znb06 your-tag: type=CWD msg=audit(1344322854.313:1056):  cwd="/"


Regards,

Balazs Vamos
LOGalyze.com
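An added example (not part of the original post, nor code from syslog-ng or auditd) that parses the two message shapes shown above, the audispd one carrying node= and the syslog-ng-tagged one without it, and regroups records by their audit(<epoch>:<serial>) id; the sample lines, including the SYSCALL record, are constructed for the demonstration.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines modelled on the two formats shown in the post:
# the audispd syslog plugin prefixes the record with "node=<hostname>",
# while a line read from audit.log and tagged by syslog-ng does not.
SAMPLE_LINES = [
    'Aug  7 09:00:54 znb06 audispd: node=znb06 type=CWD msg=audit(1344322854.313:1056):  cwd="/"',
    'Aug  7 09:00:54 znb06 your-tag: type=CWD msg=audit(1344322854.313:1056):  cwd="/"',
    'Aug  7 09:00:54 znb06 audispd: node=znb06 type=SYSCALL msg=audit(1344322854.313:1056): '
    'arch=c000003e syscall=2 success=yes exit=3 uid=0 comm="cat" exe="/bin/cat"',
]

# BSD syslog header: "<Mon dd hh:mm:ss> <host> <tag>: <message>"
HEADER_RE = re.compile(r'^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<tag>[^:\s]+): (?P<body>.*)$')
# Audit record: optional node=, then type=, then msg=audit(<epoch>:<serial>): key=value fields
AUDIT_RE = re.compile(r'^(?:node=(?P<node>\S+) )?type=(?P<type>\S+) msg=audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_syslog(line):
    """Parse one syslog line carrying an audit record; None for non-audit lines."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    a = AUDIT_RE.match(m.group('body'))
    if not a:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(a.group('fields'))}
    return {
        'host': m.group('host'),
        'tag': m.group('tag'),
        'node': a.group('node'),                 # None unless sent by audispd
        'via_audispd': a.group('node') is not None,
        'type': a.group('type'),
        'time': datetime.fromtimestamp(float(a.group('epoch')), tz=timezone.utc),
        'serial': int(a.group('serial')),
        'event_id': f"{a.group('epoch')}:{a.group('serial')}",
        'fields': fields,
    }


def group_by_event(lines):
    """One audit event spans several records (SYSCALL, CWD, PATH, ...) that share
    the same audit(<epoch>:<serial>) id; group parsed records by that id."""
    events = {}
    for line in lines:
        rec = parse_audit_syslog(line)
        if rec:
            events.setdefault(rec['event_id'], []).append(rec)
    return events
```

Records from the two sources can be correlated on the event_id even though one of them lacks the node= field.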


On 08/07/2012 07:35 AM, Balazs Scheidler wrote:
>
> Hi,
>
> you probably need to tell auditd to log to syslog on the client hosts.
>
>
> ----- Original message -----
> > Hi Folks,
> >
> > Need your help !
> >
> > Want to configure a centralized Audit server (Currently the centralized
> > server is running Octopussy Web interface,  which receives logs from
> > remote hosts by Rsyslog ).
> >
> > The challenge and confusion here is .. all my linux clients are
> > configured with syslog-ng and the daemon is sending all the system logs
> > and kernel logs like messages,secure,cron logs etc ... without any
> > trouble.
> >
> > The problem is the syslog-ng daemon is not able to send the auditd logs
> > (/var/log/audit.log) to the Rsyslog server,
> >
> > Hence request your help to guide me how to setup the syslog-ng to forward
> > the audit.log to the remote Rsyslog server.
> >
> > It would be great if i can get client side and server side configuration
> > guidelines.
> >
> > --
> > Thanks in Advance
> > - Koresh
>
>
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>