[syslog-ng] Query On configuring Centralized Audit server with Auditd daemon

Koresh... koreshkumar at gmail.com
Tue Aug 7 12:36:29 CEST 2012


Hello,

Thank you for your comment, but I have tried the same way also, and it seems
the receiving server is not accepting the connection ...

I have no idea how to configure the Octopussy server for Rsyslog ... If anyone
has an idea or has configured rsyslog for Octopussy, then please help.

Below I am pasting the rsyslog server-side configuration, and I have
enabled "active=yes" in the client auditd configuration ... kindly look
into it once.


[root@octopussy ~]# cat /etc/rsyslog.conf
#################
#### MODULES ####
#################

$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
#$ModLoad immark  # provides --MARK-- message capability

# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514


###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
#$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

#
# Set the default permissions for all log files.
#
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755

#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf
[root@octopussy ~]# cat /etc/rsyslog.d/10-octopussy.conf
#########################################
#### GLOBAL DIRECTIVES FOR OCTOPUSSY ####
#########################################

$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0750
$Umask 0022
$WorkDirectory /var/lib/octopussy/local/rsyslog
$CreateDirs on

$MaxMessageSize 8k

$ActionQueueMaxDiskSpace 1g
$ActionQueueFileName rsyslog
$ActionQueueHighWaterMark 250000
$ActionQueueLowWaterMark 200000
$ActionQueueType LinkedList # [FixedArray/LinkedList/Direct/Disk]
$ActionQueueSaveOnShutdown on
$ActionQueueWorkerThreads 1 # 1 cpu

*.* |/var/spool/octopussy/octo_fifo


###############
#### RULES ####
###############

# Remove all messages from other server
:hostname, !isequal, "octopussy" ~

++++++++++++++++++++++++++++++++++++++++++


On Tue, Aug 7, 2012 at 12:58 PM, Vámos Balázs <vamos.balazs at zuriel.hu> wrote:

> Hi,
>
> Details:
>
> Open /etc/audisp/plugins.d/syslog.conf
> Set active = yes
> restart auditd
>
> With this configuration you do not need to use syslog-ng to read and
> send content of audit.log. Just forward the syslog as you usually do.
>
>
> Notice that the format of the syslog message will be a bit different:
>
> Aug  7 09:00:54 znb06 audispd: node=znb06 type=CWD
> msg=audit(1344322854.313:1056):  cwd="/"
> vs.
> Aug  7 09:00:54 znb06 your-tag: type=CWD
> msg=audit(1344322854.313:1056):  cwd="/"
>
>
> Regards,
>
> Balazs Vamos
> LOGalyze.com
>
>
> On 08/07/2012 07:35 AM, Balazs Scheidler wrote:
> >
> > Hi,
> >
> > you probably need to tell auditd to log to syslog on the client hosts.
> >
> >
> > ----- Original message -----
> > > Hi Folks,
> > >
> > > Need your help !
> > >
> > > Want to configure a centralized Audit server (currently the centralized
> > > server is running the Octopussy Web interface, which receives logs from
> > > remote hosts by Rsyslog).
> > >
> > > The challenge and confusion here is .. all my Linux clients are
> > > configured with syslog-ng and the daemon is sending all the system logs
> > > and kernel logs like messages, secure, cron logs etc ... without any
> > > trouble.
> > >
> > > The problem is the syslog-ng daemon is not able to send the auditd logs
> > > (/var/log/audit.log) to the Rsyslog server.
> > >
> > > Hence request your help to guide me how to set up the syslog-ng to
> > > forward the audit.log to the remote Rsyslog server.
> > >
> > > It would be great if I can get client side and server side
> > > configuration guidelines.
> > >
> > > --
> > > Thanks in Advance
> > > - Koresh
> >
> >
> >
> >
> > ______________________________________________________________________________
> > Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> > Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> > FAQ: http://www.balabit.com/wiki/syslog-ng-faq
> >
>
>


-- 


Thanks & Regards,

- Koresh
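The two audit-over-syslog line formats Balázs shows above (the audispd tag with a node= field, and a custom tag without one) are what the central rsyslog server ends up receiving once the audisp syslog plugin is active. Below is an added example, not code from the original post or from Octopussy, rsyslog or audisp, of a small Python parser that accepts both formats, pulls the audit timestamp and serial out of msg=audit(...), and groups records that belong to the same audit event. The function and class names are assumptions; the first two sample lines are the ones quoted in the thread, joined back onto single lines, and the remaining sample lines are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# BSD syslog header as written by rsyslog/syslog-ng in traditional format:
#   "Aug  7 09:00:54 znb06 audispd: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+): (?P<msg>.*)$"
)
# The audit event id inside the message: audit(<epoch.millis>:<serial>)
AUDIT_ID_RE = re.compile(r"audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\)")
# key=value pairs; a value is either "double quoted" or a bare token
KV_RE = re.compile(r'(?P<key>[A-Za-z_][A-Za-z0-9_]*)=(?P<val>"[^"]*"|\S+)')


@dataclass
class AuditEvent:
    host: str              # hostname from the syslog header
    tag: str               # syslog program tag: "audispd" or a custom tag
    node: Optional[str]    # node= field, present only in the audispd format
    rec_type: str          # type= field (CWD, SYSCALL, PATH, ...)
    epoch: float           # seconds from msg=audit(<epoch>:<serial>)
    serial: int            # serial from msg=audit(<epoch>:<serial>)
    fields: Dict[str, str] = field(default_factory=dict)

    @property
    def origin(self) -> str:
        """Prefer node= (written by audispd on the sending host) over the
        syslog hostname, which a relay in between may have rewritten."""
        return self.node or self.host


def parse_audit_syslog_line(line: str) -> Optional[AuditEvent]:
    """Return an AuditEvent for one syslog line carrying an audit record, or
    None if the line is not an audit record in either of the two formats."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    aid = AUDIT_ID_RE.search(msg)
    if not aid:
        return None  # ordinary syslog line, not an audit record
    fields: Dict[str, str] = {}
    for kv in KV_RE.finditer(msg):
        key, val = kv.group("key"), kv.group("val")
        if key == "msg":
            continue  # msg=audit(...) was already parsed as the event id
        fields[key] = val[1:-1] if val.startswith('"') else val
    rec_type = fields.pop("type", None)
    if rec_type is None:
        return None
    return AuditEvent(
        host=m.group("host"),
        tag=m.group("tag"),
        node=fields.pop("node", None),
        rec_type=rec_type,
        epoch=float(aid.group("epoch")),
        serial=int(aid.group("serial")),
        fields=fields,
    )


def group_by_event(lines: List[str]) -> Dict[int, List[AuditEvent]]:
    """Records of one audit event (SYSCALL, CWD, PATH, ...) share a serial;
    collect them under that serial so the event can be read as a whole."""
    events: Dict[int, List[AuditEvent]] = {}
    for line in lines:
        ev = parse_audit_syslog_line(line)
        if ev is not None:
            events.setdefault(ev.serial, []).append(ev)
    return events


# Sample input: lines 1 and 2 are the ones quoted in the thread (joined back
# onto single lines); lines 3 and 4 are constructed, to show a SYSCALL record
# with quoted values containing spaces and a non-audit line that is skipped.
SAMPLE_LINES = [
    'Aug  7 09:00:54 znb06 audispd: node=znb06 type=CWD msg=audit(1344322854.313:1056):  cwd="/"',
    'Aug  7 09:00:54 znb06 your-tag: type=CWD msg=audit(1344322854.313:1056):  cwd="/"',
    'Aug  7 09:00:54 znb06 audispd: node=znb06 type=SYSCALL msg=audit(1344322854.313:1056): '
    'arch=c000003e syscall=59 success=yes exit=0 comm="ls" exe="/bin/ls" key="exec watch"',
    "Aug  7 09:00:55 znb06 sshd[2211]: Accepted publickey for root from 192.0.2.10",
]

if __name__ == "__main__":
    for serial, recs in group_by_event(SAMPLE_LINES).items():
        print(f"audit event {serial}:")
        for r in recs:
            print(f"  origin={r.origin} tag={r.tag} type={r.rec_type} {r.fields}")
```

The parser keys on msg=audit(...) rather than on the program tag, so it does not matter whether the client uses audispd's own tag or a custom one; the node= field, when present, is kept separately from the syslog hostname because it is the value the audit subsystem itself stamped on the record.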