[syslog-ng] Query On configuring Centralized Audit server with Auditd daemon

Balazs Scheidler bazsi77 at gmail.com
Thu Aug 9 19:51:08 CEST 2012


hi,

first try to diagnose if audit messages actually make it to the local syslog-ng process (by logging them locally, or using the debug switch for syslog-ng)

if they do, then work on what happens with these between syslog-ng & rsyslog, and then between rsyslog and octopussy.

----- Original message -----
> Hello,
> 
> Thank you for your comment but I have tried the same way also but it
> seems the receiving server is not accepting the connection ...
> 
> I have no idea how to configure the Octopussy server configured for
> Rsyslog ... Anyone have an idea or configured the rsyslog for Octopussy
> then please help.
> 
> Below I am pasting the rsyslog server side configuration, and I have
> enabled "active=yes" in the client Auditd configuration ... kindly look
> into it once.
> 
> 
> [root at octopussy ~]# cat /etc/rsyslog.conf
> #################
> #### MODULES ####
> #################
> 
> $ModLoad imuxsock # provides support for local system logging
> $ModLoad imklog     # provides kernel logging support (previously done by rklogd)
> #$ModLoad immark   # provides --MARK-- message capability
> 
> # provides UDP syslog reception
> $ModLoad imudp
> $UDPServerRun 514
> 
> # provides TCP syslog reception
> $ModLoad imtcp
> $InputTCPServerRun 514
> 
> 
> ###########################
> #### GLOBAL DIRECTIVES ####
> ###########################
> 
> #
> # Use traditional timestamp format.
> # To enable high precision timestamps, comment out the following line.
> #
> #$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
> 
> #
> # Set the default permissions for all log files.
> #
> $FileOwner root
> $FileGroup adm
> $FileCreateMode 0640
> $DirCreateMode 0755
> 
> #
> # Include all config files in /etc/rsyslog.d/
> #
> $IncludeConfig /etc/rsyslog.d/*.conf
> [root at octopussy ~]# cat /etc/rsyslog.d/10-octopussy.conf
> #########################################
> #### GLOBAL DIRECTIVES FOR OCTOPUSSY ####
> #########################################
> 
> $FileOwner root
> $FileGroup adm
> $FileCreateMode 0640
> $DirCreateMode 0750
> $Umask 0022
> $WorkDirectory /var/lib/octopussy/local/rsyslog
> $CreateDirs on
> 
> $MaxMessageSize 8k
> 
> $ActionQueueMaxDiskSpace 1g
> $ActionQueueFileName rsyslog
> $ActionQueueHighWaterMark 250000
> $ActionQueueLowWaterMark 200000
> $ActionQueueType LinkedList # [FixedArray/LinkedList/Direct/Disk]
> $ActionQueueSaveOnShutdown on
> $ActionQueueWorkerThreads 1 # 1 cpu
> 
> *.* |/var/spool/octopussy/octo_fifo
> 
> 
> ###############
> #### RULES ####
> ###############
> 
> # Remove all messages from other server
> :hostname, !isequal, "octopussy" ~
> 
> ++++++++++++++++++++++++++++++++++++++++++
> 
> 
> On Tue, Aug 7, 2012 at 12:58 PM, Vámos Balázs
> <vamos.balazs at zuriel.hu> wrote:
> 
> > Hi,
> > 
> > Details:
> > 
> > Open /etc/audisp/plugins.d/syslog.conf
> > Set active = yes
> > restart auditd
> > 
> > With this configuration you do not need to use syslog-ng to read and
> > send content of audit.log. Just forward the syslog as you usually do.
> > 
> > 
> > Notice that the format of the syslog message will be a bit different:
> > 
> > Aug   7 09:00:54 znb06 audispd: node=znb06 type=CWD
> > msg=audit(1344322854.313:1056):   cwd="/"
> > vs.
> > Aug   7 09:00:54 znb06 your-tag: type=CWD
> > msg=audit(1344322854.313:1056):   cwd="/"
> > 
> > 
> > Regards,
> > 
> > Balazs Vamos
> > LOGalyze.com
> > 
> > 
> > On 08/07/2012 07:35 AM, Balazs Scheidler wrote:
> > > 
> > > Hi,
> > > 
> > > you probably need to tell auditd to log to syslog on the client
> > > hosts.
> > > 
> > > 
> > > ----- Original message -----
> > > > Hi Folks,
> > > > 
> > > > Need your help !
> > > > 
> > > > Want to configure a centralized Audit server (Currently the
> > > > centralized server is running Octopussy Web interface,   which
> > > > receives logs from remote hosts by Rsyslog ).
> > > > 
> > > > The challenge and confusion here is .. all my linux clients are
> > > > configured with syslog-ng and the daemon is sending all the system
> > > > logs and kernel logs like messages, secure, cron logs etc. without
> > > > any trouble.
> > > > 
> > > > The problem is the syslog-ng daemon is not able to send the auditd
> > > > logs (/var/log/audit.log) to the Rsyslog server,
> > > > 
> > > > Hence request your help to guide me how to set up the syslog-ng to
> > > > forward the audit.log to the remote Rsyslog server.
> > > > 
> > > > It would be great if I can get client side and server side
> > > > configuration guidelines.
> > > > 
> > > > --
> > > > Thanks in Advance
> > > > - Koresh
> > > 
> > > 
> > > 
> > > 
> > > ______________________________________________________________________________
> > > Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> > > Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> > > FAQ: http://www.balabit.com/wiki/syslog-ng-faq
> > > 
> > 
> > 
> > 
> > 
> 
> 
> -- 
> 
> 
> Thanks & Regards,
> 
> - Koresh
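Bazsi's first diagnostic step is to confirm that audit records actually arrive at the collector. The following is an added example (not code from the thread or from syslog-ng, rsyslog or Octopussy) that parses the two line formats Balazs Vamos quoted, the audispd syslog plugin form carrying `node=` and the custom-tag form, into structured records, counts them per source, and groups them by audit event id; the sample lines, the `your-tag` tag and the `sshd` line are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines: the first two use the audispd syslog-plugin format
# (node= present), the third a custom tag as when reading audit.log from a file,
# the fourth is an ordinary non-audit message that must be ignored.
SAMPLE_LINES = [
    'Aug  7 09:00:54 znb06 audispd: node=znb06 type=CWD msg=audit(1344322854.313:1056):   cwd="/"',
    'Aug  7 09:00:54 znb06 audispd: node=znb06 type=PATH msg=audit(1344322854.313:1056): item=0 name="/etc/shadow" inode=1234 mode=0100000',
    'Aug  7 09:00:54 znb06 your-tag: type=CWD msg=audit(1344322854.313:1056):   cwd="/"',
    'Aug  7 09:00:55 znb06 sshd[2210]: Accepted password for root from 10.0.0.5 port 51000 ssh2',
]

# BSD syslog header: timestamp, hostname, tag (optional [pid]), then the body.
SYSLOG_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<tag>[^:\[]+)(?:\[\d+\])?: (?P<body>.*)$'
)
# Audit body: optional node=, the record type, and the audit(epoch:serial) event id.
AUDIT_RE = re.compile(
    r'^(?:node=(?P<node>\S+)\s+)?type=(?P<type>\S+)\s+msg=audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<fields>.*)$'
)
# key=value pairs, values either quoted or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_line(line):
    """Return a structured audit record, or None if the line is not an audit message."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    a = AUDIT_RE.match(m.group('body'))
    if not a:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(a.group('fields'))}
    return {
        'host': m.group('host'),
        'tag': m.group('tag'),
        'node': a.group('node'),  # None unless sent by audispd's syslog plugin
        'type': a.group('type'),
        'event_id': f"{a.group('epoch')}:{a.group('serial')}",
        'fields': fields,
    }


def summarize(lines):
    """Count audit records per (host, tag): a client that sends nothing stands out."""
    recs = [r for r in map(parse_audit_line, lines) if r]
    return recs, Counter((r['host'], r['tag']) for r in recs)


def group_events(recs):
    """Records sharing one audit(epoch:serial) id belong to the same audit event."""
    events = defaultdict(list)
    for r in recs:
        events[r['event_id']].append(r['type'])
    return dict(events)
```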
