AlmaLinux 9
Sponsored Link

Auditd : Transfer Logs to Remote Host2023/02/20

 
Configure Auditd to transfer logs to remote host.
This example is based on the environment like follows.
+----------------------+          |          +----------------------+
| [  Auditd Server   ] |10.0.0.30 | 10.0.0.51| [  Auditd Client   ] |
|     dlp.srv.world    +----------+----------+    node01.srv.world  |
|                      |                     |                      |
+----------------------+                     +----------------------+

[1] Configure Auditd Host that receives Audit logs from remote hosts.
[root@dlp ~]#
vi /etc/audit/auditd.conf
# line 27 : uncomment and specify listening port

tcp_listen_port =
60
[root@dlp ~]#
service auditd restart

# fail by [systemctl restart] because of dependency

[2] If Firewalld is running on Audit receiver Host, allow audit service.
[root@dlp ~]#
firewall-cmd --add-service=audit

success
[root@dlp ~]#
firewall-cmd --runtime-to-permanent

success
[3] Configure Auditd Client Host that sends Audit logs.
[root@node01 ~]#
dnf -y install audispd-plugins
[root@node01 ~]#
vi /etc/audit/plugins.d/au-remote.conf
# line 6 : change

active =
yes
[root@node01 ~]#
vi /etc/audit/audisp-remote.conf
# line 6 : remote host to send logs

remote_server =
dlp.srv.world
# line 7 : specify port
# ⇒ the one which remote server is listening

port = 60
[root@node01 ~]#
vi /etc/audit/auditd.conf
# line 9 : change
# ⇒ not record logs on local filesystem

log_format =
NOLOG
[root@node01 ~]#
service auditd restart

[4] That's OK, Audit logs on remote hosts are recorded like follows.
[root@dlp ~]#
grep node01 /var/log/audit/audit.log

type=SOFTWARE_UPDATE msg=audit(1646975987.725:149): pid=1561 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=install sw="apr-1.7.0-11.el9.x86_64" sw_type=rpm key_enforce=0 gpg_res=1 root_dir="/" comm="dnf" exe="/usr/bin/python3.9" hostname=node01.srv.world addr=? terminal=ttyS0 res=success'
type=SOFTWARE_UPDATE msg=audit(1646975987.725:150): pid=1561 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=install sw="apr-util-bdb-1.6.1-20.el9.x86_64" sw_type=rpm key_enforce=0 gpg_res=1 root_dir="/" comm="dnf" exe="/usr/bin/python3.9" hostname=node01.srv.world addr=? terminal=ttyS0 res=success'
type=SOFTWARE_UPDATE msg=audit(1646975987.725:151): pid=1561 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=install sw="apr-util-openssl-1.6.1-20.el9.x86_64" sw_type=rpm key_enforce=0 gpg_res=1 root_dir="/" comm="dnf" exe="/usr/bin/python3.9" hostname=node01.srv.world addr=? terminal=ttyS0 res=success'
.....
.....
Matched Content