Rocky_Linux_8
Sponsored Link

Auditd : Transfer Logs to Remote Host2021/07/22

 
Configure Auditd to transfer logs to remote host.
This example is based on the environment like follows.
+----------------------+          |          +----------------------+
| [  Auditd Server   ] |10.0.0.30 | 10.0.0.51| [  Auditd Client   ] |
|     dlp.srv.world    +----------+----------+    node01.srv.world  |
|                      |                     |                      |
+----------------------+                     +----------------------+

[1] Configure Auditd Host that receives Audit logs from remote hosts.
[root@dlp ~]#
vi /etc/audit/auditd.conf
# line 27 : uncomment and specify listening port

tcp_listen_port =
60
[root@dlp ~]#
service auditd restart

# if use [systemctl restart], it fails for dependency

[2] If Firewalld is running on Audit receiver Host, allow audit service.
[root@dlp ~]#
firewall-cmd --add-service=audit

success
[root@dlp ~]#
firewall-cmd --runtime-to-permanent

success
[3] Configure Auditd Client Host that sends Audit logs.
[root@node01 ~]#
dnf -y install audispd-plugins
[root@node01 ~]#
vi /etc/audit/plugins.d/au-remote.conf
# line 6 : change

active =
yes
[root@node01 ~]#
vi /etc/audit/audisp-remote.conf
# line 6 : remote host to send logs

remote_server =
dlp.srv.world
# line 7 : specify port (the one which remote server is just listening)

port = 60
[root@node01 ~]#
vi /etc/audit/auditd.conf
# line 9 : change (not record logs on local filesystem)

log_format =
NOLOG
[root@node01 ~]#
service auditd restart

[4] That's OK, Audit logs on remote hosts are recorded like follows.
[root@dlp ~]#
grep node01 /var/log/audit/audit.log

type=CRED_DISP msg=audit(1626925625.884:110): pid=1141 uid=0 auid=0 ses=1 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_unix acct="root" exe="/usr/bin/login" hostname=node01.srv.world addr=? terminal=ttyS0 res=success'
type=USER_END msg=audit(1626925625.889:111): pid=1141 uid=0 auid=0 ses=1 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_selinux,pam_loginuid,pam_console,pam_selinux,pam_namespace,pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_umask,pam_lastlog acct="root" exe="/usr/bin/login" hostname=node01.srv.world addr=? terminal=ttyS0 res=success'
type=USER_AUTH msg=audit(1626925631.806:120): pid=25720 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_unix acct="root" exe="/usr/bin/login" hostname=node01.srv.world addr=? terminal=ttyS0 res=success'
.....
.....
Matched Content