I'm interested in using auditd to monitor activities on my servers, but I have searched all around and can't find an answer to this. Does auditd support any sort of centralized logging, the way rsyslog or syslog-ng do? It would be great if I could get the audit logs into a database to start doing statistics on them. But I haven't had much luck finding a solution. Any ideas?
You want to use audisp. It should be installed already on Red Hat and CentOS machines by default.
This should help get you going in the right direction.
http://www.splunk.com is great for log collection and analysis. There is a free license available that might suffice for your needs.
1. Well, if you read the man page of auditd, a lot of information will be gathered.
2. To be specific, read the fifth section of the man page, i.e. man 5 auditd.conf.
3. After this stage you will be able to configure an auditd rule to monitor a file or directory.
4. 'ausearch' is a command to view the output of auditd. Again, you need to refer to the man page for it.
5. Some examples are as follows:
Make sure auditd is up and running.
Suppose you want to monitor/audit the /etc/passwd file; then issue the following command:
'-w' is for the file to be watched.
'-p' is for permissions such as read, write, execute, attribute.
'-k' is for the filter/tag, which you can specify on your own. This filter/tag comes in handy while reading the auditd report.
Please go through the man pages for further examples; they have quite a lot.
If you like it or find it useful, do click on the 'like' button.
"Linux for humanity."
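As an added example (not from the original thread or from the auditd project), here is a small Python parser for audit.log records that counts events per -k key and per login uid, the kind of per-rule statistics the question asks about. The log lines embedded in it are constructed to imitate a -w /etc/passwd -k passwd_watch rule; the key names, uids and timestamps are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample audit.log records (made-up values, not from a real host),
# imitating what 'auditctl -w /etc/passwd -p wa -k passwd_watch' emits.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1200 pid=1201 auid=1000 uid=0 euid=0 tty=pts0 ses=3 comm="vi" exe="/usr/bin/vi" key="passwd_watch"
type=PATH msg=audit(1700000000.101:501): item=0 name="/etc/passwd" inode=1234 dev=fd:01 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700000005.202:502): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=1300 pid=1301 auid=1001 uid=1001 euid=1001 tty=pts1 ses=4 comm="vi" exe="/usr/bin/vi" key="passwd_watch"
type=PATH msg=audit(1700000005.202:502): item=0 name="/etc/passwd" inode=1234 dev=fd:01 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700000009.303:503): arch=c000003e syscall=257 success=yes exit=4 items=1 ppid=1400 pid=1401 auid=1000 uid=1000 euid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="shadow_watch"
type=USER_LOGIN msg=audit(1700000010.404:504): pid=1500 uid=0 auid=1002 ses=5 msg='op=login id=1002 exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=ssh res=success'
"""

MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
FIELD_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")


def parse_record(line):
    """Turn one audit.log line into a dict: key=value fields plus 'time' and
    'serial' taken from msg=audit(TIME:SERIAL). Quotes are stripped."""
    fields = {}
    m = MSG_RE.search(line)
    if m:
        fields["time"], fields["serial"] = float(m.group(1)), int(m.group(2))
        line = line[:m.start()] + line[m.end():]   # keep FIELD_RE off the msg token
    for key, value in FIELD_RE.findall(line):
        fields[key] = value.strip("\"'")
    return fields


def summarize(log_text):
    """Count SYSCALL records per -k key and per (auid, success) within each key.
    PATH records are skipped (one access is counted once); key-less records are ignored."""
    per_key, per_key_auid = Counter(), defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or "key" not in rec:
            continue
        per_key[rec["key"]] += 1
        per_key_auid[rec["key"]][(rec["auid"], rec["success"])] += 1
    return per_key, per_key_auid


if __name__ == "__main__":
    keys, detail = summarize(SAMPLE_LOG)
    for key, n in keys.most_common():
        print(f"{key}: {n} event(s)")
        for (auid, ok), c in detail[key].most_common():
            print(f"    auid={auid} success={ok}: {c}")
```

Point it at a real /var/log/audit/audit.log (or at records forwarded by audisp) by reading the file instead of SAMPLE_LOG; the auid/success breakdown separates a failed write attempt by an unprivileged user from routine root edits.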