LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
-   -   Centralized Auditing (http://www.linuxquestions.org/questions/linux-security-4/centralized-auditing-903051/)

Neruocomp 09-14-2011 05:18 PM

Centralized Auditing
 
I'm interested in using auditd to monitor activities on my servers, but I have searched all around and can't find an answer to this. Does auditd support any sort of centralized logging, the say rsyslog or syslog-ng do? It would be great if I could get the audit logs in a database to start doing statistics on them. But I haven't had much luck finding a solution. Any ideas?

slimm609 09-14-2011 05:52 PM

You want to use audisp. It should be installed already on Red-Hat and CentOS machines by default.


This should help get you going in the right direction.
http://linux.die.net/man/5/audisp-remote.conf

jdeklerk 09-16-2011 01:21 AM

http://www.splunk.com is great for log collection and analysis. There is a free license available that might suffice for your needs.

SeRi@lDiE 09-16-2011 01:45 AM

Quote:

Originally Posted by jdeklerk (Post 4473183)
http://www.splunk.com is great for log collection and analysis. There is a free license available that might suffice for your needs.

I wouldn't touch splunk not even with a 10ft pole... my 2 centavos :)

shridhar005 09-16-2011 03:02 AM

Hi,
1. Well if you read man page of auditd, a lot information will be gathered.
2. In order to be specific read fifth section of man page i,e man 5 auditd.conf
3. After this stage you will be able to configure auditd rule to monitor file or directory.
4. 'ausearch' is a command to view the output of auditd. Again you need to refer man page for it.
5. Some examples are as follows:

make sure auditd is up and running.
Suppose you want to monitor/audit /etc/passwd file then issue following command:

Code:

root#auditctl -w /etc/passwd -p war -k Change_bit
What does above command means? -->
'-w' is for file to be watched.;
'-p' is for permissions such as read,write,execute,attribute.
'-k' is for the filter/tag which you can specify on your own.this filter/tag comes handy while reading the report of the auditd.

Please go through the man pages for further examples, it has quite a lot.

If you like or find it useful do click on 'like button'.


"Linux for humanity."


All times are GMT -5. The time now is 05:43 AM.