LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
09-14-2011, 04:18 PM   #1
Neruocomp (Member; Registered: Oct 2004; Distribution: Slackware, CentOS; Posts: 135)
Centralized Auditing

I'm interested in using auditd to monitor activities on my servers, but I have searched all around and can't find an answer to this. Does auditd support any sort of centralized logging, the way rsyslog or syslog-ng do? It would be great if I could get the audit logs in a database to start doing statistics on them. But I haven't had much luck finding a solution. Any ideas?
 
09-14-2011, 04:52 PM   #2
slimm609 (Member; Registered: May 2007; Location: Chas, SC; Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack; Posts: 428)
You want to use audisp. It should be installed already on Red Hat and CentOS machines by default.

This should help get you going in the right direction:
http://linux.die.net/man/5/audisp-remote.conf
 
09-16-2011, 12:21 AM   #3
jdeklerk (LQ Newbie; Registered: May 2009; Posts: 8)
http://www.splunk.com is great for log collection and analysis. There is a free license available that might suffice for your needs.
 
09-16-2011, 12:45 AM   #4
SeRi@lDiE (Member; Registered: Jun 2006; Location: /dev/null; Distribution: Slackware 13.1, Slackware 13.37, aptosid, rhel; Posts: 538; Blog Entries: 7)
Quote (Originally Posted by jdeklerk):
http://www.splunk.com is great for log collection and analysis. There is a free license available that might suffice for your needs.
I wouldn't touch splunk not even with a 10ft pole... my 2 centavos
 
09-16-2011, 02:02 AM   #5
shridhar005 (Member; Registered: Jul 2008; Posts: 89)
Hi,
1. Well, if you read the man page of auditd, a lot of information will be gathered.
2. In order to be specific, read the fifth section of the man page, i.e. man 5 auditd.conf
3. After this stage you will be able to configure an auditd rule to monitor a file or directory.
4. 'ausearch' is a command to view the output of auditd. Again you need to refer to the man page for it.
5. Some examples are as follows:

Make sure auditd is up and running.
Suppose you want to monitor/audit the /etc/passwd file; then issue the following command:

Code:
root# auditctl -w /etc/passwd -p war -k Change_bit

What does the above command mean?
'-w' is for the file to be watched;
'-p' is for permissions such as read, write, execute, attribute;
'-k' is for the filter/tag which you can specify on your own. This filter/tag comes in handy while reading the report of auditd.

Please go through the man pages for further examples; they have quite a lot.

If you like or find it useful, do click on the 'like button'.

"Linux for humanity."
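The OP wants the audit records in a database to run statistics on, post #2 points at audisp-remote for shipping them to a central host, and post #5 shows tagging a watch with a -k key. Once records are forwarded, the collector's audit.log holds them in the same key=value format the local daemon writes, so the loader is the same either way. The following is an added Python example, not code from the thread or from the audit project: it parses that record format, merges the records that share one msg=audit(timestamp:serial) stamp into an event, loads the events into SQLite and answers the kind of question the OP asked (how often each login user triggered the Change_bit key, and which events touched /etc/passwd). The log lines are constructed for the example; the field names (type, msg, key, auid, uid, success, exe, name) are auditd's own, but the table layout and function names are this example's assumptions.

```python
import re
import sqlite3

# Constructed sample of auditd's native key=value record format (made up for
# this example, not real log data). All records of one event share the same
# msg=audit(timestamp:serial) stamp; the SYSCALL record carries the -k key
# and the acting user, and each PATH record names one file the call touched.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1316033880.123:456): arch=c000003e syscall=2 success=yes exit=3 a0=7fff1234 a1=241 a2=1b6 a3=0 items=2 ppid=1200 pid=1235 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="vi" exe="/usr/bin/vi" key="Change_bit"
type=CWD msg=audit(1316033880.123:456):  cwd="/root"
type=PATH msg=audit(1316033880.123:456): item=0 name="/etc/" inode=2 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1316033880.123:456): item=1 name="/etc/passwd" inode=1234 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=EOE msg=audit(1316033880.123:456):
type=SYSCALL msg=audit(1316033901.500:457): arch=c000003e syscall=2 success=no exit=-13 a0=7fff5678 a1=0 a2=0 a3=0 items=1 ppid=2000 pid=2001 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=pts1 ses=2 comm="cat" exe="/bin/cat" key="Change_bit"
type=PATH msg=audit(1316033901.500:457): item=0 name="/etc/passwd" inode=1234 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=EOE msg=audit(1316033901.500:457):
type=USER_LOGIN msg=audit(1316033950.000:458): pid=2100 uid=0 auid=502 ses=3 msg='op=login id=502 exe="/usr/sbin/sshd" res=success'
"""

HEADER_RE = re.compile(r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):(?P<rest>.*)$')
# A value is double-quoted, single-quoted (the nested msg='...' block) or bare.
FIELD_RE = re.compile(r'''(\w+)=("[^"]*"|'[^']*'|\S+)''')


def parse_records(text):
    """Yield (type, timestamp, serial, fields) for every well-formed record line."""
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue  # truncated or foreign line: skip it rather than abort the load
        fields = {k: v.strip('"\'') for k, v in FIELD_RE.findall(m.group('rest'))}
        yield m.group('type'), float(m.group('ts')), int(m.group('serial')), fields


def _int_or_none(value):
    return int(value) if value is not None and value.lstrip('-').isdigit() else None


def group_events(text):
    """Merge the records sharing one serial into a single event dict."""
    events = {}
    for rtype, ts, serial, fields in parse_records(text):
        ev = events.setdefault(serial, {'serial': serial, 'ts': ts, 'type': None, 'key': None,
                                        'auid': None, 'uid': None, 'success': None,
                                        'exe': None, 'paths': []})
        if rtype == 'SYSCALL':
            key = fields.get('key')  # auditd writes key="(null)" for untagged rules
            ev.update(type='SYSCALL', key=None if key in (None, '(null)') else key,
                      auid=_int_or_none(fields.get('auid')), uid=_int_or_none(fields.get('uid')),
                      success=fields.get('success'), exe=fields.get('exe'))
        elif rtype == 'PATH':
            ev['paths'].append(fields.get('name'))
        elif rtype not in ('CWD', 'EOE') and ev['type'] is None:
            # Non-syscall events (logins, config changes) carry their own auid/uid.
            ev.update(type=rtype, auid=_int_or_none(fields.get('auid')),
                      uid=_int_or_none(fields.get('uid')), exe=fields.get('exe'))
    return [events[s] for s in sorted(events)]


def build_db(text, path=':memory:'):
    """Load the events into SQLite: one row per event, one row per touched path."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS audit_event (serial INTEGER PRIMARY KEY, ts REAL, "
                 "type TEXT, key TEXT, auid INTEGER, uid INTEGER, success TEXT, exe TEXT)")
    conn.execute("CREATE TABLE IF NOT EXISTS audit_path (serial INTEGER, name TEXT)")
    for ev in group_events(text):
        conn.execute("INSERT OR REPLACE INTO audit_event VALUES (?,?,?,?,?,?,?,?)",
                     (ev['serial'], ev['ts'], ev['type'], ev['key'], ev['auid'],
                      ev['uid'], ev['success'], ev['exe']))
        conn.executemany("INSERT INTO audit_path VALUES (?,?)",
                         [(ev['serial'], p) for p in ev['paths']])
    conn.commit()
    return conn


def event_count(conn):
    return conn.execute("SELECT COUNT(*) FROM audit_event").fetchone()[0]


def hits_by_auid(conn, key):
    """Per-login-user (auid) counts for one -k key, the selection 'ausearch -k' makes."""
    return conn.execute("SELECT auid, success, COUNT(*) FROM audit_event WHERE key=? "
                        "GROUP BY auid, success ORDER BY auid", (key,)).fetchall()


def events_touching(conn, name):
    """Serials of every event whose PATH records include the given file."""
    rows = conn.execute("SELECT DISTINCT serial FROM audit_path WHERE name=? ORDER BY serial",
                        (name,)).fetchall()
    return [r[0] for r in rows]


if __name__ == '__main__':
    db = build_db(SAMPLE_AUDIT_LOG)
    print(event_count(db), 'events loaded')
    print('Change_bit hits by auid:', hits_by_auid(db, 'Change_bit'))
    print('events touching /etc/passwd:', events_touching(db, '/etc/passwd'))
```

Grouping on the serial rather than on the SYSCALL line alone matters: the -k key lives on the SYSCALL record but the file name lives on the PATH records, so a per-line loader cannot answer "who touched /etc/passwd". Reporting on auid (the login uid, which survives su and sudo) rather than uid is what makes the counts attributable to a person.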