Sending audit information with syslog

kelo81 · 12-20-2007, 03:06 PM

Hello. I was trying to setup the auditd daemon to send the messages to remote server, by using syslog. Is that possible?, I've just found the aureport tool which allows to query the audit events, but I'd like to retrieve those events from syslog.
If not, is there a way to set some auditing entries with selinux and retrieve by syslog?

Thanks in advance for your help!

rparnold · 01-10-2008, 06:14 AM

I have the same question.

unSpawn · 01-10-2008, 01:11 PM

If auditd runs it logs to /var/log/audit/audit.log.
If it doesn't run the messages go to Syslogd.
Syslogd can log to a remote syslog server.

rparnold · 01-29-2008, 06:02 AM

The problem with the syslog is that you cannot audit the things that you can with auditd...for example you cannot audit chmod, chown, symlink, etc..Syslog audits system functions where auditd audits user space.

I am still hoping someone posts a reply with a method to aggregate audit logs, other than the Snare solution.

tks,
rob

unSpawn · 01-29-2008, 08:17 AM

Quote:

Originally Posted by rparnold

Syslog audits system functions where auditd audits user space.

Syslog actively audits nothing, it's just a conduit for transferring kernel and daemon messages someplace.
And if I stop auditd and audctl rules they get logged to syslog perfectly.

rparnold · 01-29-2008, 09:16 AM

OK...stopped the audit daemon and I do not see the auditing of the syscalls that we have defined in audit.rules going to syslog. Is there something else we need to do? We are trying to audit user space syscalls to be CC compliant.

rparnold · 01-29-2008, 10:31 AM

Stopped auditd and user space auditing is now going to syslog-ng and on to a SIEM tool....Now to get the SIEM tool to parse the data...another problem...another thread...another day.

thanks

unSpawn · 01-29-2008, 12:41 PM

Quote:

Originally Posted by rparnold

OK...stopped the audit daemon and I do not see the auditing of the syscalls that we have defined in audit.rules going to syslog. Is there something else we need to do?

To answer that: if you 'auditctl -l' after stopping auditd you'll see there are no rules and you'll have to 'auditctl -a' them to see them in syslog.

ElvisImprsntr · 01-29-2008, 06:31 PM

www.splunk.com is a commercial central audit log server and real time and interactive analysis. Free up to 500 MB per day. Install SNARE on Windows clients o forward events to the server via UDP messages. EPILOG also from IA audits windows ASCII logs which can be forwarded to syslog server.