Enable Audit logs to send logs to syslog-ng (remote server)
Hi,
I have a working syslog-ng 2.1.4 running on RHEL 6.1. Currently we use it for logging network devices. Now we have planned to log servers as well. I have done the required changes in the audit settings on the client side.
cd /etc/audisp/plugins.d/
af_unix.conf syslog.conf
[root@client audit]# cat /etc/audisp/plugins.d/syslog.conf
# This file controls the configuration of the
# syslog plugin. It simply takes events and writes
# them to syslog.
active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO
format = string
Syslog configuration: I have the below in /etc/syslog.conf
I get only the below client logs on the syslog-ng server:
/var/Network_Log/192.168.1.81
-rw------- 1 root root 101894 Jan 3 17:30 kern.log
-rw------- 1 root root 276 Jan 3 17:30 daemon.log
-rw------- 1 root root 32024 Jan 3 17:35 maillog
-rw------- 1 root root 18689 Jan 3 17:36 cron.log
-rw------- 1 root root 305493 Jan 3 17:37 messages.log
The audit log is also getting updated in messages.log itself. I want audit.log to be created separately instead of being updated in messages.log.
I want to know what configuration must be done in syslog-ng to receive audit logs from remote Linux servers and write them to an audit log file. The reason I specifically need an audit file is that we need to share the details with our clients on request, so audit logs present inside the messages logs are creating a lot of confusion. I tried many things, but nothing seems to work. If anyone can assist, it would be helpful.
In /etc/audisp/plugins.d/syslog.conf "args = LOG_INFO", in /etc/syslog.conf "local6.* @192.168.1.11" but in syslog-ng server conf an odd facility "filter f_audit { facility (13);};" and no destination?
I took this "filter f_audit { facility (13);};" from a forum only, as the earlier one did not work. The destination was there; I was trying with another name and forgot to uncomment it while posting. Below is what I have:
Let me know what filter I should use for audit logs.
If you use a facility / priority pair of "local6" on the client side then shouldn't the facility on the server side match? Currently it reads "facility (13)" and 'man 3 syslog' says only LOG_LOCAL0 through LOG_LOCAL7 are available.
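The following is an added example, not configuration posted by anyone in this thread, showing a client/server pair that matches on both ends. It assumes the audispd syslog plugin's second argument selects the facility (the plugin accepts LOG_LOCAL0 through LOG_LOCAL7 there), that the syslog-ng server listens on UDP 514, that the per-host directory layout under /var/Network_Log is kept, and that the names s_net, f_audit and d_audit are my own. The point it illustrates is the mismatch raised above: in the syslog facility table codes 16-23 are local0-local7, so local6 is facility 22, while 13 is the RFC 3164 "log audit" code that no local6 sender ever produces, which is why a filter on facility (13) never matches.

```conf
# ---- Client side (RHEL 6.1) ----
# /etc/audisp/plugins.d/syslog.conf
# First argument is the priority, second selects the facility
# (only LOG_LOCAL0..LOG_LOCAL7 are accepted by the plugin).
active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO LOG_LOCAL6
format = string

# /etc/syslog.conf (client): forward everything audispd tags local6 to the
# syslog-ng server (192.168.1.11 as in the thread) and keep it out of the
# local messages file so audit records are not duplicated there.
local6.*                                                @192.168.1.11
*.info;mail.none;authpriv.none;cron.none;local6.none    /var/log/messages

# ---- Server side: /etc/syslog-ng/syslog-ng.conf (syslog-ng 2.x syntax) ----
# Assumed: UDP 514 receiver; source/filter/destination names are mine.
source s_net { udp(ip(0.0.0.0) port(514)); };

# Filter on the facility name; facility(13) is "log audit" in the RFC 3164
# table, not local6 (which is numeric facility 22), so it never matched.
filter f_audit { facility(local6); };

# One audit.log per sending host, root-only, directory created on demand.
destination d_audit {
    file("/var/Network_Log/$HOST/audit.log"
         owner(root) group(root) perm(0600) create_dirs(yes));
};

# flags(final) stops a matched message from also falling through to the
# later log statement that writes messages.log.
log { source(s_net); filter(f_audit); destination(d_audit); flags(final); };
```

Place this log statement before the catch-all statement that writes messages.log, because syslog-ng evaluates log statements in order and flags(final) only suppresses statements that come after it. Whether $HOST expands to the IP address (as in the existing /var/Network_Log/192.168.1.81 layout) or to a resolved name depends on the server's use_dns/keep_hostname settings, so check that after restarting syslog-ng.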