Centralized Auditing
I'm interested in using auditd to monitor activities on my servers, but I have searched all around and can't find an answer to this. Does auditd support any sort of centralized logging, the way rsyslog or syslog-ng do? It would be great if I could get the audit logs into a database to start doing statistics on them. But I haven't had much luck finding a solution. Any ideas?
You want to use audisp. It should be installed already on Red Hat and CentOS machines by default.
This should help get you going in the right direction. http://linux.die.net/man/5/audisp-remote.conf
http://www.splunk.com is great for log collection and analysis. There is a free license available that might suffice for your needs.
Hi,
1. Well, if you read the man page of auditd, a lot of information will be gathered.
2. In order to be specific, read the fifth section of the man page, i.e. man 5 auditd.conf.
3. After this stage you will be able to configure an auditd rule to monitor a file or directory.
4. 'ausearch' is a command to view the output of auditd. Again you need to refer to the man page for it.
5. Some examples are as follows: make sure auditd is up and running. Suppose you want to monitor/audit the /etc/passwd file, then issue the following command:
Code:
root# auditctl -w /etc/passwd -p war -k Change_bit
'-w' is for the file to be watched; '-p' is for permissions such as read, write, execute, attribute; '-k' is for the filter/tag which you can specify on your own. This filter/tag comes in handy while reading the report of auditd. Please go through the man pages for further examples, it has quite a lot. If you like or find it useful do click on 'like button'.
"Linux for humanity."