Centralized Auditing
 

I'm interested in using auditd to monitor activities on my servers, but I have searched all around and can't find an answer to this. Does auditd support any sort of centralized logging, the say rsyslog or syslog-ng do? It would be great if I could get the audit logs in a database to start doing statistics on them. But I haven't had much luck finding a solution. Any ideas?

You want to use audisp. It should be installed already on Red-Hat and CentOS machines by default.


This should help get you going in the right direction.
http://linux.die.net/man/5/audisp-remote.conf

http://www.splunk.com is great for log collection and analysis. There is a free license available that might suffice for your needs.

I wouldn't touch splunk not even with a 10ft pole... my 2 centavos :)

Hi,
1. Well if you read man page of auditd, a lot information will be gathered.
2. In order to be specific read fifth section of man page i,e man 5 auditd.conf
3. After this stage you will be able to configure auditd rule to monitor file or directory.
4. 'ausearch' is a command to view the output of auditd. Again you need to refer man page for it.
5. Some examples are as follows:

make sure auditd is up and running.
Suppose you want to monitor/audit /etc/passwd file then issue following command:

What does above command means? -->
'-w' is for file to be watched.;
'-p' is for permissions such as read,write,execute,attribute.
'-k' is for the filter/tag which you can specify on your own.this filter/tag comes handy while reading the report of the auditd.

Please go through the man pages for further examples, it has quite a lot.

If you like or find it useful do click on 'like button'.


"Linux for humanity."