Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 09-14-2011, 04:18 PM   #1
Registered: Oct 2004
Distribution: Slackware, CentOS
Posts: 135

Rep: Reputation: 15
Centralized Auditing

I'm interested in using auditd to monitor activities on my servers, but I have searched all around and can't find an answer to this. Does auditd support any sort of centralized logging, the way rsyslog or syslog-ng do? It would be great if I could get the audit logs in a database to start doing statistics on them. But I haven't had much luck finding a solution. Any ideas?
Old 09-14-2011, 04:52 PM   #2
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 430

Rep: Reputation: 67
You want to use audisp. It should be installed already on Red Hat and CentOS machines by default.

This should help get you going in the right direction.
Old 09-16-2011, 12:21 AM   #3
LQ Newbie
Registered: May 2009
Posts: 8

Rep: Reputation: 0
Splunk is great for log collection and analysis. There is a free license available that might suffice for your needs.
Old 09-16-2011, 12:45 AM   #4
Registered: Jun 2006
Location: /dev/null
Distribution: Slackware 13.1, Slackware 13.37, aptosid, rhel
Posts: 542
Blog Entries: 7

Rep: Reputation: 55
Originally Posted by jdeklerk
Splunk is great for log collection and analysis. There is a free license available that might suffice for your needs.
I wouldn't touch Splunk, not even with a 10ft pole... my 2 centavos
Old 09-16-2011, 02:02 AM   #5
Registered: Jul 2008
Posts: 90

Rep: Reputation: 17
1. Well, if you read the man page of auditd, a lot of information will be gathered.
2. To be specific, read the fifth section of the man page, i.e. man 5 auditd.conf.
3. After this stage you will be able to configure an auditd rule to monitor a file or directory.
4. 'ausearch' is the command to view the output of auditd. Again, you need to refer to the man page for it.
5. Some examples are as follows:

Make sure auditd is up and running.
Suppose you want to monitor/audit the /etc/passwd file; then issue the following command:

root#auditctl -w /etc/passwd -p war -k Change_bit

What does the above command mean?
'-w' is for the file to be watched;
'-p' is for permissions such as read, write, execute, attribute;
'-k' is for the filter/tag which you can specify on your own. This filter/tag comes in handy while reading the report of auditd.

Please go through the man pages for further examples; they have quite a lot.

If you like it or find it useful, do click on the 'like' button.

"Linux for humanity."
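Added example, not from any poster in this thread: the original question asks for audit logs in a database for statistics, and the post above shows that the -k tag of an auditctl watch is what makes the records easy to pick out afterwards. The script below parses records in the native /var/log/audit/audit.log format, loads them into an in-memory SQLite table and answers two questions: how many events each key produced, and who touched the watched file (joining the SYSCALL record with the PATH record of the same event via the serial in msg=audit(ts:serial)). The log lines are constructed for the example and the table layout is an assumption; on a real host ausearch and aureport cover the simple cases and audisp is the shipping route, but the parsing below is what a home-grown collector has to do.

```python
import re
import sqlite3

# Constructed sample records in auditd's native format (not from a real host).
# Records of one event share the serial inside msg=audit(seconds.millis:serial).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1316036400.123:1001): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=2101 pid=2150 auid=500 uid=0 gid=0 euid=0 ses=3 comm="vi" exe="/usr/bin/vi" key="Change_bit"
type=CWD msg=audit(1316036400.123:1001):  cwd="/root"
type=PATH msg=audit(1316036400.123:1001): item=0 name="/etc/passwd" inode=131145 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1316036455.901:1002): arch=c000003e syscall=2 success=no exit=-13 items=1 ppid=3300 pid=3310 auid=501 uid=501 gid=501 euid=501 ses=4 comm="cat" exe="/bin/cat" key="Change_bit"
type=PATH msg=audit(1316036455.901:1002): item=0 name="/etc/passwd" inode=131145 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=USER_LOGIN msg=audit(1316036500.000:1003): user pid=3400 uid=0 auid=501 ses=5 msg='op=login id=501 exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=/dev/pts/1 res=success'
"""

HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+)\.(\d+):(\d+)\):\s*(.*)$")
# A value is either double-quoted, single-quoted (the nested msg='...' of
# user-space records, kept as one opaque string) or a bare token.
FIELD_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")


def parse_record(line):
    """Split one audit record into its type, timestamp, serial and key=value fields.

    Returns None for lines that do not carry the standard header."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, secs, millis, serial, rest = m.groups()
    fields = {key: raw.strip("\"'") for key, raw in FIELD_RE.findall(rest)}
    return {"type": rtype, "ts": float(f"{secs}.{millis}"),
            "serial": int(serial), "fields": fields}


def load_events(log_text):
    """Load raw records into an in-memory SQLite table, one row per record.

    The table layout is this example's own choice: the columns a watch-based
    statistic needs, keyed by serial so SYSCALL and PATH records can be joined."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE records (
        serial INTEGER, ts REAL, type TEXT, key TEXT, auid TEXT, uid TEXT,
        success TEXT, comm TEXT, exe TEXT, name TEXT)""")
    rows = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        f = rec["fields"]
        rows.append((rec["serial"], rec["ts"], rec["type"], f.get("key"),
                     f.get("auid"), f.get("uid"), f.get("success"),
                     f.get("comm"), f.get("exe"), f.get("name")))
    conn.executemany("INSERT INTO records VALUES (?,?,?,?,?,?,?,?,?,?)", rows)
    conn.commit()
    return conn


def count_by_key(conn):
    """Number of SYSCALL events per -k tag, i.e. how often each watch fired."""
    cur = conn.execute("SELECT key, COUNT(*) FROM records "
                       "WHERE type = 'SYSCALL' GROUP BY key ORDER BY key")
    return dict(cur.fetchall())


def file_accesses(conn, key):
    """Join each tagged SYSCALL with the PATH record of the same event:
    (timestamp, login uid, command, file name, success) in time order."""
    cur = conn.execute("""
        SELECT s.ts, s.auid, s.comm, p.name, s.success
        FROM records s
        JOIN records p ON p.serial = s.serial AND p.type = 'PATH'
        WHERE s.type = 'SYSCALL' AND s.key = ?
        ORDER BY s.ts""", (key,))
    return cur.fetchall()


if __name__ == "__main__":
    db = load_events(SAMPLE_LOG)
    print(count_by_key(db))
    for row in file_accesses(db, "Change_bit"):
        print(row)
```

The auid (login uid) column is the one worth keeping for statistics: it survives su and sudo, so the failed read of /etc/passwd by uid 501 and the successful edit by a root shell that uid 500 logged into are attributed to the right people. Records without a key (the USER_LOGIN line) still load, so the same table also serves login statistics.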
