How to save audit logs to remote host.

Rossonero224 · 12-24-2009, 08:04 PM

Good morning everybody.
I am building an centre audit system. It means that I have to get the audit logs from kernel and collect all of them to a centre log server.

I used Centos 5.4 and audit-1.7. The "auditd" worked very well and I could easily get audit log in each host. But the problem is "collect audit logs to centre log server".
I had 2 solution for it.
+ The 1st solution is stop "auditd" and I can get audit log pass into syslogd and easily collect all of them to a centre log server. But the format of audit log that I got is changed so that I can't use some tool which come belong with auditd(ausearch and aureport) to make the audit log to be humanable. I don't like that.
+ The 2nd solution is use "audispd" and "audispd-remote" but I don't know how to config them.
Can any one give me an idea.
Thanks

acid_kewpie · 12-25-2009, 01:13 AM

i'd suggest you persist with syslog, just need some fine tuning on the formatting on the central server. Personally I'd recommend syslog-ng centrally to allow a lot of control of the formats and file locations.

Rossonero224 · 12-28-2009, 01:20 AM

Quote:

Originally Posted by acid_kewpie

i'd suggest you persist with syslog, just need some fine tuning on the formatting on the central server. Personally I'd recommend syslog-ng centrally to allow a lot of control of the formats and file locations.

Thanks for your reply.
This feature of syslog-ng is great and I can remove some info in log message that I don't need.
But what about the 2nd solution? Has anynone ever configured audispd and dispathcer for auditd?