LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Post #1 - kelo81 (LQ Newbie), 12-20-2007, 03:06 PM
Sending audit information with syslog


Hello. I was trying to set up the auditd daemon to send its messages to a remote server using syslog. Is that possible? I've just found the aureport tool, which allows querying the audit events, but I'd like to retrieve those events from syslog.
If not, is there a way to set some auditing entries with SELinux and retrieve them by syslog?

Thanks in advance for your help!
 
Post #2 - rparnold (LQ Newbie), 01-10-2008, 06:14 AM
I have the same question.
 
Post #3 - unSpawn (Moderator), 01-10-2008, 01:11 PM
If auditd runs, it logs to /var/log/audit/audit.log.
If it doesn't run, the messages go to syslogd.
Syslogd can log to a remote syslog server.
 
Post #4 - rparnold (LQ Newbie), 01-29-2008, 06:02 AM
auditd not the same as syslog

The problem with syslog is that you cannot audit the things that you can with auditd... for example, you cannot audit chmod, chown, symlink, etc. Syslog audits system functions, where auditd audits user space.

I am still hoping someone posts a reply with a method to aggregate audit logs, other than the Snare solution.

tks,
rob
 
Post #5 - unSpawn (Moderator), 01-29-2008, 08:17 AM
Quote (originally posted by rparnold):
    Syslog audits system functions where auditd audits user space.
Syslog actively audits nothing; it's just a conduit for transferring kernel and daemon messages someplace.
And if I stop auditd and auditctl rules, they get logged to syslog perfectly.
 
Post #6 - rparnold (LQ Newbie), 01-29-2008, 09:16 AM
audit.rules

OK... stopped the audit daemon, and I do not see the auditing of the syscalls that we have defined in audit.rules going to syslog. Is there something else we need to do? We are trying to audit user space syscalls to be CC compliant.
 
Post #7 - rparnold (LQ Newbie), 01-29-2008, 10:31 AM
Thanks for the help

Stopped auditd, and user space auditing is now going to syslog-ng and on to a SIEM tool... Now to get the SIEM tool to parse the data... another problem, another thread, another day.

thanks
 
Post #8 - unSpawn (Moderator), 01-29-2008, 12:41 PM
Quote (originally posted by rparnold):
    OK... stopped the audit daemon and I do not see the auditing of the syscalls that we have defined in audit.rules going to syslog. Is there something else we need to do?
To answer that: if you run 'auditctl -l' after stopping auditd, you'll see there are no rules, and you'll have to 'auditctl -a' them to see them in syslog.
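The records that reach syslog-ng once auditd is stopped (posts #5 to #8) and the records auditd writes to /var/log/audit/audit.log are the same kernel key=value format, keyed on an audit serial, which is also what the SIEM in post #7 has to parse. The following is an added example, not code from this thread or from the audit project: a Python parser that accepts both forms, decodes the hex-escaped fields the kernel uses for values containing spaces, groups records into events by serial and renders each event as one syslog-style line. The numeric type map, the set of hex-escaped fields, the hostname and facility, and the sample log lines are all assumptions constructed for the example.

```python
"""Parse Linux audit records from audit.log or from syslog (kernel printk),
group them into events by serial and render one syslog-style line per event.
Added example; the SAMPLE lines are constructed, not captured from a host."""
import re
import time
from collections import OrderedDict

# Numeric record types as the kernel prints them when no daemon consumes the
# audit netlink socket. Assumed subset of <linux/audit.h>; unmapped types are
# kept as UNKNOWN[<n>] rather than guessed.
TYPE_NAMES = {1300: "SYSCALL", 1302: "PATH", 1305: "CONFIG_CHANGE",
              1307: "CWD", 1309: "EXECVE", 1320: "EOE", 1327: "PROCTITLE",
              1400: "AVC"}

# Fields the kernel emits as unquoted hex when the value holds whitespace,
# quotes or control bytes (assumed subset). Quoted values are never decoded.
HEX_FIELDS = {"name", "proctitle", "comm", "exe", "cwd", "key"}

RECORD_RE = re.compile(
    r"type=(?P<type>\w+)\s+(?:msg=)?audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):"
    r"\s*(?P<body>.*)$")
FIELD_RE = re.compile(r'(?P<k>[\w-]+)=(?:"(?P<q>[^"]*)"|(?P<u>\S*))')


def decode_value(key, value):
    """Turn a hex-escaped value back into text; NUL separates argv words."""
    if key in HEX_FIELDS and value and len(value) % 2 == 0 \
            and re.fullmatch(r"[0-9A-Fa-f]+", value):
        raw = bytes.fromhex(value).rstrip(b"\x00").replace(b"\x00", b" ")
        return raw.decode("utf-8", "replace")
    return value


def parse_record(line):
    """Parse one record: 'type=SYSCALL msg=audit(...)' (audit.log) or
    '<syslog header> kernel: type=1300 audit(...)' (syslog). Returns None
    for lines that are not audit records."""
    idx = line.find("type=")
    m = RECORD_RE.match(line[idx:]) if idx >= 0 else None
    if not m:
        return None
    rtype = m.group("type")
    if rtype.isdigit():
        rtype = TYPE_NAMES.get(int(rtype), "UNKNOWN[%s]" % rtype)
    fields = OrderedDict()
    for fm in FIELD_RE.finditer(m.group("body")):
        key = fm.group("k")
        if fm.group("q") is not None:
            fields[key] = fm.group("q")          # quoted: taken verbatim
        else:
            fields[key] = decode_value(key, fm.group("u"))
    return {"type": rtype, "time": float(m.group("ts")),
            "serial": int(m.group("serial")), "fields": fields}


def group_events(lines):
    """Group records that share a serial into one event, first-seen order."""
    events = OrderedDict()
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events.setdefault(rec["serial"], []).append(rec)
    return events


def quote(value):
    """Re-quote values that would otherwise split the flattened output."""
    if value == "" or re.search(r'[\s"]', value):
        return '"%s"' % value.replace('"', '\\"')
    return value


def to_syslog(records, hostname="host1", facility=13, severity=5):
    """Render an event as one RFC 3164-style line (PRI, timestamp, host,
    tag) carrying every record's fields. hostname/facility are assumed."""
    first = records[0]
    t = time.gmtime(first["time"])
    stamp = "%s %2d %02d:%02d:%02d" % (time.strftime("%b", t), t.tm_mday,
                                       t.tm_hour, t.tm_min, t.tm_sec)
    parts = []
    for rec in records:
        kv = " ".join("%s=%s" % (k, quote(v)) for k, v in rec["fields"].items())
        parts.append("%s[%s]" % (rec["type"], kv))
    return "<%d>%s %s audit: serial=%d %s" % (
        facility * 8 + severity, stamp, hostname, first["serial"], " ".join(parts))


# Constructed sample: event 45 in audit.log form, event 46 as the kernel
# prints it to syslog (numeric types, hex proctitle), plus one non-audit line.
SAMPLE = [
    'type=SYSCALL msg=audit(1201610000.123:45): arch=c000003e syscall=90 '
    'success=yes exit=0 a0=7fff1234abcd pid=4242 auid=500 uid=0 '
    'comm="chmod" exe="/bin/chmod" key="perm_mod"',
    'type=CWD msg=audit(1201610000.123:45):  cwd="/root"',
    'type=PATH msg=audit(1201610000.123:45): item=0 '
    'name=2F746D702F666F6F20626172 inode=1234 dev=08:01 mode=0100644',
    'Jan 29 10:31:00 host1 kernel: type=1300 audit(1201610100.500:46): '
    'arch=c000003e syscall=92 success=no exit=-1 pid=4243 auid=500 uid=500 '
    'comm="chown" exe="/bin/chown" key="perm_mod"',
    'Jan 29 10:31:00 host1 kernel: type=1327 audit(1201610100.500:46): '
    'proctitle=63686F776E00726F6F74002F6574632F736861646F77',
    'Jan 29 10:31:00 host1 kernel: type=1320 audit(1201610100.500:46): ',
    'Jan 29 10:31:01 host1 sshd[123]: Accepted publickey for root',
]

if __name__ == "__main__":
    for recs in group_events(SAMPLE).values():
        print(to_syslog(recs))
```

Running it prints one line per event; the PATH name "/tmp/foo bar" and the proctitle "chown root /etc/shadow" come out decoded, which is the part a SIEM usually gets wrong when it treats the hex blob as an opaque string. Only unquoted values are ever hex-decoded, so a quoted comm="cafe" is not mistaken for hex.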
 
Post #9 - ElvisImprsntr (Member, Florida), 01-29-2008, 06:31 PM
www.splunk.com is a commercial central audit log server with real-time and interactive analysis. Free up to 500 MB per day. Install SNARE on Windows clients to forward events to the server via UDP messages. EPILOG, also from IA, audits Windows ASCII logs, which can be forwarded to a syslog server.
 