Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
12-20-2007, 03:06 PM
#1
LQ Newbie
Registered: Oct 2005
Posts: 10
Sending audit information with syslog
Hello. I was trying to set up the auditd daemon to send the messages to a remote server by using syslog. Is that possible? I've just found the aureport tool, which allows querying the audit events, but I'd like to retrieve those events from syslog.
If not, is there a way to set some auditing entries with SELinux and retrieve them via syslog?
Thanks in advance for your help!
01-10-2008, 06:14 AM
#2
LQ Newbie
Registered: Nov 2007
Posts: 9
I have the same question.
01-10-2008, 01:11 PM
#3
Moderator
Registered: May 2001
Posts: 29,417
If auditd runs it logs to /var/log/audit/audit.log.
If it doesn't run the messages go to Syslogd.
Syslogd can log to a remote syslog server.
01-29-2008, 06:02 AM
#4
LQ Newbie
Registered: Nov 2007
Posts: 9
auditd not the same as syslog
The problem with syslog is that you cannot audit the things that you can with auditd... for example, you cannot audit chmod, chown, symlink, etc. Syslog audits system functions where auditd audits user space.
I am still hoping someone posts a reply with a method to aggregate audit logs, other than the Snare solution.
tks,
rob
01-29-2008, 08:17 AM
#5
Moderator
Registered: May 2001
Posts: 29,417
Quote:
Originally Posted by rparnold
Syslog audits system functions where auditd audits user space.
Syslog actively audits nothing, it's just a conduit for transferring kernel and daemon messages someplace.
And if I stop auditd and auditctl rules, they get logged to syslog perfectly.
01-29-2008, 09:16 AM
#6
LQ Newbie
Registered: Nov 2007
Posts: 9
audit.rules
OK... stopped the audit daemon, and I do not see the auditing of the syscalls that we have defined in audit.rules going to syslog. Is there something else we need to do? We are trying to audit user space syscalls to be CC compliant.
01-29-2008, 10:31 AM
#7
LQ Newbie
Registered: Nov 2007
Posts: 9
Thanks for the help
Stopped auditd, and user space auditing is now going to syslog-ng and on to a SIEM tool. Now to get the SIEM tool to parse the data... another problem, another thread, another day.
thanks
01-29-2008, 12:41 PM
#8
Moderator
Registered: May 2001
Posts: 29,417
Quote:
Originally Posted by rparnold
OK...stopped the audit daemon and I do not see the auditing of the syscalls that we have defined in audit.rules going to syslog. Is there something else we need to do?
To answer that: if you 'auditctl -l' after stopping auditd you'll see there are no rules and you'll have to 'auditctl -a' them to see them in syslog.
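Added example for posts #3, #7 and #8 (it is not code from any of the posters): a small Python parser for the audit records that reach syslog once auditd is stopped and the rules have been re-added with auditctl, the data that post #7 says the SIEM still has to parse. The sample log lines are constructed. The record layout (an optional type= field, audit(timestamp:serial), key=value fields, several records sharing one serial per syscall) is what the kernel and auditd produce; whether the kernel-printed line carries a numeric type= prefix depends on kernel version, so the parser accepts both forms as well as auditd's own type=SYSCALL msg=audit(...) layout from /var/log/audit/audit.log. The key= field comes from the -k option on the audit rule; syscall numbers in the sample are x86_64 (90 chmod, 88 symlink, 92 chown). Host names, paths and users are made up.

```python
"""Parse Linux kernel audit records that arrive via syslog (auditd stopped)
or from auditd's own audit.log, and group them into per-event summaries.

Added example for this thread; not code from the original posts.
SAMPLE below is constructed for illustration."""
import re
from collections import defaultdict

# Numeric record types from the kernel's audit.h, mapped to the names auditd prints.
AUDIT_TYPES = {1300: "SYSCALL", 1302: "PATH", 1307: "CWD", 1327: "PROCTITLE"}

# Syslog prefix for the kernel facility, e.g. "Jan 29 09:16:01 host kernel: ",
# optionally followed by a dmesg-style "[ 1234.567890] " timestamp.
SYSLOG_PREFIX = re.compile(
    r"^\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\S+\s+kernel:\s*(?:\[\s*\d+\.\d+\]\s*)?")
# Accepts all three header forms:
#   "type=1300 audit(1201616161.123:456): ..."         kernel printk, newer kernels
#   "audit(1201616161.123:456): ..."                   kernel printk, older kernels
#   "type=SYSCALL msg=audit(1201616161.123:456): ..."  auditd's audit.log
HEADER = re.compile(r"^(?:type=(\S+)\s+)?(?:msg=)?audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
# key=value pairs; values are bare tokens or double-quoted strings.
KV = re.compile(r'(\w+)=("[^"]*"|\S*)')


def parse_record(line):
    """Return one audit record as a dict, or None if the line is not an audit record."""
    body = SYSLOG_PREFIX.sub("", line.strip())
    m = HEADER.match(body)
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in KV.findall(rest)}
    if rtype is None:                      # old-kernel form carries no type= at all
        rtype = "SYSCALL" if "syscall" in fields else "UNKNOWN"
    elif rtype.isdigit():                  # numeric type from printk
        rtype = AUDIT_TYPES.get(int(rtype), "TYPE_" + rtype)
    return {"type": rtype, "time": float(ts), "serial": int(serial), "fields": fields}


def group_events(lines):
    """Group records by audit serial: one syscall event spans SYSCALL, CWD and PATH records."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events[rec["serial"]].append(rec)
    return dict(events)


def summarize(records):
    """Flatten one event's records into the fields a SIEM rule would key on."""
    sc = next((r for r in records if r["type"] == "SYSCALL"), None)
    if sc is None:
        return None
    f = sc["fields"]
    return {
        "serial": sc["serial"],
        "time": sc["time"],
        "syscall": int(f.get("syscall", -1)),
        "success": f.get("success") == "yes",
        "auid": f.get("auid"), "uid": f.get("uid"),
        "comm": f.get("comm"), "exe": f.get("exe"),
        "key": f.get("key"),                # the -k tag from the audit rule
        "cwd": next((r["fields"].get("cwd") for r in records if r["type"] == "CWD"), None),
        "paths": [r["fields"]["name"] for r in records
                  if r["type"] == "PATH" and "name" in r["fields"]],
    }


def events_by_key(lines, wanted_keys):
    """Summaries of the events whose rule key is in wanted_keys (e.g. {"perm_mod"})."""
    summaries = [summarize(recs) for recs in group_events(lines).values()]
    return [s for s in summaries if s is not None and s["key"] in wanted_keys]


# Constructed sample: what a syslog server receives from a host whose auditd is
# stopped and whose rules were loaded with auditctl -a ... -k perm_mod / -k symlink,
# plus one auditd-format line and one unrelated kernel message.
SAMPLE = [
    'Jan 29 09:16:01 host kernel: type=1300 audit(1201616161.123:456): arch=c000003e '
    'syscall=90 success=yes exit=0 a0=7fff1234 a1=1ed a2=0 a3=0 items=1 ppid=2001 pid=2034 '
    'auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 '
    'tty=pts0 ses=3 comm="chmod" exe="/bin/chmod" key="perm_mod"',
    'Jan 29 09:16:01 host kernel: type=1307 audit(1201616161.123:456): cwd="/home/rob"',
    'Jan 29 09:16:01 host kernel: type=1302 audit(1201616161.123:456): item=0 '
    'name="/home/rob/secret.txt" inode=12345 dev=08:01 mode=0100644 ouid=500 ogid=500 rdev=00:00',
    'Jan 29 09:16:02 host kernel: audit(1201616162.555:457): arch=c000003e syscall=88 '
    'success=no exit=-13 a0=7fff5678 a1=7fff9abc a2=0 a3=0 items=2 ppid=2001 pid=2040 '
    'auid=500 uid=500 gid=500 euid=500 comm="ln" exe="/bin/ln" key="symlink"',
    'Jan 29 09:16:02 host kernel: type=1302 audit(1201616162.555:457): item=0 name="/etc/shadow"',
    'Jan 29 09:16:02 host kernel: type=1302 audit(1201616162.555:457): item=1 name="/tmp/shadow"',
    'Jan 29 09:16:03 host kernel: eth0: link up',      # not an audit record, must be ignored
    'type=SYSCALL msg=audit(1201616170.001:458): arch=c000003e syscall=92 success=yes '
    'exit=0 items=1 pid=2050 auid=500 uid=0 comm="chown" exe="/bin/chown" key="perm_mod"',
]

if __name__ == "__main__":
    for s in events_by_key(SAMPLE, {"perm_mod", "symlink"}):
        print(s["serial"], s["comm"], "ok" if s["success"] else "FAILED", s["paths"])
```

Grouping by serial before matching matters: a single chmod produces a SYSCALL record plus CWD and PATH records that only make sense together, and the failed symlink attempt above is only recognisable as a failure from the SYSCALL record while its target is only in the PATH records. On the sending host this assumes syslog forwards the kernel facility to the collector (a `kern.* @loghost` or `*.* @loghost` line in syslog.conf) and that the rules were re-added with auditctl after auditd was stopped, since, as post #8 notes, `auditctl -l` shows none at that point.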
01-29-2008, 06:31 PM
#9
Member
Registered: Aug 2007
Location: Florida
Posts: 33
www.splunk.com is a commercial central audit log server with real-time and interactive analysis. Free up to 500 MB per day. Install SNARE on Windows clients to forward events to the server via UDP messages. EPILOG, also from IA, audits Windows ASCII logs, which can be forwarded to a syslog server.