

Remote audit logs #26

Open pradox090909 opened 5 years ago

pradox090909 commented 5 years ago

Hi,

I am currently trying to get audisp-json working on a server. The plugin does work with local audit entries, but when processing incoming entries from remote servers (which are configured to use the au-remote plugin), I do not get any output. All my systems are using CentOS 7. Am I missing something in the configuration?

cat /etc/audit/auditd.conf                                                                          
#
# This file controls the configuration of the audit daemon
#

local_events = yes
write_logs = yes
log_file = /var/log/audit/audit.log
log_group = root
# ENRICHED appends resolved names (uid, gid, syscall, ...) to each record
log_format = ENRICHED
flush = INCREMENTAL_ASYNC
freq = 50
max_log_file = 8
num_logs = 5
priority_boost = 4
# lossy: per auditd.conf(5) events are discarded when the dispatcher cannot
# keep up, so gaps in the JSON output are not necessarily a plugin bug
disp_qos = lossy
dispatcher = /sbin/audispd
# NOTE(review): with NONE no node name is stamped on records, so events
# received from remote hosts are indistinguishable from local ones downstream
name_format = NONE
##name = mydomain
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
verify_email = yes
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
# --- remote-receive settings: this host accepts events from other auditd
# instances over TCP ---
# tcp_wrappers (hosts.allow / hosts.deny) access control for the listener
use_libwrap = yes
# port the audit daemon listens on for remote auditd clients
tcp_listen_port = 60
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
# NOTE(review): per auditd.conf(5) Kerberos provides authentication and
# encryption of the remote stream; with it disabled, access control for
# incoming events rests on libwrap alone
enable_krb5 = no
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key
# per auditd.conf(5) this is what hands network-originated events to the
# dispatcher (and hence to plugins such as audisp-json); default is no
distribute_network = yes

cat /etc/audisp/audisp-json.conf
# Collector endpoint for the JSON events; a plain http:// URL means the
# audit records travel unencrypted to node01.local
mozdef_url = http://node01.local:5532
# NOTE(review): disables TLS certificate verification. Moot for an http://
# URL, but it would leave an https:// endpoint unauthenticated and makes
# curl_cainfo below irrelevant
ssl_verify = no
curl_verbose = no
curl_logfile = /var/log/audisp-json-curl.debug
# CA bundle handed to curl; presumably only consulted when ssl_verify is yes
curl_cainfo = /etc/ssl/certs/mozilla-root.crt
# optional text wrapped around each JSON record (disabled here)
#prepend_msg = {"message": 
#postpend_msg = }
# local copy of the JSON output; the stdout variant is handy for debugging
#file_log = /dev/stdout
file_log = /var/log/audit_json.log

cat /etc/audisp/plugins.d/au-json.conf 
# audispd plugin registration for audisp-json
active = yes

# out: audispd writes events to the plugin's stdin
direction = out
path = /sbin/audisp-json
# always: run as an external program (as opposed to a builtin plugin)
type = always
#args =
#format = string
gdestuynder commented 5 years ago

hey, I've never tested this with remote entries, and while I would expect "this just works", it's possible that it does not. If you're able to debug why, or to provide a sample of what the remote auditd is sending you, I can probably figure it out.