Closed lobsec closed 2 months ago
Hi @lobsec, I'm going to transfer this issue to the audit-userspace repository as that is a better place to ask this question.
You say you enabled the syslog plugin, but it shows audisp-remote actually running. If you really want to use syslog, disable the remote plugin and enable the syslog plugin. As of audit-3.0, it is a standalone program and not a builtin. It should be configured like this:
active = yes
direction = out
path = /sbin/audisp-syslog
type = always
args = LOG_INFO
format = string
Also note that systemd-journald also picks up audit events without doing any enrichment or anything. So, you want to disable this. To do this:
systemctl mask systemd-journald-audit.socket
systemctl stop systemd-journald-audit.socket
Restart the audit daemon and check what's running. If the syslog component is running, check your local syslog to see if you have audit events. The next step is to get syslog to syslog transfers working so that all of your local log goes to your syslog server.
If the intention is not to send audit events to syslog but keep them on a remote server, then you can set up audisp-remote on the client and, on the server, enable auditd's networking by uncommenting tcp_listen_port. Take a look at the documentation as it does mention some security steps you might take. This option would send audit events to a remote audit daemon for storage.
The last option would be if your SIEM has its own transport. In that case enable it as they direct. So, to recap, you have these options:
audisp-syslog->rsyslog(local)->rsyslog(remote)
audisp-remote(local)->auditd(remote)
siem_plugin(local)->siem(remote)
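The first of those options depends on /etc/audit/plugins.d/syslog.conf carrying the standalone-plugin settings listed above, so a quick sanity check of that file is worth having. The script below is an added example, not code from this thread or from the audit-userspace project: it reads the key = value lines of a plugin file and flags the settings the comment above calls out (active, direction, a path ending in audisp-syslog, and a type that is not builtin). It assumes that a missing type line means the default "always" and that args is a LOG_* facility such as LOG_INFO or LOG_LOCAL6; it does not check the journald socket or the running audisp-remote, which the comment covers separately.

```shell
#!/bin/sh
# Added example (not from the thread or the audit-userspace project).
# Checks an auditd plugin file such as /etc/audit/plugins.d/syslog.conf for
# the standalone audisp-syslog settings: active=yes, direction=out, a path to
# audisp-syslog and a type other than "builtin" (standalone since audit-3.0).
# Assumption: an omitted "type" line is treated as the default "always".

# get_conf_value FILE KEY: print the value of the first "KEY = value" line,
# with trailing whitespace removed; prints nothing if the key is absent.
get_conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*\)$/\1/p" "$1" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# check_syslog_plugin FILE: print one line per finding; return 0 when the
# file matches the recommended standalone configuration, 1 otherwise.
check_syslog_plugin() {
    conf=$1
    rc=0
    if [ ! -r "$conf" ]; then
        echo "$conf: not readable"
        return 1
    fi
    active=$(get_conf_value "$conf" active)
    direction=$(get_conf_value "$conf" direction)
    path=$(get_conf_value "$conf" path)
    ptype=$(get_conf_value "$conf" type)
    args=$(get_conf_value "$conf" args)

    [ "$active" = yes ] || { echo "active is '$active', expected yes"; rc=1; }
    [ "$direction" = out ] || { echo "direction is '$direction', expected out"; rc=1; }
    case "$path" in
        */audisp-syslog) ;;
        *) echo "path is '$path', expected a path ending in audisp-syslog"; rc=1 ;;
    esac
    case "$ptype" in
        always|"") ;;   # standalone plugin: "always", or omitted for the default
        builtin) echo "type=builtin: audisp-syslog is standalone since audit-3.0; use 'type = always' or drop the line"; rc=1 ;;
        *) echo "type is '$ptype', expected always"; rc=1 ;;
    esac
    case "$args" in
        LOG_*) ;;       # facility/priority handed to audisp-syslog, e.g. LOG_LOCAL6
        *) echo "args is '$args', expected a LOG_* facility such as LOG_LOCAL6"; rc=1 ;;
    esac
    return $rc
}

# Usage: sh check_plugin.sh /etc/audit/plugins.d/syslog.conf
if [ "$#" -gt 0 ]; then
    check_syslog_plugin "$1" && echo "$1: OK"
fi
```

Run it against the plugin file after editing and before restarting auditd; a non-zero exit with a "type=builtin" line is exactly the configuration that silently fails on audit-3.0, since the dispatcher then never starts the standalone program.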
Hi @stevegrubb and thanks for your prompt reply.
TL;DR As I read on this Red Hat KB, I modified the syslog.conf plugin from this
active = yes
direction = out
path = /sbin/audisp-syslog
type = builtin
args = LOG_LOCAL6
format = string
to this
active = yes
direction = out
path = /sbin/audisp-syslog
args = LOG_LOCAL6
format = string
restarted the auditd service and it works as a charm!
Hello all, I hope to find someone who can help me to understand what I am doing wrong in my environment.
The goal is to route all my audit logs to my syslog server and, in order to do that, I configured my
/etc/audit/plugins.d/syslog.conf
with these directives and my
/etc/rsyslog.conf
local6.* @@ip-of-my-remote-siem
Then I reboot both
auditd
and rsyslog
services but nothing happened. File
/var/log/audit/audit.log
is full of events (and they continue to grow) but these are not sent to my remote SIEM. If I check the status of
auditd
I see
My
rsyslog
service
If I try to do a tcpdump on my SIEM on port TCP/514 I don't see any data coming.
Does anyone have any idea how I can send these logs to the SIEM?