linux-audit / audit-userspace

Linux audit userspace repository
GNU General Public License v2.0

Q: unable to send my logs to remote SIEM #367

Closed lobsec closed 2 months ago

lobsec commented 2 months ago

Hello all, I hope to find someone who can help me understand what I am doing wrong in my environment.

OS: AlmaLinux 9.3
Audit: audit-3.0.7-104.el9.x86_64
Plugin: audispd-plugins-3.0.7-104.el9.x86_64

The goal is to route all my audit logs to my syslog server and, in order to do that, I configured my /etc/audit/plugins.d/syslog.conf with these directives

active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_LOCAL6
format = string

and in my /etc/rsyslog.conf: local6.* @@ip-of-my-remote-siem
</gra_replace>
<gr_replace lines="30" cat="clarify" orig="The I">
Then I restarted both the auditd and rsyslog services, but nothing happened.

The I reboot both auditd and rsyslog services but nothing happend.

The file /var/log/audit/audit.log is full of events (and it keeps growing), but these are not sent to my remote SIEM.

If I check the status of auditd I see

# systemctl status auditd
● auditd.service - Security Auditing Service
     Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; preset: enabled)
     Active: active (running) since Fri 2024-04-19 08:36:41 CEST; 14s ago
       Docs: man:auditd(8)
             https://github.com/linux-audit/audit-documentation
    Process: 3396930 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
    Process: 3396937 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
   Main PID: 3396932 (auditd)
      Tasks: 4 (limit: 48853)
     Memory: 40.3M
        CPU: 17.859s
     CGroup: /system.slice/auditd.service
             ├─3396932 /sbin/auditd
             └─3396934 /sbin/audisp-remote

Apr 19 08:36:56 myserver audisp-remote[3396934]: queue is full - dropping event
Apr 19 08:36:56 myserver audisp-remote[3396934]: queue is full - dropping event
Apr 19 08:36:56 myserver audisp-remote[3396934]: queue is full - dropping event
Apr 19 08:36:56 myserver audisp-remote[3396934]: queue is full - dropping event
Apr 19 08:36:56 myserver audisp-remote[3396934]: queue is full - dropping event
Apr 19 08:36:56 myserver audisp-remote[3396934]: queue is full - dropping event
Apr 19 08:36:56 myserver audisp-remote[3396934]: queue is full - dropping event
Apr 19 08:36:56 myserver audisp-remote[3396934]: queue is full - dropping event
Apr 19 08:36:56 myserver audisp-remote[3396934]: queue is full - dropping event
Apr 19 08:36:56 myserver audisp-remote[3396934]: queue is full - dropping event

My rsyslog service

# systemctl status rsyslog
● rsyslog.service - System Logging Service
     Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; preset: enabled)
     Active: active (running) since Fri 2024-04-19 08:20:29 CEST; 18min ago
       Docs: man:rsyslogd(8)
             https://www.rsyslog.com/doc/
   Main PID: 3394650 (rsyslogd)
      Tasks: 3 (limit: 48853)
     Memory: 5.7M
        CPU: 1min 17.506s
     CGroup: /system.slice/rsyslog.service
             └─3394650 /usr/sbin/rsyslogd -n

Apr 19 08:31:23 myserver rsyslogd[3394650]: imjournal from <myserver:audisp-remote>: begin to drop messages due to rate-limiting
Apr 19 08:31:54 myserver rsyslogd[3394650]: imjournal: journal files changed, reloading...  [v8.2102.0-117.el9 try https://www.rsyslog.com/e/0 ]
Apr 19 08:32:52 myserver rsyslogd[3394650]: imjournal: journal files changed, reloading...  [v8.2102.0-117.el9 try https://www.rsyslog.com/e/0 ]
Apr 19 08:33:24 myserver rsyslogd[3394650]: imjournal: journal files changed, reloading...  [v8.2102.0-117.el9 try https://www.rsyslog.com/e/0 ]
Apr 19 08:34:22 myserver rsyslogd[3394650]: imjournal: journal files changed, reloading...  [v8.2102.0-117.el9 try https://www.rsyslog.com/e/0 ]
Apr 19 08:34:54 myserver rsyslogd[3394650]: imjournal: journal files changed, reloading...  [v8.2102.0-117.el9 try https://www.rsyslog.com/e/0 ]
Apr 19 08:35:52 myserver rsyslogd[3394650]: imjournal: journal files changed, reloading...  [v8.2102.0-117.el9 try https://www.rsyslog.com/e/0 ]
Apr 19 08:36:24 myserver rsyslogd[3394650]: imjournal: journal files changed, reloading...  [v8.2102.0-117.el9 try https://www.rsyslog.com/e/0 ]
Apr 19 08:36:56 myserver rsyslogd[3394650]: imjournal: journal files changed, reloading...  [v8.2102.0-117.el9 try https://www.rsyslog.com/e/0 ]
Apr 19 08:37:54 myserver rsyslogd[3394650]: imjournal: journal files changed, reloading...  [v8.2102.0-117.el9 try https://www.rsyslog.com/e/0 ]

If I run a tcpdump on my SIEM on port TCP/514 I don't see any data coming in.

Does anyone have any idea how I can send these logs to the SIEM?

pcmoore commented 2 months ago

Hi @lobsec, I'm going to transfer this issue to the audit-userspace repository as that is a better place to ask this question.

stevegrubb commented 2 months ago

You say you enabled the syslog plugin, but it shows audisp-remote actually running. If you really want to use syslog, disable the remote plugin and enable the syslog plugin. As of audit-3.0, it is a standalone program and not a builtin. It should be configured like this:

active = yes
direction = out
path = /sbin/audisp-syslog
type = always
args = LOG_INFO
format = string

Also note that systemd-journald also picks up audit events without doing any enrichment or anything. So, you want to disable this. Do this:

systemctl mask systemd-journald-audit.socket
systemctl stop systemd-journald-audit.socket

Restart the audit daemon and check what's running. If the syslog component is running, check your local syslog to see if you have audit events. The next step is to get syslog to syslog transfers working so that all of your local log goes to your syslog server.

If the intention is not to send audit events to syslog but to keep them on a remote server, then you can set up audisp-remote on the client and, on the server, enable auditd's networking by uncommenting tcp_listen_port. Take a look at the documentation as it does mention some security steps you might take. This option would send audit events to a remote audit daemon for storage.

The last option would be if your SIEM has its own transport. In that case enable it as they direct. So, to recap, you have these options:

audisp-syslog->rsyslog(local)->rsyslog(remote)
audisp-remote(local)->auditd(remote)
siem_plugin(local)->siem(remote)
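To make the points in the answer above checkable, here is an added example (not code from audit-userspace) that parses files in the /etc/audit/plugins.d layout and reports the problems discussed in this thread: the pre-3.0 `builtin_syslog` layout, a `type = builtin` paired with a standalone program path, and more than one transport plugin being active at once. The sample plugin contents are constructed from the configs posted here; the `/etc/audit/plugins.d` path and the `type = always` default are taken from the answer.

```python
# Added example, not audit-userspace code: a checker for auditd dispatcher
# plugin files (the /etc/audit/plugins.d/*.conf layout). It applies the
# thread's advice: on audit 3.x the syslog plugin is a standalone program,
# and only the transport you actually intend should be active.
from typing import Dict, List

# Constructed sample: the failing syslog.conf as posted, plus an active
# au-remote.conf, which is why audisp-remote appeared in the service status.
SAMPLE_PLUGINS: Dict[str, str] = {
    "syslog.conf": (
        "active = yes\n"
        "direction = out\n"
        "path = builtin_syslog\n"
        "type = builtin\n"
        "args = LOG_LOCAL6\n"
        "format = string\n"
    ),
    "au-remote.conf": (
        "active = yes\n"
        "direction = out\n"
        "path = /sbin/audisp-remote\n"
        "type = always\n"
        "format = string\n"
    ),
}

# The corrected syslog.conf from the thread; type is omitted (defaults to always).
FIXED_SYSLOG: Dict[str, str] = {
    "syslog.conf": (
        "active = yes\n"
        "direction = out\n"
        "path = /sbin/audisp-syslog\n"
        "args = LOG_LOCAL6\n"
        "format = string\n"
    ),
}


def parse_plugin_conf(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines; '#' comments and blank lines are ignored."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"malformed plugin line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        conf[key.lower()] = value
    return conf


def check_plugins(plugins: Dict[str, str]) -> List[str]:
    """Return human-readable findings for a set of plugin files (name -> contents)."""
    findings: List[str] = []
    active: List[str] = []
    for name, text in plugins.items():
        conf = parse_plugin_conf(text)
        if conf.get("active", "no").lower() != "yes":
            continue  # inactive plugins are never dispatched to
        active.append(name)
        path = conf.get("path", "")
        ptype = conf.get("type", "always").lower()
        if path == "builtin_syslog":
            findings.append(
                f"{name}: path 'builtin_syslog' is the pre-3.0 layout; on audit 3.x "
                "use path = /sbin/audisp-syslog and type = always (or omit type)"
            )
        elif ptype == "builtin" and not path.startswith("builtin_"):
            findings.append(
                f"{name}: type = builtin but path {path!r} is a program; "
                "set type = always or remove the type line"
            )
        elif ptype != "builtin" and not path.startswith("/"):
            findings.append(f"{name}: path {path!r} must be an absolute path to the plugin")
        if conf.get("direction", "").lower() != "out":
            findings.append(f"{name}: direction must be 'out' for a dispatcher plugin")
    if len(active) > 1:
        findings.append(
            "more than one plugin is active (" + ", ".join(active) + "); "
            "every active plugin receives every event, so confirm each transport is intended"
        )
    return findings


if __name__ == "__main__":
    for label, plugins in (("as posted", SAMPLE_PLUGINS), ("fixed", FIXED_SYSLOG)):
        print(f"[{label}]")
        for finding in check_plugins(plugins) or ["no findings"]:
            print("  -", finding)
```

To run it against a live host, read each file under /etc/audit/plugins.d into the dictionary instead of the constructed samples; the checker does not need root beyond read access to those files.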

lobsec commented 2 months ago

Hi @stevegrubb and thanks for your prompt reply.

TL;DR As I read on this RedHat KB, I modified the syslog.conf plugin from this

active = yes
direction = out
path = /sbin/audisp-syslog
type = builtin
args = LOG_LOCAL6
format = string

to this

active = yes
direction = out
path = /sbin/audisp-syslog
args = LOG_LOCAL6
format = string

restarted the auditd service, and it works like a charm!