Auditd : Output Logs to Remote Host
2016/07/26
Configure Auditd to output logs to remote host.
This example is based on the environment below.

+----------------------+          |          +----------------------+
|  [ Auditd Server ]   |10.0.0.30 | 10.0.0.51|  [ Auditd Client ]   |
|    dlp.srv.world     +----------+----------+   node01.srv.world   |
|                      |                     |                      |
+----------------------+                     +----------------------+
[1] Configure the Auditd host which receives audit logs from remote hosts.
[root@dlp ~]# vi /etc/audit/auditd.conf
# line 25: uncomment and specify the listening port
tcp_listen_port = 60
[root@dlp ~]# service auditd restart
[2] Configure the Auditd client host which sends audit logs.
[root@node01 ~]# yum -y install audispd-plugins
[root@node01 ~]# vi /etc/audisp/plugins.d/au-remote.conf
# line 6: change to
active = yes
[root@node01 ~]# vi /etc/audisp/audisp-remote.conf
# line 6: remote server to send logs to
remote_server = dlp.srv.world
# line 7: specify the port (the one the remote server is listening on)
port = 60
[root@node01 ~]# vi /etc/audit/auditd.conf
# line 6: change (do not record logs on the local filesystem)
log_format = NOLOG
[root@node01 ~]# service auditd restart
[3] That's all. Audit logs from the remote host are now recorded on the receiver as shown below; the node= field at the start of each record identifies the sending host.
[root@dlp ~]# tail -5 /var/log/audit/audit.log
node=node01.srv.world type=USER_START msg=audit(1456385789.273:101): pid=1141 uid=0 auid=0 ses=1 msg='op=.....
node=node01.srv.world type=USER_END msg=audit(1456385789.278:102): pid=1141 uid=0 auid=0 ses=1 msg='op=PA.....
node=node01.srv.world type=CRED_DISP msg=audit(1456385789.278:103): pid=1141 uid=0 auid=0 ses=1 msg='op=P.....
node=node01.srv.world type=USER_END msg=audit(1456385791.441:104): pid=1120 uid=0 auid=0 ses=1 msg='op=PA.....
node=node01.srv.world type=CRED_DISP msg=audit(1456385791.442:105): pid=1120 uid=0 auid=0 ses=1 msg='op=P.....
[4] If TCP Wrapper is installed on the host receiving audit logs, TCP access control can be applied to Auditd as well.
[root@dlp ~]# vi /etc/audit/auditd.conf
# add to the end
use_libwrap = yes
[root@dlp ~]# service auditd restart
[root@dlp ~]# vi /etc/hosts.deny
# deny all by default
auditd: ALL
[root@dlp ~]# vi /etc/hosts.allow
# set allowed hosts
auditd: 10.0.0.51
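The checks below are an added example and not part of the original page or the audit project: a small set of shell functions a receiver admin can run after steps [1] to [4] to confirm that the listening port and use_libwrap are actually set in auditd.conf, that the client is listed in hosts.allow, and that records carrying the client's node= field are arriving in audit.log (a client that never shows up in the per-node breakdown is not forwarding). The sample auditd.conf, hosts.allow and audit.log contents are constructed from the settings and record shapes shown above, and the function and variable names are this example's own. Note that this setup ships records over plain TCP; the enable_krb5 option in audisp-remote.conf is the plugin's built-in way to add Kerberos authentication and encryption where that is needed.

```shell
#!/bin/sh
# Added example, not part of the original page: post-setup checks for the
# receiver (dlp.srv.world) after steps [1]-[4]. Every function takes file paths
# as arguments, so it can be pointed at the real /etc/audit/auditd.conf,
# /etc/hosts.allow and /var/log/audit/audit.log or, as below, at constructed
# samples written by write_samples.

# Print the value of KEY from a "key = value" file (comment lines ignored),
# or nothing if the key is not set.
audit_conf_value() {   # $1 = key, $2 = file
    awk -F= -v key="$1" '
        /^[[:space:]]*#/ { next }
        { k = $1; gsub(/[[:space:]]/, "", k) }
        k == key { v = $2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", v); print v; exit }
    ' "$2"
}

# Count audit records whose leading node= field names HOST. Records forwarded
# by audisp-remote carry node=; records the receiver generated itself do not.
events_from_node() {   # $1 = host name, $2 = audit.log path
    awk -v want="node=$1" '$1 == want { c++ } END { print c + 0 }' "$2"
}

# Per-origin breakdown, one "<origin> <count>" line each; local records are
# reported as "(local)". A client missing from this list is not forwarding.
events_by_node() {     # $1 = audit.log path
    awk '{ origin = ($1 ~ /^node=/) ? substr($1, 6) : "(local)"; n[origin]++ }
         END { for (o in n) print o, n[o] }' "$1" | sort
}

# 1 if an "auditd:" line in hosts.allow lists IP (or ALL), else 0. Only exact
# addresses and ALL are recognised here; tcpd's network/mask forms are not.
# With use_libwrap = yes and "auditd: ALL" in hosts.deny, a client that is not
# listed is refused at connect time.
client_allowed() {     # $1 = client IP, $2 = hosts.allow path
    awk -v ip="$1" '
        /^[[:space:]]*#/ { next }
        $1 == "auditd:" { for (i = 2; i <= NF; i++) { f = $i; sub(/,$/, "", f)
                                                      if (f == ip || f == "ALL") found = 1 } }
        END { print found + 0 }
    ' "$2"
}

# Constructed sample files (not captured from a real system) mirroring the
# settings made in steps [1], [3] and [4].
write_samples() {      # $1 = directory
    cat > "$1/auditd.conf" <<'EOF'
log_format = RAW
# tcp_listen_port = 60
tcp_listen_port = 60
use_libwrap = yes
EOF
    cat > "$1/hosts.allow" <<'EOF'
# set allowed hosts
auditd: 10.0.0.51
EOF
    # three records forwarded by node01 plus one generated on the receiver
    cat > "$1/audit.log" <<'EOF'
node=node01.srv.world type=USER_START msg=audit(1456385789.273:101): pid=1141 uid=0 auid=0 ses=1 msg='op=PAM:session_open acct="root" res=success'
node=node01.srv.world type=USER_END msg=audit(1456385789.278:102): pid=1141 uid=0 auid=0 ses=1 msg='op=PAM:session_close acct="root" res=success'
node=node01.srv.world type=CRED_DISP msg=audit(1456385789.278:103): pid=1141 uid=0 auid=0 ses=1 msg='op=PAM:setcred acct="root" res=success'
type=SERVICE_START msg=audit(1456385800.000:200): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=auditd res=success'
EOF
}

SAMPLES=$(mktemp -d)
write_samples "$SAMPLES"
echo "tcp_listen_port      : $(audit_conf_value tcp_listen_port "$SAMPLES/auditd.conf")"
echo "use_libwrap          : $(audit_conf_value use_libwrap "$SAMPLES/auditd.conf")"
echo "10.0.0.51 allowed    : $(client_allowed 10.0.0.51 "$SAMPLES/hosts.allow")"
echo "10.0.0.99 allowed    : $(client_allowed 10.0.0.99 "$SAMPLES/hosts.allow")"
echo "records from node01  : $(events_from_node node01.srv.world "$SAMPLES/audit.log")"
events_by_node "$SAMPLES/audit.log"
rm -rf "$SAMPLES"
```

To use it against the live receiver, call the functions with the real paths, for example events_from_node node01.srv.world /var/log/audit/audit.log; a count of 0 after the client's auditd restart points at the plugin not being active, a port mismatch, or a hosts.allow entry that does not cover the client's address.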