On 01/05/2017 05:41 PM, John Jasen wrote:
> I'm currently using audisp with the syslog plugin to send audit logs off
> to a remote server for reduction and archiving, which for the most part,
> works reasonably well.
>
> I understand auditd has its own facility for sending to a remote auditd
> collector, but haven't played with it. I've also considered using
> rsyslog with an imfile directive for /var/log/audit/audit.log.
>
> I'm sure there are options I've not considered -- what are other folks
> doing?
Well, actually my team has gone about this sort of in a similar but
different way.
For years, we've sent all audit data from participant machines to an
auditd collector. All events, including the aggregating machine's, are
in one spot and protected.
That, along with some watchful scripts on the sender's side, and not
allowing the admins on the other machines to have logins on the collector
machine, has been our way of securing against insider threat as much as
possible given the constraints we have.
Then, the usual search tools are used on the standalone audit
aggregator, along with some custom web-based cruft I hacked to allow
read-only searching from within the LAN. This is where improvements are
needed most for my efforts, but I haven't had time to address them.
Now, however, we are sending the aggregated data to an enterprise-level
syslog collector. The version of audit you run dictates if you can do
this easily or if it needs effort.
Steve knows the versions, but each evolution yields something more
helpful than before. My older version (RHEL6.8, audit 2.4.5) means I'm
forced to use the checkpoint search feature, and while inelegant, it
serves the purpose well enough.
IIUC you could do this with the 2.6+ version of audit, using the
"distribute_network" setting. I've been unable to play with that yet
though.
HTH,
LCB
--
Lenny Bruzenak
MagitekLTD
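The forwarding chain Lenny describes, written out as an added configuration example that is not part of the thread: each sender ships its records to the auditd aggregator with audisp-remote, and the aggregator, on audit 2.6 or newer, uses distribute_network to hand the received records to its own syslog plugin so the enterprise syslog collector sees them. The hostname collector.example.com, the spool path and the LOCAL6 facility are placeholders chosen for this example.

```ini
# --- sender: /etc/audisp/plugins.d/au-remote.conf ---
# enable the audisp-remote forwarder plugin
active = yes
direction = out
path = /sbin/audisp-remote
type = always
format = string

# --- sender: /etc/audisp/audisp-remote.conf ---
# collector.example.com is a placeholder for the aggregator
remote_server = collector.example.com
port = 60
transport = tcp
mode = immediate
# spool locally while the aggregator is unreachable instead of dropping records
queue_file = /var/spool/audit/remote.log
# record the outage in syslog rather than silently ignoring it
network_failure_action = syslog
# Kerberos gives mutual authentication and encryption on the wire;
# left off here because it needs keytabs on both ends
enable_krb5 = no

# --- aggregator: /etc/audit/auditd.conf (relevant lines only) ---
tcp_listen_port = 60
# one connection per sender address limits a misbehaving or spoofing host
tcp_max_per_addr = 1
# 2.6+: pass records that arrived over the network to the audisp plugins,
# so the syslog plugin below also sees the senders' events
distribute_network = yes

# --- aggregator: /etc/audisp/plugins.d/syslog.conf ---
# emit every received record to local syslog on facility LOCAL6;
# the local syslog daemon then forwards LOCAL6 to the enterprise collector
active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO LOG_LOCAL6
format = string
```

Records the aggregator generates itself are logged through the syslog plugin regardless of distribute_network; the setting only governs the records it received from senders.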