Auditd : Transfer Logs to Remote Host
2025/01/02

Configure Auditd to transfer logs to a remote host.

+----------------------+          |          +----------------------+
|  [ Auditd Server ]   |10.0.0.30 | 10.0.0.51|  [ Auditd Client ]   |
|    dlp.srv.world     +----------+----------+   node01.srv.world   |
|                      |                     |                      |
+----------------------+                     +----------------------+
[1] Configure the Auditd host that receives audit logs from remote hosts.

[root@dlp ~]# vi /etc/audit/auditd.conf
# line 27 : uncomment and specify the listening port
# (60/tcp is the port registered for the audit service)
tcp_listen_port = 60

[root@dlp ~]# service auditd restart
# [systemctl restart auditd] fails because the unit is marked RefuseManualStop; use the service command instead
[2] If Firewalld is running on the receiving host, allow the audit service (60/tcp).

[root@dlp ~]# firewall-cmd --add-service=audit
success
[root@dlp ~]# firewall-cmd --runtime-to-permanent
success
[3] Configure the Auditd client host that sends audit logs.

[root@node01 ~]# dnf -y install audispd-plugins

[root@node01 ~]# vi /etc/audit/plugins.d/au-remote.conf
# line 6 : change to enable the plugin
active = yes

[root@node01 ~]# vi /etc/audit/audisp-remote.conf
# line 6 : remote host to send logs to
remote_server = dlp.srv.world
# line 7 : specify the port
# ⇒ the one the remote server is listening on
port = 60

[root@node01 ~]# vi /etc/audit/auditd.conf
# line 9 : change
# ⇒ do not record logs on the local filesystem
log_format = NOLOG

[root@node01 ~]# service auditd restart

# Notes:
# auditd.conf(5) documents [log_format = NOLOG] as deprecated; on current audit versions
# [write_logs = no] is the equivalent setting.
# With no local copy, audisp-remote.conf's [network_failure_action] decides what happens
# to records when the receiver is unreachable (the default, ignore, silently drops them).
# The transport is plain TCP with no authentication or encryption unless [enable_krb5 = yes]
# is configured in audisp-remote.conf, so keep the traffic on a trusted network.
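The edits in steps [1] and [3], as an added example that is not part of the original page: a POSIX shell script that applies the same settings with sed instead of hand edits in vi, so the change is idempotent and can be reviewed or re-run. File paths are parameters (on real hosts pass the files under /etc/audit); the demo_dir function builds constructed, minimal stand-ins for the four files in a scratch directory so the functions can be exercised without touching the system. It writes write_logs = no, the current auditd.conf(5) spelling of the page's log_format = NOLOG.

```shell
#!/bin/sh
# Added example (not from the original page): apply steps [1] and [3] with sed.
# set_opt / get_opt / configure_* / demo_dir are names chosen here, not auditd tooling.

# set_opt FILE KEY VALUE: rewrite an existing "KEY = ..." line, whether it is
# commented out (auditd.conf ships "##tcp_listen_port = 60") or active;
# append the line if the key is not present at all.
set_opt() {
    file=$1 key=$2 value=$3
    if grep -Eq "^[#[:space:]]*${key}[[:space:]]*=" "$file"; then
        sed -i -E "s|^[#[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# get_opt FILE KEY: print the effective (uncommented) value of KEY.
get_opt() {
    sed -nE "s|^[[:space:]]*$2[[:space:]]*=[[:space:]]*||p" "$1" | tail -n 1
}

# configure_receiver AUDITD_CONF PORT: step [1] on the receiving host (dlp).
configure_receiver() {
    set_opt "$1" tcp_listen_port "$2"
}

# configure_sender AUDITD_CONF AU_REMOTE_CONF AUDISP_REMOTE_CONF SERVER PORT:
# step [3] on the sending host (node01). write_logs = no replaces the
# deprecated log_format = NOLOG; both stop local writes.
configure_sender() {
    set_opt "$2" active yes
    set_opt "$3" remote_server "$4"
    set_opt "$3" port "$5"
    set_opt "$1" write_logs no
}

# demo_dir: constructed stand-ins for the four files (only the lines that
# matter, not the full distribution files); applies both roles and prints
# the scratch directory so the result can be inspected with get_opt.
demo_dir() {
    d=$(mktemp -d)
    printf '%s\n' 'log_format = ENRICHED' 'write_logs = yes' '##tcp_listen_port = 60' > "$d/auditd.conf"
    cp "$d/auditd.conf" "$d/client-auditd.conf"
    printf '%s\n' 'active = no' 'direction = out' 'path = /sbin/audisp-remote' > "$d/au-remote.conf"
    printf '%s\n' 'remote_server = ' 'port = 60' 'transport = tcp' > "$d/audisp-remote.conf"
    configure_receiver "$d/auditd.conf" 60
    configure_sender "$d/client-auditd.conf" "$d/au-remote.conf" "$d/audisp-remote.conf" dlp.srv.world 60
    echo "$d"
}
```

After running the script against the real files, restart auditd with the service command as in the steps above; get_opt on each file is a quick way to confirm the effective values before doing so.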
[4] That's it. Audit logs from the remote host are recorded on the receiver as follows.

[root@dlp ~]# grep node01 /var/log/audit/audit.log
type=CRED_DISP msg=audit(1735797147.370:138): pid=955 uid=0 auid=0 ses=1 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_unix acct="root" exe="/usr/bin/login" hostname=node01.srv.world addr=? terminal=/dev/ttyS0 res=success'
type=USER_END msg=audit(1735797147.374:140): pid=955 uid=0 auid=0 ses=1 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_umask,pam_lastlog acct="root" exe="/usr/bin/login" hostname=node01.srv.world addr=? terminal=/dev/ttyS0 res=success'
type=USER_AUTH msg=audit(1735797162.030:59): pid=957 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_unix acct="root" exe="/usr/bin/login" hostname=node01.srv.world addr=? terminal=/dev/ttyS0 res=success'
.....
.....
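A check a practitioner would run on the receiver, as an added example that is not part of the original page: instead of eyeballing grep output, summarize USER_AUTH records per sending host and result, count failed authentications, and report the newest record from a given host so a sender that has gone quiet is noticed. The log lines are constructed samples in the format shown above (three records from node01, one from dlp, one of them a failure), not captured data; on a real receiver pass /var/log/audit/audit.log instead of the sample file.

```shell
#!/bin/sh
# Added example (not from the original page). Function names are chosen here.

# write_sample_log: constructed records in the step [4] format; prints the path.
write_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
type=USER_AUTH msg=audit(1735797162.030:59): pid=957 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=pam_unix acct="root" exe="/usr/bin/login" hostname=node01.srv.world addr=? terminal=/dev/ttyS0 res=success'
type=USER_AUTH msg=audit(1735797200.100:60): pid=960 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/bin/login" hostname=node01.srv.world addr=? terminal=/dev/ttyS0 res=failed'
type=USER_AUTH msg=audit(1735797210.500:61): pid=962 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=pam_unix acct="root" exe="/usr/bin/login" hostname=node01.srv.world addr=? terminal=/dev/ttyS0 res=success'
type=USER_AUTH msg=audit(1735797220.000:300): pid=2000 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=pam_unix acct="root" exe="/usr/bin/login" hostname=dlp.srv.world addr=? terminal=/dev/ttyS0 res=success'
EOF
    echo "$f"
}

# auth_summary LOGFILE: for every USER_AUTH record, pull the hostname= and
# res= fields out of the msg='...' payload and print "hostname res count".
# Assumes the sender's default name_format (none); with a name_format set,
# records arrive with a leading "node=..." field and the anchor must move.
auth_summary() {
    awk '/^type=USER_AUTH / {
        host = "?"; res = "?"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^hostname=/) host = substr($i, 10)
            if ($i ~ /^res=/) { res = substr($i, 5); sub(/'\''$/, "", res) }
        }
        n[host " " res]++
    }
    END { for (k in n) print k, n[k] }' "$1" | sort
}

# failed_auth_count LOGFILE HOST: number of failed USER_AUTH records from HOST.
failed_auth_count() {
    auth_summary "$1" | awk -v h="$2" '$1 == h && $2 == "failed" { c += $3 } END { print c + 0 }'
}

# last_seen LOGFILE HOST: epoch seconds of the newest record carrying
# hostname=HOST, taken from the msg=audit(EPOCH.MS:SERIAL) field; 0 if none.
# A value that stops advancing means the sender has stopped delivering.
last_seen() {
    awk -v h="$2" '{
        host = ""
        for (i = 1; i <= NF; i++) if ($i ~ /^hostname=/) host = substr($i, 10)
        if (host != h) next
        split($2, a, /[(:]/)
        if (a[2] + 0 > t) t = a[2] + 0
    }
    END { printf "%d\n", t }' "$1"
}
```

On the sample, auth_summary prints one line per host/result pair, failed_auth_count for node01.srv.world is 1, and last_seen for node01.srv.world is 1735797210; compare that against the current time on a real receiver to spot a sender whose records have stopped arriving.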