Auditd : Transfer Logs to Remote Host

Configure Auditd to transfer logs to a remote host.
This example is based on the following environment.

+----------------------+          |          +----------------------+
|  [ Auditd Server ]   |10.0.0.30 | 10.0.0.51|  [ Auditd Client ]   |
|    dlp.srv.world     +----------+----------+   node01.srv.world   |
|                      |                     |                      |
+----------------------+                     +----------------------+
[1] Configure the Auditd host that receives audit logs from remote hosts.

[root@dlp ~]# vi /etc/audit/auditd.conf
# line 27 : uncomment and specify the listening port
tcp_listen_port = 60

[root@dlp ~]# service auditd restart
# [systemctl restart auditd] fails because of a dependency, so use [service] instead
[2] If Firewalld is running on the audit receiver host, allow the audit service.

[root@dlp ~]# firewall-cmd --add-service=audit
success
[root@dlp ~]# firewall-cmd --runtime-to-permanent
success
[3] Configure the Auditd client host that sends audit logs.

[root@node01 ~]# dnf -y install audispd-plugins

[root@node01 ~]# vi /etc/audit/plugins.d/au-remote.conf
# line 6 : change
active = yes

[root@node01 ~]# vi /etc/audit/audisp-remote.conf
# line 6 : remote host to send logs to
remote_server = dlp.srv.world
# line 7 : specify the port the remote server is listening on
port = 60

[root@node01 ~]# vi /etc/audit/auditd.conf
# line 9 : change
# ⇒ do not record logs on the local filesystem
log_format = NOLOG

[root@node01 ~]# service auditd restart
[4] That's it. Audit logs from the remote host are now recorded on the server as follows.

[root@dlp ~]# grep node01 /var/log/audit/audit.log
type=SOFTWARE_UPDATE msg=audit(1646975987.725:149): pid=1561 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=install sw="apr-1.7.0-11.el9.x86_64" sw_type=rpm key_enforce=0 gpg_res=1 root_dir="/" comm="dnf" exe="/usr/bin/python3.9" hostname=node01.srv.world addr=? terminal=ttyS0 res=success'
type=SOFTWARE_UPDATE msg=audit(1646975987.725:150): pid=1561 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=install sw="apr-util-bdb-1.6.1-20.el9.x86_64" sw_type=rpm key_enforce=0 gpg_res=1 root_dir="/" comm="dnf" exe="/usr/bin/python3.9" hostname=node01.srv.world addr=? terminal=ttyS0 res=success'
type=SOFTWARE_UPDATE msg=audit(1646975987.725:151): pid=1561 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=install sw="apr-util-openssl-1.6.1-20.el9.x86_64" sw_type=rpm key_enforce=0 gpg_res=1 root_dir="/" comm="dnf" exe="/usr/bin/python3.9" hostname=node01.srv.world addr=? terminal=ttyS0 res=success'
.....
.....
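As an added example (not part of the tutorial), a small Python parser for the records shown above: it splits the key=value fields, including those nested inside msg='...', and summarizes which hosts delivered events and when. Because the client runs with log_format = NOLOG, a client that goes quiet means its events are being lost rather than buffered locally, so the last-seen check below is the one worth alerting on. The sample records are constructed, modelled on the SOFTWARE_UPDATE lines above.

```python
import re
from collections import defaultdict

# Constructed sample: two records delivered by node01 plus one local record (hostname=?).
SAMPLE_LOG = """\
type=SOFTWARE_UPDATE msg=audit(1646975987.725:149): pid=1561 uid=0 auid=0 ses=1 msg='op=install sw="apr-1.7.0-11.el9.x86_64" sw_type=rpm key_enforce=0 gpg_res=1 root_dir="/" comm="dnf" exe="/usr/bin/python3.9" hostname=node01.srv.world addr=? terminal=ttyS0 res=success'
type=SOFTWARE_UPDATE msg=audit(1646975990.100:150): pid=1561 uid=0 auid=0 ses=1 msg='op=install sw="apr-util-bdb-1.6.1-20.el9.x86_64" sw_type=rpm key_enforce=0 gpg_res=0 root_dir="/" comm="dnf" exe="/usr/bin/python3.9" hostname=node01.srv.world addr=? terminal=ttyS0 res=success'
type=SERVICE_START msg=audit(1646976000.000:151): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=auditd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
"""

# Record header: type=<TYPE> msg=audit(<secs>.<ms>:<serial>): <fields...>
HEADER_RE = re.compile(r"^type=(\S+) msg=audit\((\d+)\.(\d+):(\d+)\):(.*)$")
# One key=value field; the value may be double-quoted, single-quoted, or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\'[^\']*\'|\S+)')

def parse_record(line):
    """Return a dict for one audit record, merging fields from the nested msg='...' payload."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group(1), "time": float(f"{m.group(2)}.{m.group(3)}"), "serial": int(m.group(4))}
    for key, val in KV_RE.findall(m.group(5)):
        if key == "msg":
            # The quoted payload carries its own key=value pairs (hostname, comm, res, ...).
            for k2, v2 in KV_RE.findall(val[1:-1]):
                rec[k2] = v2.strip('"')
        else:
            rec[key] = val.strip('"')
    return rec

def summarize_by_host(log_text):
    """Map each sending hostname to (event count, time of its latest event); '?' is local/unknown."""
    summary = defaultdict(lambda: [0, 0.0])
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        host = rec.get("hostname", "?")
        summary[host][0] += 1
        summary[host][1] = max(summary[host][1], rec["time"])
    return {h: tuple(v) for h, v in summary.items()}

def silent_hosts(summary, now, max_gap_seconds):
    """Remote hosts whose latest event is older than max_gap_seconds: a delivery gap to alert on."""
    return sorted(h for h, (_, last) in summary.items() if h != "?" and now - last > max_gap_seconds)
```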