* Centralized Logging question #2
@ 2016-04-28 19:55 Warron S French
  2016-04-29 19:35 ` Steve Grubb
  0 siblings, 1 reply; 3+ messages in thread
From: Warron S French @ 2016-04-28 19:55 UTC (permalink / raw)
  To: linux-audit@redhat.com


If I centralize audit logging through rsyslog, and I have each of the remote machines' /etc/rsyslog.conf use the same generic audit.log file name instead of customizing the audit logs with something like HOSTNAME-audit.log, because ausearch apparently only looks for a file specifically of the format audit.log...

Will the log data submitted from the various hosts be consolidated into a single file? Will the ausearch command then be usable with the -if argument?





Warron French, MBA, SCSA



* Re: Centralized Logging question #2
  2016-04-28 19:55 Centralized Logging question #2 Warron S French
@ 2016-04-29 19:35 ` Steve Grubb
  2016-04-29 20:05   ` F Rafi
  0 siblings, 1 reply; 3+ messages in thread
From: Steve Grubb @ 2016-04-29 19:35 UTC (permalink / raw)
  To: linux-audit

On Thursday, April 28, 2016 07:55:13 PM Warron S French wrote:
> If I centralize audit logging through rsyslog, and I have each of the remote
> machines' /etc/rsyslog.conf to use the same generic audit.log file name
> instead of customizing the audit logs with something like;
> HOSTNAME-audit.log, because ausearch apparently only looks for a file
> specifically of the format audit.log...

People who use rsyslog as the centralizing tool are likely to be using 
something else like splunk or other tools to do audit reporting and review.


> Will the log-data submitted from the various hosts be consolidated into a
> single file? 

Through the native audit tools, yes. Through other tools...I don't know. There 
are a variety of ways central logging can be done. I'm surprised no one has 
chimed in to offer an alternate.


> Will the ausearch command then be usable with the -if argument?

Once rsyslog gets the audit event, it adds its own data to the record. That 
messes up the audit tool's parsers.

-Steve

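The two points above (the original question about pointing ausearch -if at a centralized file, and the reply that rsyslog prepends its own header to each record and so breaks the audit tools' parsers) can be seen concretely with a small normalizer. This is an added example, not code from the thread or from the audit or rsyslog projects. It assumes rsyslog writes the relayed records in the classic RFC 3164 layout (timestamp, hostname, program tag, then the audit payload) and that the payload is the unmodified auditd record; the sample lines are constructed for the example. Records that already carry auditd's own node= field (what auditd emits with name_format set to a host name) are kept as-is; records without it get node=<syslog hostname> prepended so that ausearch --node can still tell the hosts apart once all of them share one file.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of what lands on the central rsyslog host.  Lines 1 and 2
# wear the syslog header rsyslog adds; line 3 is a raw record copied straight
# from a local /var/log/audit/audit.log for comparison.  All values are made up.
SAMPLE_LINES = [
    "Apr 29 15:35:13 web01 audispd: node=web01 type=SYSCALL msg=audit(1461944113.240:8123): "
    "arch=c000003e syscall=59 success=yes exit=0 comm=\"id\" exe=\"/usr/bin/id\" key=\"exec\"",
    "Apr 29 15:35:13 db02 audispd: type=USER_LOGIN msg=audit(1461944113.991:4410): pid=2214 uid=0 "
    "auid=1000 ses=7 msg='op=login id=1000 exe=\"/usr/sbin/sshd\" hostname=? addr=10.0.0.5 "
    "terminal=/dev/pts/0 res=success'",
    "type=CRED_ACQ msg=audit(1461944114.100:4411): pid=2214 uid=0 auid=1000 ses=7 "
    "msg='op=PAM:setcred acct=\"alice\" exe=\"/usr/sbin/sshd\" res=success'",
]

# RFC 3164 style header as rsyslog writes it with its default file template
# (assumed layout): "Mon DD HH:MM:SS host tag[pid]: payload".
SYSLOG_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "   # syslog timestamp
    r"(?P<host>\S+) "                                    # hostname of the sender
    r"(?P<tag>[^:\s\[]+)(?:\[\d+\])?: "                 # program tag, optional [pid]
    r"(?P<payload>.*)$"
)

# Shape of a native audit record: optional node=, then type= and msg=audit(ts:serial).
AUDIT_RECORD = re.compile(
    r"^(?:node=(?P<node>\S+) )?type=(?P<type>\S+) "
    r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): ?(?P<body>.*)$"
)


def strip_syslog_header(line: str) -> Optional[str]:
    """Return the bare audit record hidden inside a relayed syslog line.

    Returns None for lines that are not audit records (other syslog traffic
    that happens to share the file).  Unwrapped lines are passed through.
    """
    m = SYSLOG_HEADER.match(line.rstrip("\n"))
    if m is None:
        payload, host = line.rstrip("\n"), None
    else:
        payload, host = m.group("payload"), m.group("host")
    if not (payload.startswith("type=") or payload.startswith("node=")):
        return None
    # Preserve the origin host in the field ausearch understands (node=),
    # taking it from the syslog header when auditd did not stamp it itself.
    if payload.startswith("type=") and host is not None:
        payload = f"node={host} {payload}"
    return payload


def normalize_stream(lines: List[str]) -> List[str]:
    """Turn relayed syslog lines into records ausearch -if can parse."""
    out = []
    for line in lines:
        rec = strip_syslog_header(line)
        if rec is not None:
            out.append(rec)
    return out


def parse_record(record: str) -> Dict[str, Optional[str]]:
    """Split a native audit record into its header fields (node may be None)."""
    m = AUDIT_RECORD.match(record)
    if m is None:
        raise ValueError(f"not an audit record: {record[:60]!r}")
    return m.groupdict()


if __name__ == "__main__":
    # Written out, this file is in the layout ausearch expects, e.g.
    #   ausearch -if normalized-audit.log --node db02 -m USER_LOGIN
    for rec in normalize_stream(SAMPLE_LINES):
        fields = parse_record(rec)
        print(f"{fields['node'] or '?':>6} {fields['type']:<11} serial={fields['serial']}")
        print("  ", rec)
```

The check that matters is the negative one: a record still wearing the syslog header fails AUDIT_RECORD, which is the parse failure the reply describes, and only the stripped form matches. Records that arrive without node= and without a syslog header (the third sample) come out with no host at all, so the hostname has to be carried somewhere before the records from several machines are merged, either by auditd's name_format or by the syslog header this script turns into node=.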

* Re: Centralized Logging question #2
  2016-04-29 19:35 ` Steve Grubb
@ 2016-04-29 20:05   ` F Rafi
  0 siblings, 0 replies; 3+ messages in thread
From: F Rafi @ 2016-04-29 20:05 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit@redhat.com


We're syslogging to a hosted search provider (somewhat like Splunk). They
don't currently support automatic auditd log parsing. However, we have
written custom scheduled alerts based on the syscalls we're logging.

I believe someone also posted a Splunk auditd app a while back.

https://splunkbase.splunk.com/app/2642/

-Farhan

