From: Warron S French
Subject: Centralized Logging question #2
Date: Thu, 28 Apr 2016 19:55:13 +0000
To: linux-audit@redhat.com

If I centralize audit logging through rsyslog, and I have each of the remote machines' /etc/rsyslog.conf to use the same generic audit.log file name instead of customizing the audit logs with something like; HOSTNAME-audit.log, because ausearch apparently only looks for a file specifically of the format audit.log...

Will the log-data submitted from the various hosts be consolidated into a single file? Will the ausearch command then be usable with the -if argument?
Warron French, MBA, SCSA

From: Steve Grubb
Subject: Re: Centralized Logging question #2
Date: Fri, 29 Apr 2016 15:35:19 -0400
To: linux-audit@redhat.com

On Thursday, April 28, 2016 07:55:13 PM Warron S French wrote:
> If I centralize audit logging through rsyslog, and I have each of the remote
> machines' /etc/rsyslog.conf to use the same generic audit.log file name
> instead of customizing the audit logs with something like;
> HOSTNAME-audit.log, because ausearch apparently only looks for a file
> specifically of the format audit.log...

People who use rsyslog as the centralizing tool are likely to be using
something else like splunk or other tools to do audit reporting and review.

> Will the log-data submitted from the various hosts be consolidated into a
> single file?

Through the native audit tools, yes. Through other tools...I don't know. There
are a variety of ways central logging can be done. I'm surprised no one has
chimed in to offer an alternate.

> Will the ausearch command then be usable with the -if argument?

Once rsyslog gets the audit event, it adds its own data to the record. That
messes up the audit tool's parsers.

-Steve

From: F Rafi
Subject: Re: Centralized Logging question #2
Date: Fri, 29 Apr 2016 16:05:32 -0400
To: Steve Grubb
Cc: linux-audit@redhat.com

We're syslogging to a hosted search provider (somewhat like Splunk). They don't currently support automatic auditd log parsing. However, we have written custom scheduled alerts based on the syscalls we're logging.

I believe someone also posted a Splunk auditd app a while back.
https://splunkbase.splunk.com/app/2642/

-Farhan

On Fri, Apr 29, 2016 at 3:35 PM, Steve Grubb wrote:
> On Thursday, April 28, 2016 07:55:13 PM Warron S French wrote:
> > If I centralize audit logging through rsyslog, and I have each of the remote
> > machines' /etc/rsyslog.conf to use the same generic audit.log file name
> > instead of customizing the audit logs with something like;
> > HOSTNAME-audit.log, because ausearch apparently only looks for a file
> > specifically of the format audit.log...
>
> People who use rsyslog as the centralizing tool are likely to be using
> something else like splunk or other tools to do audit reporting and review.
>
> > Will the log-data submitted from the various hosts be consolidated into a
> > single file?
>
> Through the native audit tools, yes. Through other tools...I don't know. There
> are a variety of ways central logging can be done. I'm surprised no one has
> chimed in to offer an alternate.
>
> > Will the ausearch command then be usable with the -if argument?
>
> Once rsyslog gets the audit event, it adds its own data to the record. That
> messes up the audit tool's parsers.
>
> -Steve
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
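Steve's point is that the header rsyslog wraps around each record is what breaks ausearch, and Farhan's workaround is to alert on the syscalls directly in the central store. The script below is an added example written for this thread; it is not code from any of the posters or from the audit project. It strips rsyslog's traditional-format prefix, splits records back out per originating host into a native-format audit.log that ausearch -if can read, and runs a small keyed-SYSCALL check of the scheduled-alert kind Farhan describes. The regex assumes rsyslog's default file template and the audispd syslog tag; the hostnames, serials and events are constructed sample data.

```python
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# Constructed sample input (not real logs): audit records as they arrive at a
# central rsyslog server. rsyslog's traditional file format prepends a
# timestamp, the originating hostname and the syslog tag ("audispd:") to each
# record; that prefix is the extra data that ausearch's parser cannot handle.
SAMPLE_SYSLOG_LINES = [
    'Apr 28 15:55:17 web01 audispd: type=SYSCALL msg=audit(1461873317.123:4021): '
    'arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1234 auid=1000 uid=1000 '
    'euid=0 tty=pts0 ses=3 comm="sudo" exe="/usr/bin/sudo" key="priv-escalation"',
    'Apr 28 15:55:17 web01 audispd: type=EXECVE msg=audit(1461873317.123:4021): '
    'argc=2 a0="sudo" a1="-i"',
    'Apr 28 15:55:18 db02 audispd: type=USER_LOGIN msg=audit(1461873318.456:77): '
    'pid=2222 uid=0 auid=1001 ses=5 '
    'msg=\'op=login id=1001 exe="/usr/sbin/sshd" addr=10.0.0.5 res=success\'',
    'Apr 28 15:55:19 db02 sshd[2222]: Accepted publickey for alice from 10.0.0.5',
]

# Traditional rsyslog line: "<Mon DD HH:MM:SS> <host> <tag>: <raw audit record>".
# Assumes the default template; an RFC 5424 template would need another regex.
SYSLOG_PREFIX = re.compile(
    r'^[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+'
    r'(?P<host>\S+)\s+\S+:\s+'
    r'(?P<record>type=\S+\s+msg=audit\(\d+\.\d+:\d+\):.*)$'
)
# Header shared by every native audit record: type=... msg=audit(ts:serial): fields
AUDIT_HEADER = re.compile(
    r'^type=(?P<type>\S+)\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$'
)
# key=value fields; values may be double-quoted, single-quoted (the nested
# msg='...' of user-space records) or bare tokens.
FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\'[^\']*\'|\S+)')


def strip_syslog_prefix(line):
    """Return (host, raw_audit_record), or None when the line is not an audit record."""
    m = SYSLOG_PREFIX.match(line)
    return (m.group('host'), m.group('record')) if m else None


def demultiplex(lines):
    """Group raw audit records by originating host, preserving arrival order."""
    by_host = defaultdict(list)
    for line in lines:
        hit = strip_syslog_prefix(line)
        if hit:
            host, record = hit
            by_host[host].append(record)
    return dict(by_host)


def parse_record(raw):
    """Split a raw audit record into its type, event serial and key=value fields."""
    m = AUDIT_HEADER.match(raw)
    if not m:
        raise ValueError('not an audit record: %r' % raw)
    fields = {}
    for key, value in FIELD.findall(m.group('rest')):
        if len(value) >= 2 and value[0] == value[-1] and value[0] in '"\'':
            value = value[1:-1]          # drop surrounding quotes
        fields[key] = value
    return {'type': m.group('type'), 'timestamp': float(m.group('ts')),
            'serial': int(m.group('serial')), 'fields': fields}


def alert_on_key(lines, watch_key):
    """Scheduled-alert style check: SYSCALL records carrying a given audit rule key."""
    hits = []
    for host, records in demultiplex(lines).items():
        for raw in records:
            ev = parse_record(raw)
            if ev['type'] == 'SYSCALL' and ev['fields'].get('key') == watch_key:
                hits.append((host, ev['serial'], ev['fields'].get('exe')))
    return hits


def write_raw_audit_logs(lines, out_dir):
    """Write one <out_dir>/<host>/audit.log per host, in native format for ausearch -if."""
    paths = {}
    for host, records in demultiplex(lines).items():
        log = Path(out_dir) / host / 'audit.log'
        log.parent.mkdir(parents=True, exist_ok=True)
        log.write_text('\n'.join(records) + '\n')
        paths[host] = log
    return paths


if __name__ == '__main__':
    with tempfile.TemporaryDirectory() as tmp:
        for host, path in write_raw_audit_logs(SAMPLE_SYSLOG_LINES, tmp).items():
            print('%s: %d records -> ausearch -if %s' % (host, path.read_text().count('\n'), path))
    print('alerts:', alert_on_key(SAMPLE_SYSLOG_LINES, 'priv-escalation'))
```

Keeping one audit.log per host rather than one shared file preserves the "audit.log" name ausearch expects while avoiding interleaved serial numbers from different machines, which would otherwise be grouped into the same event by the native tools.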