CentOS 7
Auditd : Output Logs to Remote Host
2016/02/21
 
Configure Auditd to send its logs to a remote host.
This example is based on the environment below.
+----------------------+          |          +----------------------+
| [  Auditd Server   ] |10.0.0.30 | 10.0.0.51| [  Auditd Client   ] |
|     dlp.srv.world    +----------+----------+   node01.srv.world   |
|                      |                     |                      |
+----------------------+                     +----------------------+

[1] Configure the Auditd host that receives audit logs from remote hosts.
[root@dlp ~]#
vi /etc/audit/auditd.conf
# line 25: uncomment and specify the listening port

tcp_listen_port = 60
[root@dlp ~]#
service auditd restart
[2] Configure the Auditd client host that sends audit logs.
[root@node01 ~]#
yum -y install audispd-plugins
[root@node01 ~]#
vi /etc/audisp/plugins.d/au-remote.conf
# line 6: enable the remote plugin

active = yes
[root@node01 ~]#
vi /etc/audisp/audisp-remote.conf
# line 6: remote server to send logs to

remote_server = dlp.srv.world
# line 7: specify the port the remote server is listening on

port = 60
[root@node01 ~]#
vi /etc/audit/auditd.conf
# line 6: do not record logs on the local filesystem

log_format = NOLOG
[root@node01 ~]#
service auditd restart
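The receiver and the client must agree on the port, and the client plugin must actually be active, or nothing arrives and (with log_format = NOLOG) nothing is kept locally either. The script below is an added example, not part of the original page: it reads the relevant keys from auditd-style config files and checks them for consistency. It runs against constructed copies of the files in a temporary directory; on real hosts, point it at /etc/audit/auditd.conf on the receiver and /etc/audisp/plugins.d/au-remote.conf and /etc/audisp/audisp-remote.conf on the client. The function and file names are the example's own.

```shell
#!/bin/bash
# Added example (not from the page): check that the auditd receiver and the
# audisp-remote client agree on port, and that the client plugin is enabled.

# Read "key = value" from an auditd-style config, skipping comment lines.
conf_get() {
    # $1 = config file, $2 = key
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        {
            split($0, kv, "=")
            gsub(/^[ \t]+|[ \t]+$/, "", kv[1])
            if (kv[1] == key) {
                sub(/^[^=]*=[ \t]*/, "")
                sub(/[ \t]+$/, "")
                print
                exit
            }
        }' "$1"
}

# Compare receiver and client settings; print each problem, return 1 if any.
check_remote_audit() {
    # $1 = receiver auditd.conf, $2 = client au-remote.conf, $3 = client audisp-remote.conf
    errors=0
    listen_port=$(conf_get "$1" tcp_listen_port)
    active=$(conf_get "$2" active)
    remote=$(conf_get "$3" remote_server)
    client_port=$(conf_get "$3" port)

    [ -n "$listen_port" ] || { echo "receiver: tcp_listen_port is not set"; errors=$((errors + 1)); }
    [ "$active" = "yes" ] || { echo "client: au-remote plugin is not active"; errors=$((errors + 1)); }
    [ -n "$remote" ] || { echo "client: remote_server is not set"; errors=$((errors + 1)); }
    if [ -n "$listen_port" ] && [ "$listen_port" != "$client_port" ]; then
        echo "port mismatch: receiver listens on $listen_port, client sends to ${client_port:-unset}"
        errors=$((errors + 1))
    fi
    [ "$errors" -eq 0 ]
}

# Constructed sample files mirroring the settings made in steps [1] and [2].
make_sample_configs() {
    # $1 = directory to write into
    printf 'log_format = RAW\ntcp_listen_port = 60\n' > "$1/server-auditd.conf"
    printf '# line 6: enable the remote plugin\nactive = yes\n' > "$1/au-remote.conf"
    printf 'remote_server = dlp.srv.world\nport = 60\n' > "$1/audisp-remote.conf"
}

# Demo on the constructed files (replace the paths with the real ones on each host).
demo_dir=$(mktemp -d)
make_sample_configs "$demo_dir"
if check_remote_audit "$demo_dir/server-auditd.conf" "$demo_dir/au-remote.conf" "$demo_dir/audisp-remote.conf"; then
    echo "receiver and client configuration are consistent"
fi
rm -rf "$demo_dir"
```

After restarting auditd on the receiver, confirm the listener is up with `ss -ltn` before relying on the client side; and since NOLOG leaves the client with no local copy, what happens when the receiver is unreachable is governed by the network_failure_action setting in audisp-remote.conf, which is worth reviewing deliberately rather than left at its default.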

[3] Audit logs from the remote host are now recorded on the receiver as follows.
[root@dlp ~]#
tail -5 /var/log/audit/audit.log

node=node01.srv.world type=USER_START msg=audit(1456385789.273:101): pid=1141 uid=0 auid=0 ses=1 msg='op=.....
node=node01.srv.world type=USER_END msg=audit(1456385789.278:102): pid=1141 uid=0 auid=0 ses=1 msg='op=PA.....
node=node01.srv.world type=CRED_DISP msg=audit(1456385789.278:103): pid=1141 uid=0 auid=0 ses=1 msg='op=P.....
node=node01.srv.world type=USER_END msg=audit(1456385791.441:104): pid=1120 uid=0 auid=0 ses=1 msg='op=PA.....
node=node01.srv.world type=CRED_DISP msg=audit(1456385791.442:105): pid=1120 uid=0 auid=0 ses=1 msg='op=P.....
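Every forwarded record carries a node= prefix and a per-client serial number in msg=audit(TIME:SERIAL), so the receiver's log can be summarised per client and checked for missing records. The script below is an added example, not part of the original page: it counts events by node and type, and flags jumps in each node's serial sequence, which is the quickest sign that events were dropped in transit or from a full queue, something that matters here because the client keeps no local copy. The sample log is constructed in the format shown above (with one serial deliberately missing); on the receiver, feed the functions /var/log/audit/audit.log instead. Function names are the example's own.

```shell
#!/bin/bash
# Added example (not from the page): summarise a remote audit log by node and
# type and detect gaps in per-node serial numbers.

# Constructed sample in the format shown above. node01 jumps from serial 103
# to 105 on purpose so the gap check has something to find.
sample_log() {
cat <<'EOF'
node=node01.srv.world type=USER_START msg=audit(1456385789.273:101): pid=1141 uid=0 auid=0 ses=1 msg='op=PAM:session_open acct="root" exe="/usr/sbin/sshd" res=success'
node=node01.srv.world type=USER_END msg=audit(1456385789.278:102): pid=1141 uid=0 auid=0 ses=1 msg='op=PAM:session_close acct="root" exe="/usr/sbin/sshd" res=success'
node=node01.srv.world type=CRED_DISP msg=audit(1456385789.278:103): pid=1141 uid=0 auid=0 ses=1 msg='op=PAM:setcred acct="root" exe="/usr/sbin/sshd" res=success'
node=node01.srv.world type=USER_END msg=audit(1456385791.441:105): pid=1120 uid=0 auid=0 ses=1 msg='op=PAM:session_close acct="root" exe="/usr/sbin/sshd" res=success'
node=node01.srv.world type=CRED_DISP msg=audit(1456385791.442:106): pid=1120 uid=0 auid=0 ses=1 msg='op=PAM:setcred acct="root" exe="/usr/sbin/sshd" res=success'
node=node02.srv.world type=USER_LOGIN msg=audit(1456385800.100:57): pid=2201 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe="/usr/sbin/sshd" res=failed'
EOF
}

# Count events per node and record type. Reads stdin, prints "node type count".
count_by_node_type() {
    awk '{
        node = ""; type = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^node=/) node = substr($i, 6)
            else if ($i ~ /^type=/) type = substr($i, 6)
        }
        if (node != "" && type != "") c[node " " type]++
    }
    END { for (k in c) print k, c[k] }' | sort
}

# Report gaps in each node's serial sequence (the N in audit(T:N)). Reads stdin,
# prints "node expected_serial found_serial" per gap; exits 1 if any gap was seen.
serial_gaps() {
    awk '{
        node = ""; serial = -1
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^node=/) node = substr($i, 6)
            else if ($i ~ /^msg=audit\(/) {
                s = $i
                sub(/^msg=audit\([0-9.]+:/, "", s)
                sub(/\).*$/, "", s)
                serial = s + 0
            }
        }
        if (node == "" || serial < 0) next
        if (node in last && serial > last[node] + 1) {
            print node, last[node] + 1, serial
            gaps++
        }
        last[node] = serial
    }
    END { exit (gaps > 0 ? 1 : 0) }'
}

# Demo on the constructed sample. On the receiver use, for example:
#   count_by_node_type < /var/log/audit/audit.log
sample_log | count_by_node_type
sample_log | serial_gaps || echo "serial gap detected: possible lost events"
```

Serial numbers are assigned by each client's kernel, so the comparison is only meaningful per node, which is why the check keys on the node= field. For ad-hoc queries by client, ausearch's --node option filters on the same field.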
[4] If TCP Wrappers are installed on the host that receives the audit logs, TCP access control can be applied to Auditd as well.
[root@dlp ~]#
vi /etc/audit/auditd.conf
# add to the end

use_libwrap = yes
[root@dlp ~]#
service auditd restart
[root@dlp ~]#
vi /etc/hosts.deny
# deny all by default

auditd: ALL
[root@dlp ~]#
vi /etc/hosts.allow
# set allowed hosts

auditd: 10.0.0.51
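libwrap consults hosts.allow first, then hosts.deny, and allows anything neither file matches, so the deny-all entry above only protects the receiver while hosts.allow lists exactly the intended clients. The script below is an added example, not part of the original page: it evaluates a daemon/client pair against the two files in that order so the rules can be checked before they are relied on. It handles the ALL wildcard, exact addresses and the trailing-dot network prefix form (e.g. 10.0.0.), not the EXCEPT operator or netmask syntax. It runs against constructed copies of the files in a temporary directory; pass /etc as the directory to evaluate the real ones. Function names are the example's own.

```shell
#!/bin/bash
# Added example (not from the page): evaluate hosts.allow / hosts.deny for a
# daemon and client address in libwrap order (allow, then deny, else allow).

# Return 0 if any rule in file $1 matches daemon $2 and client address $3.
wrap_match() {
    awk -v daemon="$2" -v ip="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            n = split($0, f, ":")
            if (n < 2) next
            gsub(/[ \t]/, "", f[1]); gsub(/[ \t]/, "", f[2])
            # daemon list: "ALL" or a comma-separated list of daemon names
            d = split(f[1], daemons, ",")
            dm = 0
            for (j = 1; j <= d; j++) if (daemons[j] == "ALL" || daemons[j] == daemon) dm = 1
            if (!dm) next
            m = split(f[2], clients, ",")
            for (i = 1; i <= m; i++) {
                c = clients[i]
                if (c == "ALL" || c == ip) { found = 1; exit }
                # trailing-dot form matches a network prefix, e.g. "10.0.0."
                if (c ~ /\.$/ && index(ip, c) == 1) { found = 1; exit }
            }
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# Print "allow" or "deny" for daemon $2 from address $3, using $1/hosts.allow
# and $1/hosts.deny; returns 0 for allow, 1 for deny.
wrap_decision() {
    if [ -f "$1/hosts.allow" ] && wrap_match "$1/hosts.allow" "$2" "$3"; then
        echo allow; return 0
    fi
    if [ -f "$1/hosts.deny" ] && wrap_match "$1/hosts.deny" "$2" "$3"; then
        echo deny; return 1
    fi
    echo allow; return 0
}

# Constructed copies of the rules set in step [4].
make_sample_wrappers() {
    # $1 = directory to write into
    printf '# deny all by default\nauditd: ALL\n' > "$1/hosts.deny"
    printf '# set allowed hosts\nauditd: 10.0.0.51\n' > "$1/hosts.allow"
}

# Demo on the constructed files; use "/etc" as the directory for the live rules.
demo_dir=$(mktemp -d)
make_sample_wrappers "$demo_dir"
for client in 10.0.0.51 10.0.0.99; do
    printf 'auditd from %s: %s\n' "$client" "$(wrap_decision "$demo_dir" auditd "$client")"
done
rm -rf "$demo_dir"
```

Note that a rule naming ALL in hosts.allow would override the deny-all entry for every client, so when reviewing a receiver, check hosts.allow for the auditd line as carefully as hosts.deny.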