CENTOS-RHEL

To forward auditd audit logs to a remote log collector with rsyslog

Install the rsyslog package if it is not already installed:

yum -y install rsyslog

Checking rsyslog.conf

Open the rsyslog.conf file at /etc/rsyslog.conf with the following command:

vim /etc/rsyslog.conf

At the end of the file, check for the following line and uncomment it if it is commented out (it pulls in every file under /etc/rsyslog.d/, including the one created in the next step):

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

Save and Quit the configuration file.

Create the log configuration for the audit logs with vim /etc/rsyslog.d/auditlog.conf and paste the following lines:

# Load the file-input module that tails plain text log files
$ModLoad imfile

# auditd audit.log
$InputFileName /var/log/audit/audit.log   # path of the log file to follow
$InputFileTag tag_audit_log:              # tag prepended to every forwarded line
$InputFileStateFile audit_log             # state file (kept under $WorkDirectory) recording the read offset
$InputFileSeverity info
$InputFileFacility local6                 # facility used to select these messages in the rule below
$InputFilePollInterval 1                  # check the file for new lines every second
$InputFilePersistStateInterval 1          # write the state file after every line read
$InputRunFileMonitor

# Disk-assisted queue so audit events survive a collector outage or a local restart
$WorkDirectory /var/lib/rsyslog           # where spool and state files are written
$ActionQueueFileName fwdRule1             # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g               # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on             # save messages to disk on shutdown
$ActionQueueType LinkedList               # run asynchronously
$ActionResumeRetryCount -1                # infinite retries if host is down

# Forward everything with facility local6 to the collector
# (a single @ sends over UDP; @@ would send over TCP)
local6.* @<Log Collector IP>:514

Save and Quit the configuration file.

Restart the rsyslog service:

service rsyslog restart
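As an added pre-flight check that is not part of the original page, the following POSIX shell script inspects the auditlog.conf created above before rsyslog is restarted: it confirms that the directives the forwarding depends on are present and that the <Log Collector IP> placeholder has been replaced. The write_sample_conf helper and the 192.0.2.10 address are constructed for the demonstration only.

```shell
#!/bin/sh
# Pre-flight check for /etc/rsyslog.d/auditlog.conf (added example, not from the page).
# Needs no rsyslog install; exit 0 = required directives present, placeholder replaced.
check_auditlog_conf() {
    conf="$1"; rc=0
    for directive in '$ModLoad imfile' \
                     '$InputFileName /var/log/audit/audit.log' \
                     '$InputFileFacility local6' \
                     '$InputRunFileMonitor' \
                     '$WorkDirectory /var/lib/rsyslog' \
                     '$ActionQueueSaveOnShutdown on'; do
        if ! grep -qF -e "$directive" "$conf"; then
            echo "missing: $directive"; rc=1
        fi
    done
    # The forwarding rule must carry a real collector address, not the placeholder.
    if grep -q '<Log Collector IP>' "$conf"; then
        echo "placeholder <Log Collector IP> has not been replaced"; rc=1
    fi
    # local6.* must be sent to host:port (a single @ is UDP, @@ would be TCP).
    if ! grep -Eq '^local6\.\*[[:space:]]+@@?[^[:space:]]+:[0-9]+' "$conf"; then
        echo "no local6.* forwarding rule of the form @host:port found"; rc=1
    fi
    return "$rc"
}
# Hypothetical helper: writes an abridged copy of the page's auditlog.conf to $1
# with $2 as the collector address (constructed sample for the demonstration).
write_sample_conf() {
    sed "s/COLLECTOR/$2/" > "$1" <<'EOF'
$ModLoad imfile
$InputFileName /var/log/audit/audit.log
$InputFileTag tag_audit_log:
$InputFileStateFile audit_log
$InputFileFacility local6
$InputRunFileMonitor
$WorkDirectory /var/lib/rsyslog
$ActionQueueFileName fwdRule1
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1
local6.* @COLLECTOR:514
EOF
}

good=$(mktemp); bad=$(mktemp)
write_sample_conf "$good" 192.0.2.10          # 192.0.2.0/24 is TEST-NET-1, constructed
write_sample_conf "$bad" '<Log Collector IP>'  # placeholder left unreplaced
check_auditlog_conf "$good" && echo "good config passed"
check_auditlog_conf "$bad" || echo "placeholder config rejected"
rm -f "$good" "$bad"
```

Run it as check_auditlog_conf /etc/rsyslog.d/auditlog.conf on the host; rsyslogd -N1 remains the authoritative syntax check once rsyslog is installed.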
