UBUNTU
To forward audit logs (auditd's /var/log/audit/audit.log) to a remote log collector with rsyslog
Install the rsyslog package if it is not already installed:
apt-get install rsyslog
Open /etc/rsyslog.conf:
vim /etc/rsyslog.conf
Near the end of the file, make sure the include of the drop-in directory is present and not commented out; this is what makes rsyslog read the file created in the last step:
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
Save and quit the configuration file.
Open /etc/audit/auditd.conf:
vim /etc/audit/auditd.conf
and set the group that owns the audit log:
log_group = syslog
auditd applies this group to /var/log/audit/audit.log. On Ubuntu rsyslog drops privileges to the syslog user after start-up ($PrivDropToUser syslog in rsyslog.conf), so without this setting the file monitor configured below cannot read the log. The /var/log/audit directory must also be traversable by that group; check its mode if rsyslog reports permission denied.
Save and quit the configuration file.
Restart the auditd service so the change takes effect:
service auditd restart
Create the rsyslog input for the audit log with vim /etc/rsyslog.d/auditlog.conf and paste the following lines (each directive on its own line):
$ModLoad imfile
# auditd audit.log (path of the log file to follow)
$InputFileName /var/log/audit/audit.log
$InputFileTag tag_audit_log:
$InputFileStateFile audit_log
$InputFileSeverity info
$InputFileFacility local6
$InputFilePollInterval 1
$InputFilePersistStateInterval 1
$InputRunFileMonitor
# forward everything tagged local6 to the collector (single @ = UDP)
local6.* @<LogCollector-IP>:514
Replace <LogCollector-IP> with the address of your collector, then save and quit the configuration file. A single @ forwards over UDP, which drops events silently when the network or the collector is busy; @@<LogCollector-IP>:514 uses TCP instead. Both carry the audit events in plaintext, so across an untrusted network use rsyslog's TLS transport (omfwd with the gtls netstream driver, package rsyslog-gnutls on Ubuntu) rather than the bare forwarding rule.
Restart the rsyslog service:
service rsyslog restart
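The whole procedure as an added example script (not part of the original page): each step above becomes an idempotent shell function that takes the file it edits as a parameter, so the functions can be exercised against copies of the configuration files before they touch /etc, and apply_forwarding() wires them to the real paths. The function names, the APPLY environment variable and the optional TCP choice are this example's own assumptions, as is the use of the service command to restart the daemons.

```shell
#!/bin/sh
# Added example, not from the original page: the forwarding steps as
# idempotent shell functions. Every function takes the file it edits as an
# argument so it can be tested on a copy; apply_forwarding() uses the real
# system paths. Assumptions (this example's own): Debian/Ubuntu paths,
# rsyslog legacy directive syntax, "service" available to restart daemons.
set -eu

# Make sure rsyslog.conf pulls in /etc/rsyslog.d/*.conf. Accepts either the
# legacy $IncludeConfig line or the RainerScript include(); appends the
# legacy form only when neither is present uncommented.
ensure_rsyslogd_include() {
    conf="$1"
    if ! grep -Eq '^[[:space:]]*(\$IncludeConfig[[:space:]]+/etc/rsyslog\.d/\*\.conf|include\(file="/etc/rsyslog\.d/\*\.conf"\))' "$conf"; then
        printf '\n# Include all config files in /etc/rsyslog.d/\n$IncludeConfig /etc/rsyslog.d/*.conf\n' >> "$conf"
    fi
}

# Set (or add) log_group in auditd.conf so the group rsyslog runs as can
# read audit.log. Rewrites an existing line in place, otherwise appends.
set_auditd_log_group() {
    conf="$1"; group="$2"
    tmp="${conf}.tmp.$$"
    if grep -Eq '^[[:space:]]*log_group[[:space:]]*=' "$conf"; then
        sed -E "s/^[[:space:]]*log_group[[:space:]]*=.*/log_group = ${group}/" "$conf" > "$tmp"
        mv "$tmp" "$conf"
    else
        printf 'log_group = %s\n' "$group" >> "$conf"
    fi
}

# Write the imfile input plus the forwarding rule, one directive per line.
# proto "udp" gives a single @ (as on the page); "tcp" gives @@.
write_audit_forwarder_conf() {
    out="$1"; collector="$2"; port="$3"; proto="$4"
    case "$proto" in
        udp) target="@${collector}:${port}" ;;
        tcp) target="@@${collector}:${port}" ;;
        *)   echo "proto must be udp or tcp, got: $proto" >&2; return 1 ;;
    esac
    cat > "$out" <<EOF
\$ModLoad imfile
# auditd audit.log
\$InputFileName /var/log/audit/audit.log
\$InputFileTag tag_audit_log:
\$InputFileStateFile audit_log
\$InputFileSeverity info
\$InputFileFacility local6
\$InputFilePollInterval 1
\$InputFilePersistStateInterval 1
\$InputRunFileMonitor
local6.* ${target}
EOF
}

# Sanity check before restarting rsyslog: every directive must sit on its
# own line (the page's original had three run together) and the local6
# rule must point at host:port over @ or @@.
check_audit_forwarder_conf() {
    conf="$1"
    for directive in '$ModLoad imfile' '$InputFileName /var/log/audit/audit.log' \
                     '$InputFilePollInterval 1' '$InputFilePersistStateInterval 1' \
                     '$InputRunFileMonitor'; do
        grep -qxF -- "$directive" "$conf" || { echo "missing directive: $directive" >&2; return 1; }
    done
    grep -Eq '^local6\.\* @@?[^ :]+:[0-9]+$' "$conf" || { echo "missing forwarding rule" >&2; return 1; }
}

# All steps against the real system paths; run as root.
# usage: APPLY=1 sh forward-audit.sh <LogCollector-IP> [port] [udp|tcp]
apply_forwarding() {
    collector="$1"; port="${2:-514}"; proto="${3:-udp}"
    apt-get install -y rsyslog
    ensure_rsyslogd_include /etc/rsyslog.conf
    set_auditd_log_group /etc/audit/auditd.conf syslog
    service auditd restart
    write_audit_forwarder_conf /etc/rsyslog.d/auditlog.conf "$collector" "$port" "$proto"
    check_audit_forwarder_conf /etc/rsyslog.d/auditlog.conf
    service rsyslog restart
}

# Only touch the system when explicitly asked, so the file can also be
# sourced to test the functions on scratch copies of the configs.
if [ "${APPLY:-0}" = 1 ]; then
    apply_forwarding "$@"
fi
```

Sourcing the file without APPLY=1 loads the functions only; run them against copies of rsyslog.conf and auditd.conf in a scratch directory to see exactly what would be written before applying as root.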
