# CENTOS-RHEL

To forward Audit logs  

Install syslog package, if you haven’t installed it 

`yum -y install rsyslog` 

Checking the rsyslog.conf 

Open a rsyslog.conf file located at /etc/rsyslog.conf by following command 

`#vim/etc/rsyslog.conf` 

At the end of the file check for the following line and uncomment 

`$IncludeConfig /etc/rsyslog.d/*.conf` 

`# Include all config files in /etc/rsyslog.d/` 

`$IncludeConfig /etc/rsyslog.d/*.conf` 

Save and Quit the configuration file. 

Create log configuration for Audit logs with vim /etc/rsyslog.d/auditlog.conf and paste following lines below 

`$ModLoad imfile` 

`# auditd audit.log` 

`$InputFileName /var/log/audit/audit.log ##path of log file` 

`$InputFileTag tag_audit_log:` 

`$InputFileStateFile audit_log` 

`$InputFileSeverity info` 

`$InputFileFacility local6` 

```
$InputFilePollInterval 1
```

<pre class="language-shellscript"><code class="lang-shellscript"><strong>$InputFilePersistStateInterval 1
</strong></code></pre>

`$InputRunFileMonitor`&#x20;

`$WorkDirectory /var/lib/rsyslog`&#x20;

`$ActionQueueFileName fwdRule1 # unique name prefix for spool files`&#x20;

`$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)`&#x20;

`$ActionQueueSaveOnShutdown on # save messages to disk on shutdown`&#x20;

`$ActionQueueType LinkedList # run asynchronously`&#x20;

`$ActionResumeRetryCount -1`&#x20;

`local6.* @<Log Collector IP>:514`&#x20;

Save and Quit the configuration file.&#x20;

Restart rsyslog service&#x20;

`service rsyslog restart`&#x20;