# UBUNTU

## To forward Audit logs  

Install syslog package, if you haven’t installed it by executing the below command: 

`apt-get install rsyslog` 

Open the rsyslog.conf file located at /etc/rsyslog.conf by following command:  

`vim /etc/rsyslog.conf` 

At the end of the file check for the following line and uncomment: 

`$IncludeConfig /etc/rsyslog.d/*.conf` 

\# Include all config files in /etc/rsyslog.d/ 

`$IncludeConfig /etc/rsyslog.d/*.conf` 

Save and Quit the configuration file. 

Open a auditd.conf file located at /etc/audit/auditd.conf by following command. 

$ `vim /etc/audit/auditd.conf` 

log\_group = syslog 

Save & Quit the configuration file. 

Restart auditd service to reflect the changes. 

`$ /etc/init.d/auditd restart` 

Create log configuration for Audit logs with vim /etc/rsyslog.d/auditlog.conf and paste following lines below 

`$ModLoad imfile` 

`# auditd audit.log` 

`$InputFileName /var/log/audit/audit.log ##path of log file` 

`$InputFileTag tag_audit_log:` 

`$InputFileStateFile audit_log` 

`$InputFileSeverity info` 

`$InputFileFacility local6` 

```
$InputFilePollInterval 1
```

<pre><code><strong>$InputFilePersistStateInterval 1
</strong></code></pre>

`$InputRunFileMonitor`&#x20;

`local6.* @<LogCollector-IP>:514`&#x20;

Save and Quit the configuration file.&#x20;

Restart rsyslog service&#x20;

`service rsyslog restart`&#x20;