The following are the steps for direct audit logs of a remote rsyslog server on a CentOS/RHEL 6,7 Server.

 

Server Side Configuration

 

Perform these steps to set up the syslog server:

 

1. Uncomment the following lines in the MODULES section of /etc/rsyslog.conf:

# vi /etc/rsyslog.conf
$ModLoad imtcp
$InputTCPServerRun 514

If you are using UDP then uncomment following lines:

# vi /etc/rsyslog.conf
$ModLoad imudp
$UDPServerRun 514

 

2. Configure the rsyslog server to recieve rsyslog events from client. To receive audit logs from client servers, add below lines in the /etc/rsyslog.conf file:

# vi /etc/rsyslog.conf
$template HostAudit, "/var/log/rsyslog/%HOSTNAME%/audit_log"
local6.* ?HostAudit

 

3. Restart the rsyslog service.

# service rsyslog restart       ### CentOS/RHEL 6
# systemctl restart rsyslog     ### CentOS/RHEL 7

 

Client Side configuration

 

1. Take the backup of the existing /etc/rsyslog.conf.

# cp /etc/rsyslog.conf /etc/rsyslog.conf.bkp

 

2. Append the following rules to the /etc/rsyslog.conf file for directing the logs to central rsyslog server. “imfile” module has to be loaded on the rsyslogd, otherwise the configuration for directing the auditd log won’t work.

# vi /etc/rsyslog.conf
#audit log
$ModLoad imfile
$InputFileName /var/log/audit/audit.log
$InputFileTag tag_audit_log:
$InputFileStateFile audit_log
$InputFileSeverity info
$InputFileFacility local6
$InputRunFileMonitor

*.*                                      @[serverip]      ### Add rsyslog server IP here

 

Make sure you replace @[serverip] with your rsyslog server IP address.

 

3. Restart the rsyslog service for the changes to take effect.

# service rsyslog restart       ### CentOS/RHEL 6
# systemctl restart rsyslog     ### CentOS/RHEL 7

 

Was this answer helpful? 0 Users Found This Useful (0 Votes)