Last active
June 20, 2018 09:20
-
-
Save robdewit/b4211a14fdc6ae79c7faa2e971fdf10f to your computer and use it in GitHub Desktop.
Have auditd log to a remote syslog host
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # /etc/auditsp/plugins.d/remotesyslog.conf | |
| # | |
| # This file controls the audispd data path to the | |
| # remote event logger. This plugin will send events to | |
| # a remote machine (Central Logger). | |
| active = yes | |
| direction = out | |
| path = /etc/audisp/remotesyslog.sh | |
| type = always | |
| args = <YOURSYSLOGHOST> | |
| format = string |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Logger keep quitting on EOF from socket so we need | |
| # a sub process around that | |
| ( | |
| while true | |
| do | |
| read LINE || exit | |
| if [ -n "${LINE}" ] | |
| then | |
| /usr/bin/logger --priority auth.info --server ${1} --tag audisp "${LINE}" | |
| fi | |
| sleep 0.01 | |
| done | |
| ) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Setup syslog host with remote reception enabled using classic "syslogd -r" or rsyslog.
Disable writing local logfiles with
write_logs = noin /etc/audit/auditd.conf