What is the syslog facility for auditd logs?

Trying to forward only my auditd events by syslog, but I don't know which facility to use. I don't want to send everything to my syslog server as it would create redundancy in logging. I've set the audispd syslog plugin to active and from what I understand that should make auditd use syslog for logging the events. Now all I have to do is set the correct facility for auditd's events to forward to my logging server.

Please let me know if I'm mistaken on how this should be done. I'm trying this on a CentOS 7 box.


Auditd to syslog plugin facility settings

The Audisp syslog plugin sends auditd data to syslog, by default to the user facility. You can change this, however.

cat /etc/audisp/plugins.d/syslog.conf
# This file controls the configuration of the syslog plugin.
# It simply takes events and writes them to syslog. The
# arguments provided can be the default priority that you
# want the events written with. And optionally, you can give
# a second argument indicating the facility that you want events
# logged to. Valid options are LOG_LOCAL0 through 7, LOG_AUTH,
# LOG_AUTHPRIV, LOG_DAEMON, LOG_SYSLOG, and LOG_USER.

active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO
format = string

The key part there is "Valid options are LOG_LOCAL0 through 7", so you can adjust this to your needs. On my system these are the default settings shown above, and I get auditd messages in the user facility logs.


My reason for using this configuration is that the au-remote plugin was unreliable and drops a lot of messages. It also floods my system logs with errors as a result. I also wanted to keep the forwarded auditing logs separate on the aggregation server.

First, configure the syslog plugin:

active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO LOG_LOCAL6

Note that there are two arguments for args, the priority and the facility. The LOG_INFO priority means to send all messages that are info or more severe. The facility is basically the rsyslog channel that the audit dispatcher should route the messages into. It can be any of the valid options listed in the documentation for the syslog plugin. I'm just using LOG_LOCAL6 because it's not being used by any other applications in my system, and I want to keep the audit logs separate.

Edit /etc/audisp/plugins.d/au-remote.conf to disable the au-remote plugin:

active = no

The documentation for the syslog plugin recommends the following:

If you are aggregating multiple machines, you should edit auditd.conf to set the name_format to something meaningful and the log_format to enriched. This way you can tell where the event came from and have the user name and groups resolved locally before it is sent off of the machine.

So I used these settings:

NAME_FORMAT = HOSTNAME
LOG_FORMAT = ENRICHED

The audit logs are already being written locally to /etc/audit, so there's no need to edit /etc/rsyslog.conf, and tell it to write the local6 messages from the audit dispatcher to a file. You just need to make sure you have rsyslog configured for forwarding, and the messages will go to the aggregation server.

If you only want the audit messages to be forwarded, do the following in /etc/rsyslog.conf, and restart rsyslog.service:

local6.* @@logs.example.com:514

Restart the audit daemon to apply the settings (don't use systemctl restart):

service auditd restart

Then, on your log aggregation server, edit /etc/rsyslog.conf to write the incoming messages to a dedicated file:

local6.*                /var/log/auditd-forwarded

Finally, add this log to the log rotation schedule in /etc/logrotate.d/syslog (on the aggregation server):

/var/log/spooler
/var/log/auditd-forwarded
{
    missingok

Note: You can optionally put the logrotate configuration in its own file.

This has been verified to work on CentOS 7.
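As an added example (not code from either answer above), a small Python checker that parses the key = value format of /etc/audisp/plugins.d/syslog.conf, validates the facility in args against the list the plugin's own header comment documents, and derives the rsyslog forwarding selector that matches it. The sample config, the server name logs.example.com and the helper names are constructed for the example.

```python
"""Derive the rsyslog forwarding line from an audisp syslog plugin config.

Constructed example: parses the 'key = value' format of
/etc/audisp/plugins.d/syslog.conf, checks that the facility named in
args is one the plugin accepts, and builds the matching rsyslog selector
(args = LOG_INFO LOG_LOCAL6 -> 'local6.* @@logs.example.com:514').
"""

# Facilities listed as valid in the plugin's header comment, mapped to the
# facility names rsyslog uses in its selectors.
VALID_FACILITIES = {f"LOG_LOCAL{i}": f"local{i}" for i in range(8)}
VALID_FACILITIES.update({
    "LOG_AUTH": "auth", "LOG_AUTHPRIV": "authpriv", "LOG_DAEMON": "daemon",
    "LOG_SYSLOG": "syslog", "LOG_USER": "user",
})


def parse_plugin_conf(text):
    """Parse 'key = value' lines, ignoring comments and blank lines."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip().lower()] = value.strip()
    return conf


def audit_facility(conf):
    """Return the rsyslog facility name the plugin will write to.

    args is '<priority> [<facility>]'; with no second argument the plugin
    logs to the user facility (the default the first answer describes).
    """
    if conf.get("active", "no").lower() != "yes":
        raise ValueError("syslog plugin is not active")
    args = conf.get("args", "LOG_INFO").split()
    if len(args) == 1:
        return "user"
    if len(args) != 2 or args[1] not in VALID_FACILITIES:
        raise ValueError(f"unsupported args value: {conf.get('args')!r}")
    return VALID_FACILITIES[args[1]]


def forwarding_rule(conf, server, port=514):
    """Build the rsyslog line that forwards only the audit facility over TCP (@@)."""
    return f"{audit_facility(conf)}.* @@{server}:{port}"


# Constructed sample mirroring the settings from the second answer.
SAMPLE_CONF = """\
active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO LOG_LOCAL6
format = string
"""

if __name__ == "__main__":
    print(forwarding_rule(parse_plugin_conf(SAMPLE_CONF), "logs.example.com"))
```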