Centralizing the audit log

From rsyslog wiki


This is a stub. I am posting a configuration sample that Johnny Tan provided on the rsyslog mailing list.

I use imfile, this is my client stanza:

# auditd audit.log
# imfile must be loaded once before any $InputFile* directive is used
$ModLoad imfile
$InputFileName /var/log/audit/audit.log
# tag prepended to every line; the server-side sed below keys on it
$InputFileTag tag_audit_log:
# state file (under $WorkDirectory) recording how far the file has been read
$InputFileStateFile audit_log
$InputFileSeverity info
# local6 is the facility the server selector matches on, so a forwarding
# rule for local6.* to the central server must exist in this config as well
$InputFileFacility local6
# must come last: activates monitoring of the file described above
$InputRunFileMonitor

And on the server side:

# one file per sending host; %HOSTNAME% is taken from the message header
$template HostAudit, "/var/log/rsyslog/%HOSTNAME%/audit_log"
# a network input (imudp or imtcp) must be loaded and listening for this to receive anything
local6.*                                ?HostAudit


> Would be great if you manage to keep the format on the receiving host...

The format is NOT kept due to the syslog prefix. However, audit2allow can still read and process the file.

If I need the original format (like for ausearch, and maybe other tools), I would need to run something like this on the server side, in the directory for the host I'm wanting to do the analysis on:

sed 's/^.*tag_audit_log://' audit_log | ausearch -i


Let me add to this post that by using proper templates, it is most probably possible to retain the audit log format. If someone is interested, drop us a line on the mailing list and we will help getting this done.
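As an illustration of that, here is an added example (not the page's configuration and not Johnny Tan's) of a server-side rule whose output template writes only the message part, so the syslog prefix never reaches the file. The template names HostAuditRaw and AuditRaw are my own choices, and the `%msg:2:$%` substring assumes that the receiving rsyslog kept the single space between the tag and the message, which its default RFC 3164 parser does.

```conf
# Server side (added example): write the raw audit record, nothing else.
# %HOSTNAME% comes from the message header, i.e. it is whatever the sender
# claimed; %FROMHOST% would name the peer the record was actually received from.
$template HostAuditRaw, "/var/log/rsyslog/%HOSTNAME%/audit_log"
# Assumption: msg still carries the leading space the parser left in front of it,
# so the record starts at character 2. Use plain %msg% if your sender strips it.
$template AuditRaw, "%msg:2:$%\n"
# ?dynfile;template selects AuditRaw instead of the default file format
local6.*    ?HostAuditRaw;AuditRaw
```

With that in place each per-host file is byte-for-byte the sender's audit.log lines and `ausearch -i -if /var/log/rsyslog/<host>/audit_log` reads it without the sed step. Two things to check: audit records such as EXECVE and PROCTITLE lines can be several kilobytes long, so set $MaxMessageSize near the top of both configs large enough or they arrive truncated; and because a sender can claim any %HOSTNAME%, only let authenticated peers (see the TLS section below) write into these per-host files, or key the file name on %FROMHOST% instead.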

Encrypting the traffic

In the above example, the audit records travel unencrypted and unauthenticated, so anyone on the path can read them and nothing stops a forged record from being accepted. rsyslog can encrypt and mutually authenticate syslog traffic via GSSAPI or TLS, and either transfer mode works together with the imfile and template configuration above.
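For the TLS case, here is an added example (not from the page, and not the rsyslog project's own configuration) using the gtls network stream driver with mutual x509 authentication. The host name logserver.example.com, the domain example.com, port 6514 and the certificate paths under /etc/rsyslog.d/tls/ are placeholders; the certificates are assumed to be issued by a CA you control, with each certificate's name matching the host's DNS name.

```conf
# ---- client (sender), added example ----
# gtls requires the rsyslog-gnutls package (or equivalent) to be installed
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/tls/ca.pem
$DefaultNetstreamDriverCertFile /etc/rsyslog.d/tls/client-cert.pem
$DefaultNetstreamDriverKeyFile /etc/rsyslog.d/tls/client-key.pem
# mode 1 = TLS only; the action fails rather than falling back to plain TCP
$ActionSendStreamDriverMode 1
# verify the server's certificate chain against ca.pem AND its name
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer logserver.example.com
# @@ = TCP; local6 is the facility the imfile stanza above assigns to audit lines
local6.* @@logserver.example.com:6514

# ---- server (receiver), added example; combine with the HostAudit rule above ----
$ModLoad imtcp
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/tls/ca.pem
$DefaultNetstreamDriverCertFile /etc/rsyslog.d/tls/server-cert.pem
$DefaultNetstreamDriverKeyFile /etc/rsyslog.d/tls/server-key.pem
$InputTCPServerStreamDriverMode 1
# clients must present a certificate from ca.pem whose name matches the pattern
$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerStreamDriverPermittedPeer *.example.com
$InputTCPServerRun 6514
```

Mode 1 refuses the connection unless TLS is negotiated, and x509/name makes each side check the other's certificate chain against ca.pem and its name against the PermittedPeer pattern: a machine without a certificate from that CA cannot push records into the audit tree, and the client will not deliver to an impostor server. The other auth modes weaken this: anon encrypts without authenticating at all, and x509/certvalid checks the chain but not the name. The wildcard admits any certificate under example.com, so narrow it or list the hosts individually if the same CA also issues certificates to less trusted machines.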



