
Re: Remote Logging of auditd



On 01/19/2018 07:51 AM, Joshua Ammons wrote:

Hi All,

I wanted to send this out to see if anyone has encountered this situation before and, if so, how you handled it. We send our auditd logs to a remote central logging server. Is there any way to decode the hex encoded fields before sending them along? Similar to the ausearch [-i] flag which interprets the encoded value?

For example, the "data" field in a USER_TTY event:

type=USER_TTY msg=audit(1516365981.138:13125): pid=7161 uid=0 auid=1007 ses=65 data=73657276696365206175646974642073746F70

type=USER_TTY msg=audit(1516367294.919:13331): pid=7161 uid=0 auid=1007 ses=65 data=73797374656D63746C2073746F7020617564697464

type=USER_TTY msg=audit(1516367648.904:13375): pid=7161 uid=0 auid=1007 ses=65 data=6964206A6F7368616D6D6F6E73

type=USER_TTY msg=audit(1516367664.832:13378): pid=7161 uid=0 auid=1007 ses=65 data=636174202F6574632F706173737764207C2067726570206A6F7368616D6D6F6E73

type=USER_TTY msg=audit(1516367715.041:13388): pid=7161 uid=0 auid=1007 ses=65 data=636174202F7661722F6C6F672F61756469742F61756469742E6C6F67207C20677265702022555345525F54545922

We have the following configured in our /etc/rsyslog.conf file:

:programname, isequal, "audispd" @SERVER_NAME:514

:programname, isequal, "auditd" @SERVER_NAME:514

^^ This, however, will send those fields in their raw format and does not decode the values. Is it possible to natively interpret those fields before sending them to the remote server?



Joshua,

What audit version are you using?
LCB

--
LC (Lenny) Bruzenak
lenny magitekltd com
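Decoding the hex-encoded fields before the records leave the host, as an added example in Python that is not from this thread or from the audit project: it approximates what ausearch -i does for the USER_TTY records quoted in the question, and the set of field names it treats as hex-encodable is my own assumption.

```python
import binascii
import re

# The five USER_TTY records from the question above, used as sample input.
SAMPLE = [
    "type=USER_TTY msg=audit(1516365981.138:13125): pid=7161 uid=0 auid=1007 ses=65 data=73657276696365206175646974642073746F70",
    "type=USER_TTY msg=audit(1516367294.919:13331): pid=7161 uid=0 auid=1007 ses=65 data=73797374656D63746C2073746F7020617564697464",
    "type=USER_TTY msg=audit(1516367648.904:13375): pid=7161 uid=0 auid=1007 ses=65 data=6964206A6F7368616D6D6F6E73",
    "type=USER_TTY msg=audit(1516367664.832:13378): pid=7161 uid=0 auid=1007 ses=65 data=636174202F6574632F706173737764207C2067726570206A6F7368616D6D6F6E73",
    "type=USER_TTY msg=audit(1516367715.041:13388): pid=7161 uid=0 auid=1007 ses=65 data=636174202F7661722F6C6F672F61756469742F61756469742E6C6F67207C20677265702022555345525F54545922",
]

# Fields that auditd hex-encodes whenever the value holds whitespace, quotes
# or non-printable bytes (TTY keystrokes in USER_TTY are the common case).
# Assumption: my own selection of field names, not a list from the audit sources.
HEX_FIELDS = {"data", "proctitle", "cmd", "comm", "exe", "cwd", "name", "key", "acct"}

# name=value tokens: either a double-quoted string (with \" escapes) or a bare token.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')
HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")


def decode_value(name, value):
    """Decode one field the way ausearch -i would: hex-encoded values become
    quoted text; anything already quoted or not encodable is returned as is."""
    if name not in HEX_FIELDS or not HEX_RE.match(value):
        return value
    text = binascii.unhexlify(value).decode("utf-8", errors="replace")
    # Escape quotes and backslashes so the result is still a valid quoted
    # audit value, and keep control characters visible on a single log line.
    text = text.replace("\\", "\\\\").replace('"', '\\"')
    text = text.replace("\r", "\\r").replace("\n", "\\n").replace("\0", "\\0")
    return '"' + text + '"'


def decode_record(line):
    """Rewrite every hex-encoded field in one audit record; any syslog prefix is kept."""
    return FIELD_RE.sub(lambda m: m.group(1) + "=" + decode_value(m.group(1), m.group(2)), line)


def decode_log(lines):
    """Decode an iterable of records, as a filter would before forwarding them."""
    return [decode_record(line) for line in lines]


if __name__ == "__main__":
    for record in decode_log(SAMPLE):
        print(record)
```

Run as a filter on the host (one option is piping records through it with rsyslog's omprog module), the decoded text is what the central server receives, so a rule there can match on the keystrokes (for example a "service auditd stop" attempt) instead of on hex.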



