Remote Logging of auditd
LC Bruzenak
lenny at magitekltd.com
Mon Jan 22 17:55:59 UTC 2018
On 01/19/2018 07:51 AM, Joshua Ammons wrote:
>
> Hi All,
>
> I wanted to send this out to see if anyone has encountered this
> situation before and, if so, how you handled it. We send our auditd
> logs to a remote central logging server. Is there any way to decode
> the hex encoded fields before sending them along? Similar to the
> ausearch [-i] flag which interprets the encoded value?
>
> For example, the “data” field in a USER_TTY event:
>
> type=USER_TTY msg=audit(1516365981.138:13125): pid=7161 uid=0 auid=1007 ses=65 data=73657276696365206175646974642073746F70
>
> type=USER_TTY msg=audit(1516367294.919:13331): pid=7161 uid=0 auid=1007 ses=65 data=73797374656D63746C2073746F7020617564697464
>
> type=USER_TTY msg=audit(1516367648.904:13375): pid=7161 uid=0 auid=1007 ses=65 data=6964206A6F7368616D6D6F6E73
>
> type=USER_TTY msg=audit(1516367664.832:13378): pid=7161 uid=0 auid=1007 ses=65 data=636174202F6574632F706173737764207C2067726570206A6F7368616D6D6F6E73
>
> type=USER_TTY msg=audit(1516367715.041:13388): pid=7161 uid=0 auid=1007 ses=65 data=636174202F7661722F6C6F672F61756469742F61756469742E6C6F67207C20677265702022555345525F54545922
>
> We have the following configured in our /etc/rsyslog.conf file:
>
> :programname, isequal, "audispd" @SERVER_NAME:514
>
> :programname, isequal, "auditd" @SERVER_NAME:514
>
> ^^ This, however, will send those fields in their raw format and does
> not decode the values. Is it possible to natively interpret those
> fields before sending them to the remote server?
>
>
Joshua,
What audit version are you using?
LCB
--
LC (Lenny) Bruzenak
lenny at magitekltd.com
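As an added example (not code from this thread or from the audit project), here is a small Python script that performs the ausearch -i style decoding of the hex-encoded data field before a record is forwarded, run over the USER_TTY records quoted in the question. The choice to decode only the data field and the \xNN rendering of control characters are assumptions of this example; decoded, the sample records read as commands such as "service auditd stop", which is exactly the text a central logging server needs to be able to search and alert on.

```python
import re

# Constructed sample: the USER_TTY records quoted in the question, one record per line.
SAMPLE_RECORDS = [
    "type=USER_TTY msg=audit(1516365981.138:13125): pid=7161 uid=0 auid=1007 ses=65 data=73657276696365206175646974642073746F70",
    "type=USER_TTY msg=audit(1516367294.919:13331): pid=7161 uid=0 auid=1007 ses=65 data=73797374656D63746C2073746F7020617564697464",
    "type=USER_TTY msg=audit(1516367648.904:13375): pid=7161 uid=0 auid=1007 ses=65 data=6964206A6F7368616D6D6F6E73",
    "type=USER_TTY msg=audit(1516367664.832:13378): pid=7161 uid=0 auid=1007 ses=65 data=636174202F6574632F706173737764207C2067726570206A6F7368616D6D6F6E73",
    "type=USER_TTY msg=audit(1516367715.041:13388): pid=7161 uid=0 auid=1007 ses=65 data=636174202F7661722F6C6F672F61756469742F61756469742E6C6F67207C20677265702022555345525F54545922",
]

# Assumption of this example: decode only fields known to be hex-encoded. Decoding on
# "looks like hex" alone would corrupt plain numeric fields such as ses=65 (hex for "e").
ENCODED_FIELDS = {"data"}
HEX_RE = re.compile(r"^(?:[0-9A-F]{2})+$")  # auditd emits uppercase hex, whole bytes

def parse_record(line):
    """Split an audit record into key=value pairs (encoded values never contain spaces)."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields

def decode_hex_value(value):
    """Turn a hex-encoded audit value into text; control characters become \\xNN escapes."""
    if not HEX_RE.match(value):
        return value  # not encoded: audit only hex-encodes values with spaces, quotes or control chars
    text = bytes.fromhex(value).decode("utf-8", errors="replace")
    return "".join(ch if ch.isprintable() else f"\\x{ord(ch):02x}" for ch in text)

def interpret_record(line):
    """Return the parsed record with its encoded fields decoded, or None if it is not USER_TTY."""
    fields = parse_record(line)
    if fields.get("type") != "USER_TTY":
        return None
    for key in ENCODED_FIELDS:
        if key in fields:
            fields[key] = decode_hex_value(fields[key])
    return fields

def rewrite_for_forwarding(line):
    """Rebuild the record with data=... replaced by its decoded text, double-quoted and escaped."""
    fields = interpret_record(line)
    if fields is None:
        return line
    def render(k, v):
        if k not in ENCODED_FIELDS:
            return f"{k}={v}"
        return f'{k}="' + v.replace("\\", "\\\\").replace('"', '\\"') + '"'
    return " ".join(render(k, v) for k, v in fields.items())

if __name__ == "__main__":
    for record in SAMPLE_RECORDS:
        print(rewrite_for_forwarding(record))
```

In an rsyslog deployment this would sit between audispd and the forwarding rule (for example as an omprog-style filter), so the raw line is never altered on disk and only the forwarded copy is interpreted.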