Remote Logging of auditd

Mon Jan 22 17:55:59 UTC 2018

On 01/19/2018 07:51 AM, Joshua Ammons wrote:
>
> Hi All,
>
> I wanted to send this out to see if anyone has encountered this 
> situation before and, if so, how you handled it.  We send our auditd 
> logs to a remote central logging server.  Is there any way to decode 
> the hex encoded fields before sending them along?  Similar to the 
> ausearch [-i] flag which interprets the encoded value?
>
> For example, the  “data” field in a USER_TTY event:
>
> type=USER_TTY msg=audit(1516365981.138:13125): pid=7161 uid=0 
> auid=1007 ses=65 data=73657276696365206175646974642073746F70
>
> type=USER_TTY msg=audit(1516367294.919:13331): pid=7161 uid=0 
> auid=1007 ses=65 data=73797374656D63746C2073746F7020617564697464
>
> type=USER_TTY msg=audit(1516367648.904:13375): pid=7161 uid=0 
> auid=1007 ses=65 data=6964206A6F7368616D6D6F6E73
>
> type=USER_TTY msg=audit(1516367664.832:13378): pid=7161 uid=0 
> auid=1007 ses=65 
> data=636174202F6574632F706173737764207C2067726570206A6F7368616D6D6F6E73
>
> type=USER_TTY msg=audit(1516367715.041:13388): pid=7161 uid=0 
> auid=1007 ses=65 
> data=636174202F7661722F6C6F672F61756469742F61756469742E6C6F67207C20677265702022555345525F54545922
>
> We have the following configured in our /etc/rsyslog.conf file:
>
> :programname, isequal, "audispd" @SERVER_NAME:514
>
> :programname, isequal, "auditd" @SERVER_NAME:514
>
> ^^ This, however, will send those fields in their raw format and does 
> not decode the values.  Is it possible to natively interpret those 
> fields before sending them to the remote server?
>
>

Joshua,

What audit version are you using?
LCB

-- 
LC (Lenny) Bruzenak
lenny at magitekltd.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3805 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20180122/8d72a5c2/attachment.p7s>