audit logs to remote syslog?

Lenny Bruzenak lenny at magitekltd.com
Fri Jan 6 02:43:15 UTC 2017


On 01/05/2017 05:41 PM, John Jasen wrote:

> I'm currently using audisp with the syslog plugin to send audit logs off
> to a remote server for reduction and archiving, which for the most part,
> works reasonably well.
>
> I understand auditd has its own facility for sending to a remote auditd
> collector, but haven't played with it. I've also considered using
> rsyslog with an imfile directive for /var/log/audit/audit.log.
>
> I'm sure there are options I've not considered -- what are other folks
> doing?

Well, actually my team has gone about this sort of in a similar but 
different way.
For years, we've sent all audit data from participant machines to an 
auditd collector. All events, including the aggregating machine's, are 
in one spot and protected.

That, along with some watchful scripts on the senders' side, and not 
allowing the admins on the other machine to have logins on the collector 
machine, has been our way of securing against insider threat as much as 
possible given the constraints we have.

Then, the usual search tools are used on the audit standalone 
aggregator, along with some custom web-based cruft I hacked to allow 
read-only searching from within the LAN. This is where improvements are 
needed most for my efforts, but I haven't had time to address it.

Now, however, we are sending the aggregated data to an enterprise-level 
syslog collector. The version of audit you run dictates if you can do 
this easily or if it needs effort.

Steve knows the versions, but each evolution yields something more 
helpful than before. My older version (RHEL6.8, audit 2.4.5) means I'm 
forced to use the checkpoint search feature, and while inelegant, it 
serves the purpose well enough.

IIUC you could do this with the 2.6+ version of audit, using the 
"distribute_network" setting. I've been unable to play with that yet though.

HTH,
LCB

-- 
Lenny Bruzenak
MagitekLTD
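As an added example (not part of this thread and not the audit project's own files), the chain described above in configuration form: senders forward records to an auditd collector with audisp-remote, and on an audit 2.6+ collector the "distribute_network" setting lets the collector's own syslog plugin pass the aggregated records on to the enterprise syslog collector. The hostname collector.example.com and the LOG_LOCAL6 facility are assumed values; port 60 is audisp-remote's default.

```ini
; --- Sender (each participant machine): /etc/audisp/plugins.d/au-remote.conf
active = yes
direction = out
path = /sbin/audisp-remote
type = always
format = string

; --- Sender: /etc/audisp/audisp-remote.conf
; collector.example.com is an assumed hostname; 60 is the default port
remote_server = collector.example.com
port = 60
transport = tcp
; Plain tcp carries records in clear text; Kerberos adds mutual
; authentication and encryption (the collector must enable it too)
enable_krb5 = yes
krb5_principal = auditd
; If the link drops, queue locally instead of silently losing records
queue_depth = 2048
network_retry_time = 1
max_tries_per_record = 3

; --- Collector: /etc/audit/auditd.conf (audit 2.6+)
tcp_listen_port = 60
tcp_max_per_addr = 1
enable_krb5 = yes
krb5_principal = auditd
; Without this, records received from senders are written to the
; collector's audit.log only and never reach its audisp plugins. With it,
; they are also handed to the plugins below, so the syslog plugin sees
; every machine's events, not just the collector's own.
distribute_network = yes

; --- Collector: /etc/audisp/plugins.d/syslog.conf
; Hands each record to the local syslog daemon, which is configured
; separately to forward facility local6 to the enterprise collector
active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO LOG_LOCAL6
format = string
```

On an older collector (the 2.4.x case above) the received records land only in the collector's audit.log, so a periodic `ausearch --checkpoint` or an imfile-style tail of that file is the fallback for getting them to syslog.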
