The auditd service cannot send audit records to a centralised server on its own. What it does ship is the audit event multiplexor (audispd) and, in the audispd-plugins package, the audisp-remote plug-in, which forwards each record over TCP to an auditd instance on another host that has been configured to listen. Keep in mind that this transport is plain TCP: unless Kerberos is enabled on both ends (enable_krb5 in auditd.conf and in audisp-remote.conf), records travel unencrypted and the listener does not authenticate the sender, so limit which hosts can reach the listening port.
We have two servers in our homelab:
- server1.hl.local – a RHEL 7 server that sends audit messages.
- server2.hl.local – a RHEL 7 server that receives audit messages.
Configure the Sending Server
Configure auditd to write enriched records (numeric IDs are followed by their resolved names, as in the UID="root" AUID="root" suffix on the sample record at the end of this page) and to prefix every record with the sending host's name, so that records can be attributed to the right host once they arrive on server2. Open /etc/audit/auditd.conf for editing and set the following lines:
log_format = ENRICHED
name_format = HOSTNAME
Enable remote logging. The audisp-remote plug-in is not installed by default, so install the audispd-plugins package:
# yum -y install audispd-plugins
Open /etc/audisp/plugins.d/au-remote.conf for editing and set the active option to yes so that audispd loads the plug-in:
active = yes
Open /etc/audisp/audisp-remote.conf for editing and point the plug-in at the receiving server. The port must match the tcp_listen_port configured on server2 below:
remote_server = server2.hl.local
port = 60
Restart the auditd service. On RHEL 7 auditd refuses systemctl stop and restart, so use the service command, which goes through the legacy action script:
# service auditd restart
Configure the Receiving Server
Open /etc/audit/auditd.conf for editing and configure the auditd service to listen on TCP port 60 for records from remote senders:
tcp_listen_port = 60
The listener accepts a connection from any host that can reach the port, so keep the firewall rule below as narrow as the network allows. Restart auditd on server2 as well (service auditd restart, as on the sender), otherwise the port is not opened.
Open TCP port 60 so that server1 can reach the listener. The rule below opens the port to every source; on a network with more than these two hosts, prefer a firewalld rich rule that accepts TCP port 60 only from server1's address:
# firewall-cmd --permanent --add-port=60/tcp
# firewall-cmd --reload
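The edits above, collected into one idempotent script as an added example (not from the original article). It rewrites the same five settings with sed, or appends any that are absent, so it can be re-run safely; pass a scratch directory as the first argument to rehearse the change without touching /etc. The hostnames and port 60 come from the article; the function names are the example's own, and restarting auditd is left to the caller.

```shell
#!/usr/bin/env sh
# Added example (not from the original article): apply the sender and
# receiver settings from the walkthrough idempotently. ROOT defaults to / so
# the functions edit the real files on RHEL 7; pass a scratch directory to
# rehearse the change. Restarting auditd is left to the caller
# ("service auditd restart" on each host).
set -eu

# set_kv FILE KEY VALUE: turn every "KEY = ..." line, whether active or
# commented out with one or more '#', into "KEY = VALUE", or append the line
# if the key is absent. Re-running leaves the file unchanged.
set_kv() {
    file=$1; key=$2; value=$3
    mkdir -p "$(dirname "$file")"
    touch "$file"
    if grep -Eq "^[#[:space:]]*${key}[[:space:]]*=" "$file"; then
        sed -i -E "s|^[#[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# get_kv FILE KEY: print the effective (last uncommented) value of KEY.
get_kv() {
    sed -nE "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*(.*)$/\1/p" "$1" | tail -n 1
}

# configure_sender [ROOT] [RECEIVER] [PORT]: the server1 side of the article.
configure_sender() {
    root=${1:-/}; receiver=${2:-server2.hl.local}; port=${3:-60}
    set_kv "$root/etc/audit/auditd.conf" log_format ENRICHED
    set_kv "$root/etc/audit/auditd.conf" name_format HOSTNAME
    set_kv "$root/etc/audisp/plugins.d/au-remote.conf" active yes
    set_kv "$root/etc/audisp/audisp-remote.conf" remote_server "$receiver"
    set_kv "$root/etc/audisp/audisp-remote.conf" port "$port"
}

# configure_receiver [ROOT] [PORT]: the server2 side of the article.
configure_receiver() {
    root=${1:-/}; port=${2:-60}
    set_kv "$root/etc/audit/auditd.conf" tcp_listen_port "$port"
}
```

Source the file on each host and call configure_sender on server1 and configure_receiver on server2, then restart auditd with the service command. Because the key match is anchored at the start of the line and followed by an equals sign, setting port does not touch local_port and setting name_format does not touch log_format.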
Log out of server1 and log back in over SSH, then check the log file on server2. The node= prefix identifies the sender, and the UID="root" AUID="root" suffix is the ENRICHED resolution of the numeric IDs:
# grep server1 /var/log/audit/audit.log
node=server1.hl.local type=CRED_REFR msg=audit(1561294797.930:227): pid=2236 uid=0 auid=0 ses=4 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/sshd" hostname=10.11.1.10 addr=10.11.1.10 terminal=ssh res=success' UID="root" AUID="root"
If nothing arrives, audisp-remote on server1 reports connection failures through syslog, and a mismatch between port, tcp_listen_port and the firewall rule is the usual cause.
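Once records from several hosts land in one file, the node= field is what lets you attribute them. The following added example (not part of the original article) summarises a received audit.log per sender, type and result, and flags senders with repeated failed SSH authentications. The four sample records are constructed for the example in the same ENRICHED format as the one above, and the function names are the example's own; the record without node= stands for one that server2 wrote locally, which is how the receiver's own events look while it keeps the default name_format = NONE.

```shell
#!/usr/bin/env sh
# Added example (not from the original article): attribute received ENRICHED
# audit records to their sender via the node= field that name_format = HOSTNAME
# adds, and flag senders with repeated failed SSH authentications.
set -eu

# sample_log: constructed records in the format shown above (not captured
# logs). Three came from server1; the last has no node= field, i.e. it was
# written locally by the receiver, whose name_format is still NONE.
sample_log() {
cat <<'EOF'
node=server1.hl.local type=CRED_REFR msg=audit(1561294797.930:227): pid=2236 uid=0 auid=0 ses=4 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/sshd" hostname=10.11.1.10 addr=10.11.1.10 terminal=ssh res=success' UID="root" AUID="root"
node=server1.hl.local type=USER_AUTH msg=audit(1561294801.120:228): pid=2240 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/sbin/sshd" hostname=10.11.1.10 addr=10.11.1.10 terminal=ssh res=failed' UID="root" AUID="unset"
node=server1.hl.local type=USER_AUTH msg=audit(1561294803.500:229): pid=2240 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/sbin/sshd" hostname=10.11.1.10 addr=10.11.1.10 terminal=ssh res=failed' UID="root" AUID="unset"
type=DAEMON_START msg=audit(1561294700.000:1): op=start ver=2.8.4 format=enriched kernel=3.10.0 auid=4294967295 pid=2100 uid=0 ses=4294967295 res=success
EOF
}

# summarise_by_node: read audit.log lines on stdin and print
# "<node> <type> <res> <count>", one line per combination, sorted.
# Quotes are stripped because ENRICHED records close msg='...' right after
# res=..., so the raw token is res=success' rather than res=success.
summarise_by_node() {
    awk -v q="'" -v dq='"' '
        {
            node = "(local)"; type = ""; res = ""
            for (i = 1; i <= NF; i++) {
                n = index($i, "=")
                if (n == 0) continue
                k = substr($i, 1, n - 1); v = substr($i, n + 1)
                gsub(q, "", v); gsub(dq, "", v)
                if (k == "node") node = v
                else if (k == "type") type = v
                else if (k == "res") res = v
            }
            if (type != "") count[node " " type " " res]++
        }
        END { for (k in count) print k, count[k] }
    ' | LC_ALL=C sort
}

# failed_auth_by_node [THRESHOLD]: print "<node> <failures>" for every sender
# whose failed USER_AUTH records reach THRESHOLD (default 2).
failed_auth_by_node() {
    summarise_by_node | awk -v thr="${1:-2}" \
        '$2 == "USER_AUTH" && $3 == "failed" && $4 >= thr { print $1, $4 }'
}
```

On server2 run summarise_by_node < /var/log/audit/audit.log to see what each sender is contributing, and failed_auth_by_node 5 (or any threshold) as a quick check for brute-force attempts against any of the hosts that forward here. Records that lack node= are the receiver's own, so a sender that stops appearing while local records continue points at the forwarding link rather than at a quiet host.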