This short note explains steps to direct audit logs to remote rsyslog server on a CentOS/RHEL 6,7 Server.
Server Side Configuration
Perform these steps to set up the syslog server:
1. Uncomment the following lines in the ‘MODULES‘ section of /etc/rsyslog.conf:
# vi /etc/rsyslog.conf $ModLoad imtcp $InputTCPServerRun 514
If you are using UDP then uncomment following lines:
# vi /etc/rsyslog.conf $ModLoad imudp $UDPServerRun 514
2. Configure the rsyslog server to recieve rsyslog events from client. To receive audit logs from client servers, add below lines in the /etc/rsyslog.conf file:
# vi /etc/rsyslog.conf $template HostAudit, "/var/log/rsyslog/%HOSTNAME%/audit_log" local6.* ?HostAudit
3. Restart the rsyslog service.
# service rsyslog restart ### CentOS/RHEL 6 # systemctl restart rsyslog ### CentOS/RHEL 7
Client Side configuration
1. Take the backup of the existing /etc/rsyslog.conf.
# cp /etc/rsyslog.conf /etc/rsyslog.conf.bkp
2. Append the following rules to the /etc/rsyslog.conf file for directing the logs to central rsyslog server. “imfile” module has to be loaded on the rsyslogd, otherwise the configuration for directing the auditd log won’t work.
# vi /etc/rsyslog.conf #audit log $ModLoad imfile $InputFileName /var/log/audit/audit.log $InputFileTag tag_audit_log: $InputFileStateFile audit_log $InputFileSeverity info $InputFileFacility local6 $InputRunFileMonitor *.* @[serverip] ### Add rsyslog server IP here
Make sure you replace @[serverip] with your rsyslog server IP address.
3. Restart the rsyslog service for the changes to take effect.
# service rsyslog restart ### CentOS/RHEL 6 # systemctl restart rsyslog ### CentOS/RHEL 7