Question: Our system has many audit rules and the generated events all show up in /var/log/audit/audit.log, but we want certain select events to also be passed to rsyslog for further processing. How can we do this?
1. Choose which syslog facility (local0 through local7) to use for the messages that will be delivered to rsyslog (the following examples use local3).
2. Enable the audispd syslog plugin and set the chosen facility:
sed -i -e '/^active/s/=.*/= yes/' -e '/^args/s/=.*/= LOG_INFO LOG_LOCAL3/' /etc/audisp/plugins.d/syslog.conf
3. Create rsyslog filter rule(s) so rsyslog can match specific audit event keys or audit message types. For example, to match the audit event keys perm_mod and time-change and the event types SYSTEM_SHUTDOWN and USER_LOGIN, add the following to a new rsyslog drop-in file, e.g. /etc/rsyslog.d/audispd.conf:
## Next line will send all audispd local3 (syslog) messages matching specific keys or types to some file
if $syslogfacility-text == 'local3' and $programname == 'audispd' and ($msg contains 'key="perm_mod"' or $msg contains 'key="time-change"' or $msg contains 'type=SYSTEM_SHUTDOWN' or $msg contains 'type=USER_LOGIN') then /var/log/some_log
## Optional: this line will send the same messages to a 2nd file
& /var/log/some_other_log
## Optional: this line will send the same messages to a remote host over 514/udp
& @10.0.0.1
## This line will drop all audispd local3 (syslog) messages so they don't end up in other files
if $syslogfacility-text == 'local3' and $programname == 'audispd' then ~
4. Restart rsyslog and then auditd:
# service rsyslog restart
# service auditd restart
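The four steps above as one script, added here as an example and not part of the original article: it applies the sed edit from step 2 and generates the drop-in file from step 3 for any list of keys and types, and includes a small check that applies the same "contains" tests to a sample line. The ROOT prefix variable, the function names and the sample syslog lines are my own assumptions; on a real host leave ROOT at "/" and restart rsyslog and auditd afterwards as in step 4.

```shell
#!/bin/sh
# Added example, not from the original article: applies steps 2 and 3 above
# (enable the audisp syslog plugin, write the rsyslog drop-in file) with the
# facility, keys, types and target file taken from variables. ROOT is an
# assumed prefix so the result can be staged in a scratch directory first;
# leave it at "/" (the default) on the real host, then restart rsyslog and auditd.
set -eu

ROOT="${ROOT:-/}"                                   # assumed: path prefix for staging
FACILITY="${FACILITY:-local3}"                      # chosen syslog facility
KEYS="${KEYS:-perm_mod time-change}"                # audit rule keys to forward
TYPES="${TYPES:-SYSTEM_SHUTDOWN USER_LOGIN}"        # audit record types to forward
OUT="${OUT:-/var/log/some_log}"                     # destination file for matches

# Build the rsyslog condition: $msg contains 'key="k"' or ... or $msg contains 'type=T'
build_condition() {
    cond=""
    for k in $1; do
        cond="${cond:+$cond or }\$msg contains 'key=\"$k\"'"
    done
    for t in $2; do
        cond="${cond:+$cond or }\$msg contains 'type=$t'"
    done
    printf '%s' "$cond"
}

# Step 2: turn the plugin on and pass the facility as LOG_<FACILITY>
configure_audisp() {
    f="$ROOT/etc/audisp/plugins.d/syslog.conf"
    upper=$(printf '%s' "$FACILITY" | tr 'a-z' 'A-Z')
    sed -i -e '/^active/s/=.*/= yes/' \
           -e "/^args/s/=.*/= LOG_INFO LOG_$upper/" "$f"
}

# Step 3: write the drop-in file; the second rule discards everything the first
# one did not match, so unselected audit events stay out of the other log files
write_rsyslog_filter() {
    f="$ROOT/etc/rsyslog.d/audispd.conf"
    cond=$(build_condition "$KEYS" "$TYPES")
    mkdir -p "$(dirname "$f")"
    {
        printf '## Selected audispd %s messages go to %s\n' "$FACILITY" "$OUT"
        printf "if \$syslogfacility-text == '%s' and \$programname == 'audispd' and (%s) then %s\n" \
            "$FACILITY" "$cond" "$OUT"
        printf '## Everything else from audispd on %s is dropped\n' "$FACILITY"
        printf "if \$syslogfacility-text == '%s' and \$programname == 'audispd' then ~\n" "$FACILITY"
    } > "$f"
}

# Apply the same substring tests to one syslog line, approximating what the
# rsyslog 'contains' checks above will do with it (returns 0 = would be forwarded)
would_forward() {
    line="$1"
    for k in $KEYS; do
        case "$line" in *"key=\"$k\""*) return 0 ;; esac
    done
    for t in $TYPES; do
        case "$line" in *"type=$t"*) return 0 ;; esac
    done
    return 1
}

# Usage on a live host (then: service rsyslog restart; service auditd restart):
#   configure_audisp
#   write_rsyslog_filter
```

Staging under a scratch ROOT first (ROOT=/tmp/stage, with a copy of syslog.conf placed at /tmp/stage/etc/audisp/plugins.d/) lets you diff the generated drop-in against the hand-written version in step 3 before it touches /etc/rsyslog.d.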
The example rsyslog syntax above is compatible with both rsyslog v5 and rsyslog v7. On CentOS/RHEL 7, note that the above steps will result in ALL audit events going to systemd-journald, because the audisp syslog plugin emits every event through syslog(3) and journald receives them before rsyslog applies its filters.