When working with RHEL systems, the audit framework (auditd) provides crucial security event logging at kernel level. For enterprise environments, forwarding these logs to a centralized syslog server enables:
- Real-time security monitoring
- Compliance with log retention policies
- Cross-system event correlation
Both approaches use the audit dispatcher's syslog plugin; which file configures it depends on the RHEL release, and the same rsyslog forwarding rule applies to both.
Method 1: Using the Built-in Syslog Plugin (RHEL 7)
The plugin settings do not belong in /etc/audit/auditd.conf, which only holds daemon settings such as log_file and flush. On RHEL 7 the dispatcher is a separate daemon, audispd, and its plugins are configured under /etc/audisp/plugins.d/. Edit /etc/audisp/plugins.d/syslog.conf:
# Enable syslog forwarding; the first argument is the priority, the optional second the facility
active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO LOG_LOCAL6
format = string
Then configure rsyslog (/etc/rsyslog.conf) to forward that facility:
local6.* @central-syslog.example.com:514
A single @ means UDP, which drops records silently under load and sends them in clear; @@ selects TCP, and the TLS section below builds on that.
Method 2: Using the audisp-syslog Plugin (RHEL 8 and later)
From RHEL 8 the dispatcher is built into auditd, plugins live under /etc/audit/plugins.d/, and the syslog plugin is the external program /sbin/audisp-syslog (part of the base audit package). The audispd-plugins package is only needed for audisp-remote and the other optional plugins; install it if you plan to use audisp-remote later on this page:
yum install audispd-plugins
Configure /etc/audit/plugins.d/syslog.conf:
active = yes
direction = out
path = /sbin/audisp-syslog
type = always
args = LOG_INFO LOG_LOCAL6
format = string
The rsyslog rule from Method 1 is unchanged. In both cases restart auditd with service auditd restart (the unit refuses a manual systemctl restart) before testing.
Filtering Specific Audit Events
The syslog plugin forwards every record auditd emits, so decide what is worth shipping before turning it on. Put rules in /etc/audit/rules.d/audit.rules (augenrules merges that directory into /etc/audit/audit.rules, which is regenerated on every load) and load them with augenrules --load:
# Monitor sudo usage by interactive users; auid 4294967295 is "unset",
# i.e. no login session (daemons, cron jobs), so those are excluded
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
The key (-k privileged) appears in every forwarded record as key="privileged", which is what the central server can filter and alert on.
Encrypted Syslog Transport
Plain TCP (@@) protects against loss but not against eavesdropping or tampering, so use rsyslog's TLS driver on port 6514 (install rsyslog-gnutls first). Configure it on the client (/etc/rsyslog.d/encrypt.conf):
# TLS client settings; the CA file must be the one that issued the server's certificate
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/pki/tls/certs/ca-bundle.crt
$ActionSendStreamDriverMode 1
# Without an auth mode rsyslog encrypts but does not verify the server,
# so a man-in-the-middle can read the logs: pin the server's certificate name
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer central-syslog.example.com
local6.* @@(o)central-syslog.example.com:6514
The (o) suffix enables octet-counted framing on the TCP stream; the receiver must be configured to accept it.
Points to watch:
- Log duplication: enable only one forwarding path per host (the syslog plugin or audisp-remote), otherwise every record arrives twice
- Performance impact: syscall rules are verbose, so measure the local volume (du on /var/log/audit) and the network bandwidth before forwarding; rsyslog's disk-assisted queues absorb bursts
- Timestamp discrepancies: the msg=audit(epoch:serial) stamp is the client's clock, so keep NTP (chronyd) synchronized on every host or cross-system correlation is meaningless
Test your configuration with:
# Add a temporary watch and trigger it (touch changes the mtime, which -p a catches)
auditctl -w /etc/passwd -p wa -k passwd_change
touch /etc/passwd
# Check that the event was recorded locally
ausearch -k passwd_change
# The same record should now be in the local syslog stream ...
grep passwd_change /var/log/messages
# ... and on the central server. The logger line only tests the rsyslog hop, not the audit plugin:
logger -p local6.info "Test message from $(hostname)"
# Remove the temporary watch when done
auditctl -W /etc/passwd -p wa -k passwd_change
In enterprise environments running RHEL-based systems, the Linux Audit subsystem (auditd) provides crucial security event tracking. However, having logs scattered across multiple servers creates visibility challenges. Forwarding these logs to a centralized syslog server enables:
- Real-time security monitoring
- Event correlation across systems
- Long-term log retention
- Simplified compliance reporting
The audit daemon includes native syslog integration through its dispatcher plugin system (audispd on RHEL 7, built into auditd on RHEL 8 and later). Here's how to configure it on RHEL 8 and later:
# Edit /etc/audit/plugins.d/syslog.conf
# (on RHEL 7 the file is /etc/audisp/plugins.d/syslog.conf with
#  path = builtin_syslog and type = builtin)
active = yes
direction = out
path = /sbin/audisp-syslog
type = always
args = LOG_INFO LOG_LOCAL6
format = string
This configuration sends audit events to syslog at INFO priority using facility LOCAL6. The plugin takes the priority as its first argument and the facility as the optional second, so the order matters.
On your central syslog server (rsyslog), add this configuration to receive and store the audit logs:
# /etc/rsyslog.d/auditd.conf
# Accept TCP syslog on 514 (imudp for UDP clients). SELinux allows rsyslog
# to bind the standard port; any other port needs semanage port -a -t syslogd_port_t
$ModLoad imtcp
$InputTCPServerRun 514
# Keep forwarded audit records out of /var/log/messages
local6.* /var/log/remote/audit.log
& stop
For better organization, you might want to separate logs by hostname. rsyslog creates the directories; note that %HOSTNAME% is whatever the client put in the syslog header, so it is only as trustworthy as the client:
# Template for host-specific audit logs
$template RemoteAuditLogs,"/var/log/remote/%HOSTNAME%/audit.log"
local6.* ?RemoteAuditLogs
& stop
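What the central server actually receives is the raw audit record behind a syslog header, one line per record, and a single sudo invocation produces several records (SYSCALL, EXECVE, PROCTITLE) tied together by the serial in msg=audit(...). The following Python is an added example, not code from the original page or from the audit project: it parses such lines, reassembles events per host and serial, decodes the hex-encoded proctitle, and reports events tagged by the key="privileged" rule earlier on this page whose auid is a real login user. The syslog tag (audispd), host names, PIDs and serial numbers in the sample are constructed.

```python
"""Detect sudo use by interactive users in audit records received on the
central rsyslog server (added example; sample lines are constructed)."""
import re
from collections import defaultdict

# Every record of one event shares msg=audit(<epoch>.<ms>:<serial>):
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\):")
# field=value pairs; quoted values may contain spaces, bare ones never do
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Fields auditd hex-encodes when the value contains spaces or odd bytes
HEX_FIELDS = {"proctitle", "cmd", "name", "comm"}
AUID_UNSET = 4294967295  # -1 as uint32: no login session (daemons, cron)


def decode_value(field, raw, rtype=None):
    """Strip quotes, or decode auditd's hex encoding (NUL separates argv)."""
    if raw.startswith('"'):
        return raw.strip('"')
    # EXECVE argv (a0, a1, ...) is hex-encoded; SYSCALL a0..a3 are raw pointers
    is_argv = rtype == "EXECVE" and re.fullmatch(r"a\d+", field) is not None
    if ((field in HEX_FIELDS or is_argv) and len(raw) % 2 == 0
            and re.fullmatch(r"[0-9A-Fa-f]+", raw)):
        text = bytes.fromhex(raw).decode("utf-8", "replace")
        return text.replace("\x00", " ").rstrip()
    return raw


def parse_record(line):
    """Return one audit record as a dict, or None for other syslog lines."""
    start = line.find("node=")
    if start < 0:
        start = line.find("type=")
    if start < 0:
        return None
    body = line[start:]
    m = MSG_RE.search(body)
    if m is None:
        return None
    pairs = KV_RE.findall(body)
    rtype = dict(pairs).get("type")
    rec = {"_ts": float(m.group(1)), "_serial": int(m.group(2))}
    for field, raw in pairs:
        rec[field] = decode_value(field, raw, rtype)
    return rec


def group_events(lines):
    """Group records by (node, serial); serials restart per host, so the
    node name must be part of the key."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events[(rec.get("node", "?"), rec["_serial"])].append(rec)
    return events


def find_privileged_use(lines, key="privileged", min_uid=1000):
    """Alert on events tagged with `key` whose login user is a real user:
    auid >= min_uid and not unset, mirroring the audit rule's filter."""
    alerts = []
    for (node, serial), recs in group_events(lines).items():
        sc = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if sc is None or sc.get("key") != key:
            continue
        try:
            auid = int(sc.get("auid", AUID_UNSET))
        except ValueError:  # defensive: raw records are numeric, interpreted ones say "unset"
            auid = AUID_UNSET
        if auid < min_uid or auid == AUID_UNSET:
            continue
        pt = next((r for r in recs if r.get("type") == "PROCTITLE"), None)
        alerts.append({
            "node": node, "serial": serial, "auid": auid, "exe": sc.get("exe"),
            "success": sc.get("success") == "yes",
            "cmdline": pt.get("proctitle") if pt else None,
        })
    return alerts


# Constructed sample: one "sudo -i" by uid 1000, one sudo from a cron job
# (auid unset) and an unrelated sshd line that must be ignored.
SAMPLE_LINES = [
    'Jun 10 12:00:00 web01 audispd: node=web01 type=SYSCALL msg=audit(1623326400.123:456): arch=c000003e syscall=59 success=yes exit=0 a0=55d1e1b0 a1=55d1e2a0 a2=55d1e3c0 a3=8 items=2 ppid=3001 pid=3002 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=4 comm="sudo" exe="/usr/bin/sudo" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="privileged"',
    'Jun 10 12:00:00 web01 audispd: node=web01 type=EXECVE msg=audit(1623326400.123:456): argc=2 a0="sudo" a1="-i"',
    'Jun 10 12:00:00 web01 audispd: node=web01 type=PROCTITLE msg=audit(1623326400.123:456): proctitle=7375646F002D69',
    'Jun 10 12:00:01 web01 audispd: node=web01 type=SYSCALL msg=audit(1623326401.500:457): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1 pid=3100 auid=4294967295 uid=0 gid=0 euid=0 comm="sudo" exe="/usr/bin/sudo" key="privileged"',
    'Jun 10 12:00:01 web01 audispd: node=web01 type=PROCTITLE msg=audit(1623326401.500:457): proctitle=7375646F002D75006E6F626F64790074727565',
    'Jun 10 12:00:02 web01 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2',
]

if __name__ == "__main__":
    for a in find_privileged_use(SAMPLE_LINES):
        print(f"{a['node']} serial {a['serial']}: auid {a['auid']} ran "
              f"{a['cmdline']!r} via {a['exe']} (success={a['success']})")
```

Run against a host directory from the template above with `find_privileged_use(open(path))`; the cron event is dropped by the same auid filter the rule uses, so the output matches what the rule was written to catch.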
For environments where syslog forwarding isn't sufficient (for example, where the receiver must be another auditd so that records keep their native format and ausearch/aureport work on them), the audisp-remote plugin from audispd-plugins can send logs directly to a remote auditd:
# /etc/audisp/plugins.d/au-remote.conf
# (RHEL 8 and later: /etc/audit/plugins.d/au-remote.conf)
active = yes
direction = out
path = /sbin/audisp-remote
type = always
format = string
Then configure the remote destination in the file the plugin reads by default, /etc/audisp/audisp-remote.conf (RHEL 8 and later: /etc/audit/audisp-remote.conf):
# /etc/audisp/audisp-remote.conf
remote_server = logs.example.com
port = 60
transport = tcp
# The TCP transport is plaintext and unauthenticated; enable Kerberos for
# both, or keep the traffic on a dedicated management network
enable_krb5 = no
On logs.example.com the receiving auditd must listen, which is set with tcp_listen_port = 60 in its /etc/audit/auditd.conf. Restrict who can reach that port with a host firewall (tcp_client_ports only limits the accepted client source-port range), because anything that can connect can inject audit records.
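The three fragments above (the syslog plugin file, the rsyslog forwarding rule and audisp-remote.conf) each have a setting that silently weakens the pipeline: priority and facility swapped in the plugin, a UDP or plain-TCP rsyslog action, TLS without server authentication, and audisp-remote without Kerberos. The following Python is an added example, not part of the page or of the audit/rsyslog projects: a small linter that reads each fragment and flags the weak form next to its corrected form. The sample configurations are constructed; the host names and CA path are placeholders.

```python
"""Lint auditd-to-syslog forwarding configuration for settings that weaken it
(added example; all sample configurations are constructed)."""
import re

PRIORITIES = {"LOG_DEBUG", "LOG_INFO", "LOG_NOTICE", "LOG_WARNING",
              "LOG_ERR", "LOG_CRIT", "LOG_ALERT", "LOG_EMERG"}
FACILITY_RE = re.compile(r"^LOG_(LOCAL[0-7]|AUTH|AUTHPRIV|DAEMON|SYSLOG|USER)$")


def parse_kv(text):
    """'key = value' files (audit plugin configs, audisp-remote.conf); '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def check_syslog_plugin(text):
    """Dispatcher syslog plugin: must be active, priority first, facility second."""
    c, findings = parse_kv(text), []
    if c.get("active") != "yes":
        findings.append("plugin is not active")
    args = c.get("args", "").split()
    if not args or args[0] not in PRIORITIES:
        findings.append("first args value must be a priority such as LOG_INFO")
    if len(args) > 1 and not FACILITY_RE.match(args[1]):
        findings.append("second args value must be a facility such as LOG_LOCAL6")
    return findings


def check_rsyslog_client(text):
    """Legacy-syntax rsyslog client config: $-directives followed by 'selector action' lines."""
    directives, findings = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("$"):
            name, _, value = line[1:].partition(" ")
            directives[name] = value.strip()
            continue
        parts = line.split()
        if len(parts) < 2 or not parts[1].startswith("@"):
            continue  # not a network forwarding action
        target = parts[1]
        if not target.startswith("@@"):
            findings.append(f"{target}: UDP is lossy and unencrypted, use @@ (TCP)")
            continue
        tls = (directives.get("DefaultNetstreamDriver") == "gtls"
               and directives.get("ActionSendStreamDriverMode") == "1")
        if not tls:
            findings.append(f"{target}: plain TCP, audit records cross the network in clear")
            continue
        # rsyslog's default auth mode is anon: encrypted, but the server is never verified
        mode = directives.get("ActionSendStreamDriverAuthMode", "anon")
        if not mode.startswith("x509/") or "ActionSendStreamDriverPermittedPeer" not in directives:
            findings.append(f"{target}: TLS without server authentication (auth mode {mode}); "
                            "set x509/name and a PermittedPeer")
    return findings


def check_audisp_remote(text):
    """audisp-remote.conf: the audit protocol over TCP is plaintext unless Kerberos is on."""
    c, findings = parse_kv(text), []
    if not c.get("remote_server"):
        findings.append("remote_server is empty")
    if c.get("enable_krb5", "no") != "yes":
        findings.append("enable_krb5 is off: records travel unauthenticated and in clear")
    return findings


# Constructed samples: the weak form first, the corrected form second.
WEAK_PLUGIN = "active = yes\npath = builtin_syslog\nargs = LOG_LOCAL6 LOG_INFO\n"
GOOD_PLUGIN = "active = yes\npath = /sbin/audisp-syslog\nargs = LOG_INFO LOG_LOCAL6\n"
WEAK_RSYSLOG = "local6.* @central-syslog.example.com:514\n"
TLS_NO_AUTH = ("$DefaultNetstreamDriver gtls\n$ActionSendStreamDriverMode 1\n"
               "local6.* @@(o)central-syslog.example.com:6514\n")
GOOD_RSYSLOG = ("$DefaultNetstreamDriver gtls\n"
                "$DefaultNetstreamDriverCAFile /etc/pki/tls/certs/ca-bundle.crt\n"
                "$ActionSendStreamDriverMode 1\n"
                "$ActionSendStreamDriverAuthMode x509/name\n"
                "$ActionSendStreamDriverPermittedPeer central-syslog.example.com\n"
                "local6.* @@(o)central-syslog.example.com:6514\n")
WEAK_REMOTE = "remote_server = logs.example.com\nport = 60\ntransport = tcp\n"
GOOD_REMOTE = WEAK_REMOTE + "enable_krb5 = yes\n"

if __name__ == "__main__":
    for label, fn, text in [("plugin", check_syslog_plugin, WEAK_PLUGIN),
                            ("rsyslog udp", check_rsyslog_client, WEAK_RSYSLOG),
                            ("rsyslog tls", check_rsyslog_client, TLS_NO_AUTH),
                            ("audisp-remote", check_audisp_remote, WEAK_REMOTE)]:
        for f in fn(text):
            print(f"{label}: {f}")
```

Point the three check functions at the real files (open(...).read()) from a configuration-management check; the rsyslog checker only understands the legacy $-directive syntax this page uses, so convert RainerScript configs before feeding them in.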
After making changes, restart the services and test:
# Restart services (auditd refuses a manual systemctl restart; use the service wrapper)
service auditd restart
systemctl restart rsyslog
# Generate a test audit event (for example, log in over SSH), then find it locally
ausearch -m USER_LOGIN -ts recent
# Watch the raw local log
tail -f /var/log/audit/audit.log
# On the central server, verify that the same record arrived via syslog
tail -f /var/log/remote/audit.log
If logs aren't appearing as expected:
- Check for SELinux denials against the plugin on the client or rsyslog on the server (a non-standard listening port must be labeled with semanage port):
ausearch -m AVC -ts recent
- Verify network connectivity between hosts (nc -zv central-syslog.example.com 514 from the client)
- Ensure sufficient disk space on the syslog server
- Confirm proper permissions on log files (typically 0600, owned by root): forwarded audit records carry user names, commands and paths and need the same protection as /var/log/audit
For high-volume environments:
- Use TCP for reliable delivery (@@ in rsyslog); UDP drops records silently under load
- Consider log rotation policies on the server (logrotate with a postrotate HUP of rsyslog, or a date field in the template path)
- Monitor the dispatcher queue: q_depth in /etc/audisp/audispd.conf (RHEL 7) or /etc/audit/auditd.conf (RHEL 8 and later), and overflow_action, which decides whether a slow plugin loses records or stalls auditd
- Evaluate compression for network transport (rsyslog's zlib option, e.g. @@(z9,o)host:514)