Before you begin

Before configuring log forwarding for Linux JournalId, you must set up log ingestion for the Linux Operating System. See Integrating with Linux Servers.

Configuring Log Forwarding for Linux Journald

Auditd Configuration for Log Forwarding

  1. Confirm auditd is installed by entering: auditctl -v
    • Note: Output similar to auditctl version 2.8.2 is expected.
  2. If auditd is not installed, enter the following to install:
    • For Ubuntu: sudo apt install -y auditd audispd-plugins
    • For CentOS: sudo yum install -y audit audispd-plugins
  3. Open /etc/audisp/plugins.d/syslog.conf with sudo and your preferred editor.
  4. Change the option active to yes. The config should look like the following:
    # This file controls the configuration of the syslog plugin.
    # It simply takes events and writes them to syslog. The
    # arguments provided can be the default priority that you
    # want the events written with. And optionally, you can give
    # a second argument indicating the facility that you want events
    # logged to. Valid options are LOG_LOCAL0 through 7, LOG_AUTH,
    active = yes
    direction = out
    path = builtin_syslog
    type = builtin
    args = LOG_INFO
    format = string
  5. Open /etc/audit/auditd.conf with sudo and your preferred editor.
  6. Replace log_format = RAW with log_format = ENRICHED. The config should look like the following:
    # This file controls the configuration of the audit daemon
    #local_events = yes
    write_logs = yes
    log_file = /var/log/audit/audit.log
    log_group = root
    log_format = ENRICHED
    freq = 50
    max_log_file = 8
    num_logs = 5
    priority_boost = 4
    disp_qos = lossy
    dispatcher = /sbin/audispd
    name_format = NONE
    ##name = mydomain
    max_log_file_action = ROTATE
    space_left = 75
    space_left_action = SYSLOG
    verify_email = yes
    action_mail_acct = root
    admin_space_left = 50
    admin_space_left_action = SUSPEND
    disk_full_action = SUSPEND
    disk_error_action = SUSPEND
    use_libwrap = yes
    ##tcp_listen_port = 60
    tcp_listen_queue = 5
    tcp_max_per_addr = 1
    ##tcp_client_ports = 1024-65535
    tcp_client_max_idle = 0
    enable_krb5 = no
    krb5_principal = auditd
    ##krb5_key_file = /etc/audit/audit.key
    distribute_network = no
  7. Reload/Restart Auditd (typically be entering: service auditd restart)
  8. Configure your watch folders and keys. For example, to monitor all access to the billreyor home folder enter:
    auditctl -w /home/billreyor -k reyor_watch
    echo “-D” > /etc/audit/rules.d/my.rules
    auditctl -l >> /etc/audit/rules.d/my.rules
    service auditd restart

No other options need to be changed in the auditd configuration for log forwarding. The auditd events will now flow into the rsyslogd syslog socket.

At this point the configuration is complete. The logs can also be found in /var/log/messages (or similar catchall log file on your OS) with the journal namespace. The Blumira configuration in /etc/rsyslog.d/ that is handling linux log forwarding will automatically forward the logs.