Before you begin
Before configuring log forwarding for Linux JournalId, you must set up log ingestion for the Linux Operating System. See Integrating with Linux Servers.
Configuring Log Forwarding for Linux Journald
Auditd Configuration for Log Forwarding
- Confirm auditd is installed by entering:
auditctl -v
- Note: Output similar to auditctl version 2.8.2 is expected.
- If auditd is not installed, enter the following to install:
- For Ubuntu:
sudo apt install -y auditd audispd-plugins
- For CentOS:
sudo yum install -y audit audispd-plugins
- For Ubuntu:
- Open
/etc/audisp/plugins.d/syslog.conf
with sudo and your preferred editor. - Change the option active to yes. The config should look like the following:
# This file controls the configuration of the syslog plugin. # It simply takes events and writes them to syslog. The # arguments provided can be the default priority that you # want the events written with. And optionally, you can give # a second argument indicating the facility that you want events # logged to. Valid options are LOG_LOCAL0 through 7, LOG_AUTH, # LOG_AUTHPRIV, LOG_DAEMON, LOG_SYSLOG, and LOG_USER. active = yes direction = out path = builtin_syslog type = builtin args = LOG_INFO format = string
- Open
/etc/audit/auditd.conf
with sudo and your preferred editor. - Replace log_format = RAW with log_format = ENRICHED. The config should look like the following:
# # This file controls the configuration of the audit daemon #local_events = yes write_logs = yes log_file = /var/log/audit/audit.log log_group = root log_format = ENRICHED flush = INCREMENTAL_ASYNC freq = 50 max_log_file = 8 num_logs = 5 priority_boost = 4 disp_qos = lossy dispatcher = /sbin/audispd name_format = NONE ##name = mydomain max_log_file_action = ROTATE space_left = 75 space_left_action = SYSLOG verify_email = yes action_mail_acct = root admin_space_left = 50 admin_space_left_action = SUSPEND disk_full_action = SUSPEND disk_error_action = SUSPEND use_libwrap = yes ##tcp_listen_port = 60 tcp_listen_queue = 5 tcp_max_per_addr = 1 ##tcp_client_ports = 1024-65535 tcp_client_max_idle = 0 enable_krb5 = no krb5_principal = auditd ##krb5_key_file = /etc/audit/audit.key distribute_network = no
- Reload/Restart Auditd (typically be entering: service auditd restart)
- Configure your watch folders and keys. For example, to monitor all access to the billreyor home folder enter:
auditctl -w /home/billreyor -k reyor_watch echo “-D” > /etc/audit/rules.d/my.rules auditctl -l >> /etc/audit/rules.d/my.rules service auditd restart
No other options need to be changed in the auditd configuration for log forwarding. The auditd events will now flow into the rsyslogd syslog socket.
At this point the configuration is complete. The logs can also be found in /var/log/messages
(or similar catchall log file on your OS) with the journal namespace. The Blumira configuration in /etc/rsyslog.d/
that is handling linux log forwarding will automatically forward the logs.