user1019100

Reputation: 11

How to send audit.log to remote server with syslog-ng

Good day,

I have SLES 10 with syslog-ng (syslog-ng-1.6.8-20.23.1) and I cannot get the proper configuration so the file /var/log/audit/audit.log is sent to the remote syslog server.

I used tcpdump and I can see some details in the packets that are sent to the remote server, but I am not seeing anything with the audit format in the tcp packet.

filter f_audit  { facility(13); };
filter f_audit2 { facility(security); };

destination d_local_facility {
  file("/var/log/$FACILITY/$FACILITY.log");
};

destination d_remote_loghost { tcp("$hostname" port(514)); };

log {
  source(s_local);
  destination(d_remote_loghost5);
};

What am I doing wrong?

Upvotes: 0

Views: 3711

Answers (2)

user1019100

Reputation: 11

In SLES 10, I finally used a script at boot. The file after.local is the equivalent of rc.local

So, in /etc/init.d/after.local:

nohup /usr/bin/tailf /var/log/audit/audit.log | /bin/logger -t audispd -p local6.info &

It's easier in SLES 11 because the audispd dispatcher exists.

Upvotes: 0

Robert Fekete

Reputation: 557

You have to configure a file source in syslog-ng that reads the /var/log/audit/audit.log file, and include this source in a log statement. I can't see that in your config file.

BTW, syslog-ng version 1.6 is ancient beyond words. syslog-ng 3.7 can parse auditd logs to extract information, so you might want to upgrade. You can find some SLES packages for syslog-ng at https://syslog-ng.org/3rd-party-binaries/

Upvotes: 1
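As an added illustration of what this answer describes (this is not configuration from the question or from either answerer), here is a syslog-ng 3.x configuration that defines a file source for /var/log/audit/audit.log and includes it in a log statement that forwards to a remote collector. It assumes syslog-ng 3.x syntax (the @version line and network() driver do not exist in 1.6, where tcp() and underscore option names such as follow_freq are used), and the collector name logserver.example.com is a placeholder to replace with the real host.

```conf
@version: 3.7
# Added example: a file source for auditd's log plus a log path that
# forwards it to a remote collector. Assumes syslog-ng 3.x syntax and a
# placeholder collector name; adjust both for your site.

# auditd writes plain "type=... msg=audit(...): ..." lines, not syslog
# format. Tell syslog-ng not to parse them as syslog, keep each line
# whole in $MESSAGE, and tag it with a facility, priority and program
# name of our choosing so the collector can filter on them.
source s_audit {
    file("/var/log/audit/audit.log"
        follow-freq(1)               # poll the file for new lines once per second
        flags(no-parse)              # do not try to parse the line as a syslog message
        default-facility(local6)     # facility applied because the line carries none
        default-priority(info)
        program-override("auditd")   # sets $PROGRAM on the forwarded message
    );
};

# Remote collector; placeholder hostname. Plain TCP, as in the question.
destination d_remote_loghost {
    network("logserver.example.com" port(514) transport("tcp"));
};

# The piece missing from the question: a log path that actually joins
# the audit file source to the remote destination.
log {
    source(s_audit);
    destination(d_remote_loghost);
};
```

Before reloading, validate the file with `syslog-ng --syntax-only -f /etc/syslog-ng/syslog-ng.conf`; then, as the question already did, confirm on the wire (or in the collector's log) that lines with program `auditd` and the `type=... msg=audit(` body arrive. Note that audit.log is normally readable only by root, so syslog-ng must run with enough privilege to open it, and that a TCP destination that cannot connect will buffer and then drop messages, so watch syslog-ng's own internal() messages on the sending host for connection errors.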
