
I want to set up a central log server. The log server is running Debian 6.0.6 and the audit daemon is installed in version 1.7.13-1.

The clients are running Red Hat 5.5 and connect to the log server via audispd. The connection works fine and I get all messages from each node.

My question is: is it possible for the auditd daemon on the log server to write the messages from each node to a separate file?

I tried transferring the messages via the syslog daemon; that works, but I cannot use tools like ausearch to analyze these log files.

johan

1 Answer


You can easily do it with rsyslog like this:

$template DynFile,"/var/log/%HOSTNAME%/%programname%.log"

http://www.rsyslog.com/doc/rsyslog_conf_actions.html

Nikolaidis Fotis
  • I tried this solution and it works fine, but I cannot use tools like ausearch for these files. – johan Oct 26 '12 at 10:54
  • Why? Because of its format? You can change it. Check the templates in rsyslog. – Nikolaidis Fotis Oct 26 '12 at 12:07
  • These are my templates in rsyslog.conf: $template auditd,"/var/logClients/%HOSTNAME%-%FROMHOST-IP%/audit.log" $template myFor,"%msg%\n" Any idea? – johan Oct 26 '12 at 12:55
  • Maybe if you remove \n? Also, I guess you know that "myFor" must be used as "* /var/log/auditd;myFor"; http://www.rsyslog.com/using-a-different-log-format-for-all-files/ – Nikolaidis Fotis Oct 26 '12 at 14:09
  • No, you need it so that every message goes on a new line, like in audit.log. – johan Oct 26 '12 at 14:11
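The answer gives the dynamic-file template but not the lines that bind it to an action, and the comments only sketch the binding syntax. The following rsyslog.conf fragment, written here as an added example and not code from the answer or the rsyslog project, puts the pieces together for the legacy (`$directive`) syntax that the rsyslog version on Debian 6 understands: a receiver, a per-host destination template, a message-only output template so the file holds bare audit records instead of syslog-prefixed lines, and a property filter that routes only audispd traffic through them. The template names (`AuditDynFile`, `AuditFmt`), the `/var/log/audit-remote` path and the `audispd` program name are assumptions; adjust them to whatever the clients actually send.

```rsyslog
# Added example rsyslog.conf fragment (legacy syntax); names and paths are assumptions.

# Accept records from the clients over TCP (swap in imudp/$UDPServerRun for UDP).
$ModLoad imtcp
$InputTCPServerRun 514

# Create the per-host directory on first write.
$CreateDirs on

# One file per sending host; %HOSTNAME% is taken from the syslog header,
# %FROMHOST-IP% is the peer address rsyslog actually received from.
$template AuditDynFile,"/var/log/audit-remote/%HOSTNAME%-%FROMHOST-IP%/audit.log"

# Write only the MSG part, one record per line, so the file looks like a
# native audit.log rather than "date host tag: record". If lines show up
# with a leading space, %msg% preserved it from the sender (assumption:
# check the file and the rsyslog property-replacer docs for the sp-* options).
$template AuditFmt,"%msg%\n"

# Route audispd records through the dynamic file with the bare format.
# Syntax: selector ?<dynamic-file-template>;<format-template>
:programname, isequal, "audispd" ?AuditDynFile;AuditFmt

# Stop processing these records so they do not also land in /var/log/messages.
& ~
```

Verify the result the way the question wants to use it: run `ausearch -if /var/log/audit-remote/<host>-<ip>/audit.log -m SYSCALL` (the `-if` option reads a named file instead of the local log) and confirm it parses the records. Tighten the filter as needed, for example on `$fromhost-ip`, so that an arbitrary sender cannot create directories under the log root.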