1

I would like to redirect the auditd log data into rsyslog instead of audit.log file.

I see that by default in the /etc/audit/auditd.conf the following line has been included to redirect it to

log_file = /var/log/audit/audit.log

Is it possible to redirect the Audit log to syslog or rsyslog on the same machine.

NOTE: I don't have any external log server at this point and would like to test this on the same instance of an RHEL Server where my application is running.

Any Assistance is greatly appreciated.

NOTE: My rsyslog Server and auditd logs are on the same server instance. RHEL-7 --> 3.10.0-862.el7.x86_64

Thank you

Thomas
  • 4,225
  • 5
  • 23
  • 28
anish anil
  • 113
  • 1
  • 4
  • 1
    auditd intentionally maintains its own log: it has tools to process these logs, such as `ausearch`. You should not redirect these to rsyslog. – Michael Hampton May 23 '18 at 17:33

1 Answers1

0

If you want audit logs to be written to /var/log/messages, you can achieve it by editing the active option value in the config file:

# vim /etc/audisp/plugins.d/syslog.conf
active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO
format = string
# systemctl reload auditd
slhck
  • 317
  • 2
  • 17
Rituraj
  • 116
  • 3