
I'm trying to set up an NFS share. I've configured the share.

Now I want to view the logs associated with the files in the NFS share.

I've created a centralized log server. I don't know the difference between centralized rsyslog and centralized audit log. So I created both.

I created the central rsyslog server using the following link:

http://yallalabs.com/linux/how-to-setup-a-centralized-log-server-using-rsyslog-on-ubuntu-16-04-lts/#comment-2590

And I created the central audit log server using the following link:

https://luppeng.wordpress.com/2016/08/06/setting-up-centralized-logging-with-auditd/

I need to view the audit logs in the server.

I need the logs of the server and the client combined.

I created the same key 'NFS' in both the server and the client, for the file to be monitored in the audit log.

But when I run ausearch -k NFS -i on the server, I get only the logs associated with the server and can't find any logs from the client machine.

How can I do this?

I'm a Linux newbie. Please help me.

Thank you. :)

Edit1

The following are the steps in my configuration for NFS:

NFS server:

sudo apt-get install nfs-kernel-server

sudo mkdir /var/nfs/general

sudo nano /etc/exports

  /var/nfs/general *(rw,sync,no_root_squash,no_subtree_check)

sudo exportfs -a

sudo service nfs-kernel-server start

NFS client:

sudo apt-get install nfs-common

sudo mount 172.21.215.101:/var/nfs/general /mnt

Edit2

The following are the configurations of the audit logs:

sudo apt-get install auditd audispd-plugins

On the server side:

sudo yum install firewalld
sudo service firewalld start
sudo firewall-cmd --zone=public --add-port=60/tcp --permanent

sudo nano /etc/audit/auditd.conf
     tcp_listen_port = 60

sudo service auditd restart

On the client side:

nano /etc/audisp/audisp-remote.conf
    remote_server = 172.21.215.101
    port = 60

nano /etc/audisp/plugins.d/au-remote.conf
    active = yes

sudo service auditd restart

Edit3

Rsyslog configuration:

On the server side:

cp /etc/rsyslog.conf /etc/rsyslog.conf.orig

nano /etc/rsyslog.conf

Uncommented the TCP and UDP reception sections:

[...]
# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")
[...]
# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")
[...]

nano /etc/rsyslog.d/tmpl.conf
    $template TmplAuth, "/var/log/client_logs/%HOSTNAME%/%PROGRAMNAME%.log"
    $template TmplMsg, "/var/log/client_logs/%HOSTNAME%/%PROGRAMNAME%.log"

    authpriv.* ?TmplAuth
    *.info;mail.none;authpriv.none;cron.none ?TmplMsg

sudo ufw allow 514/tcp
sudo ufw allow 514/udp

sudo ufw reload

systemctl restart rsyslog

On the client side:

cp /etc/rsyslog.conf /etc/rsyslog.conf.orig

nano /etc/rsyslog.conf
    [...]
    ##RULES## 
    *.* @192.168.164.78:514
    [...]

systemctl restart rsyslog
  • Hello! I'm sorry, but linking to tutorials isn't sufficient for anyone to be able to help you. You need to include the relevant parts of your configuration in your post. Also, it's a bit confusing when you say "the server" - it's not clear to me if you mean the NFS server or the rsyslog server. – Jenny D Jun 18 '18 at 08:53
  • The NFS server and the rsyslog server are the same – Lublaut Jun 18 '18 at 09:28
  • Thanks for the additional information! I hope someone will be able to help you find the solution. – Jenny D Jun 18 '18 at 09:46
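As an added example (not from the question or either linked tutorial), the Python script below parses constructed audit.log records on a central auditd server and groups the events tagged with the NFS key by host. It assumes the client's auditd.conf sets name_format (e.g. hostname), so that records forwarded by audisp-remote carry a leading node= field while locally generated records do not; the absence of a client node in the result is then the quickest sign that forwarding is not reaching the server.

```python
import re
from collections import defaultdict

# Constructed sample records (not taken from the original post). Forwarded
# records carry a leading node= field; local ones start with type= directly.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1529315600.101:201): arch=c000003e syscall=2 success=yes exit=3 key="NFS"
type=PATH msg=audit(1529315600.101:201): item=0 name="/var/nfs/general/a.txt" inode=1234 mode=0100644
node=nfsclient type=SYSCALL msg=audit(1529315605.250:77): arch=c000003e syscall=2 success=yes exit=4 key="NFS"
node=nfsclient type=PATH msg=audit(1529315605.250:77): item=0 name="/mnt/a.txt" inode=1234 mode=0100644
node=nfsclient type=DAEMON_START msg=audit(1529315500.000:1): op=start ver=2.8.2 format=raw
"""

RECORD_RE = re.compile(
    r'^(?:node=(?P<node>\S+)\s+)?type=(?P<type>\S+)\s+'
    r'msg=audit\((?P<event>[\d.]+:\d+)\):\s*(?P<body>.*)$')
KEY_RE = re.compile(r'\bkey="?([^" ]+)"?')
NAME_RE = re.compile(r'\bname="([^"]*)"')


def parse_records(text):
    """Yield one dict per audit record; unforwarded records get node 'local'."""
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # skip truncated or non-audit lines instead of failing
        yield {"node": m.group("node") or "local", "type": m.group("type"),
               "event": m.group("event"), "body": m.group("body")}


def events_by_node(text, key):
    """Group records into events (same node and msg id) and keep only events
    whose SYSCALL record carries `key`. Returns {node: [event summaries]}."""
    events = defaultdict(lambda: {"keyed": False, "types": [], "paths": []})
    for rec in parse_records(text):
        ev = events[(rec["node"], rec["event"])]
        ev["types"].append(rec["type"])
        km = KEY_RE.search(rec["body"])
        if km and km.group(1) == key:
            ev["keyed"] = True
        ev["paths"].extend(NAME_RE.findall(rec["body"]))
    out = defaultdict(list)
    for (node, event_id), ev in events.items():
        if ev["keyed"]:
            out[node].append({"event": event_id, "types": ev["types"],
                              "paths": ev["paths"]})
    return dict(out)
```

Run it against the real /var/log/audit/audit.log on the central server to see which hosts' NFS-keyed events have actually arrived.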
