This article covers how to configure Linux OS to send audit logs to Chronicle.
About this task
This task applies to Red Hat Enterprise Linux (RHEL) v6 to v8 operating systems.
Requirements
- Connectivity between the forwarder and the Linux device.
- Port 11655 must be enabled in the rsyslog configuration.
Configuring RHEL Linux OS
Configure Linux OS to send audit logs to Chronicle.
Procedure
1. Log in to your Linux device as the root user.
2. Run the following commands:
yum install audit
service auditd start
chkconfig auditd on
3. Optional: If you are using RHEL v6 to v7.9, open the /etc/audisp/plugins.d/syslog.conf file and verify that the parameters match the following values:
active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_LOCAL6
format = string
4. Optional: If you are using RHEL v8, open the /etc/audit/plugins.d/syslog.conf file and verify that the parameters match the following values:
active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_LOCAL6
format = string
5. Change to the /etc directory and back up the default rsyslog configuration:
cd /etc/
cp -pr rsyslog.conf rsyslog.conf_bkp_`date +%F`
6. Open the rsyslog configuration file with the editor of your choice:
nano /etc/rsyslog.conf
7. After the WorkDirectory directive, add the following line, replacing forwarder IP address with the IP address of your forwarder:
*.* @forwarder IP address:11655
Note
@ forwards the logs over the UDP protocol.
@@ forwards the logs over the TCP protocol.
8. Press Ctrl+X, then press Enter two or three times to save the file and exit nano.
9. Restart the rsyslog and auditd services:
service rsyslog restart
service auditd restart
10. After the configuration is complete, validate the logs in Chronicle. Searching with the regular expression (".*"), or with a specific hostname, shows the log source types that are being ingested into Chronicle.
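The following shell script is an added example and is not part of the original article. It checks a host against steps 3, 4 and 7: it verifies that the audisp syslog plugin file contains the required key/value pairs, and reports whether the rsyslog forwarding line for port 11655 uses UDP (@) or TCP (@@). The script runs against constructed sample files in a temporary directory; the forwarder address 10.0.0.5 and the file names it writes are placeholders. To check a real host, pass /etc/audisp/plugins.d/syslog.conf (RHEL 6 to 7.9) or /etc/audit/plugins.d/syslog.conf (RHEL 8) and /etc/rsyslog.conf to the two functions instead.

```shell
#!/bin/sh
# Added example, not from the original article: sanity-check the audisp syslog
# plugin settings (steps 3/4) and the rsyslog forwarding line (step 7).
# All file paths and the forwarder address used in the demo are placeholders.

# check_plugin_conf FILE
# Return 0 when FILE contains every key = value pair the article requires,
# otherwise print the first mismatch and return 1.
check_plugin_conf() {
    f="$1"
    for kv in "active = yes" "direction = out" "path = builtin_syslog" \
              "type = builtin" "args = LOG_LOCAL6" "format = string"; do
        key="${kv%% =*}"
        want="${kv#*= }"
        # Tolerate "key=value" as well as "key = value"; take the first occurrence.
        got=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$f" \
              | head -n 1 | tr -d '[:space:]')
        if [ "$got" != "$want" ]; then
            echo "$f: $key is '$got', expected '$want'"
            return 1
        fi
    done
    return 0
}

# forwarding_protocol FILE
# Print "tcp" if the *.* forwarding line uses @@, "udp" if it uses a single @,
# or "none" (and return 1) if no line forwards to port 11655.
forwarding_protocol() {
    f="$1"
    line=$(grep -E '^\*\.\*[[:space:]]+@' "$f" | head -n 1 | sed 's/[[:space:]]*$//')
    case "$line" in
        *"@@"*":11655") echo tcp ;;
        *"@"*":11655")  echo udp ;;
        *)              echo none; return 1 ;;
    esac
}

# ---- demo on constructed sample files (not real system files) ----
demo_dir=$(mktemp -d)
cat > "$demo_dir/syslog.conf" <<'EOF'
active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_LOCAL6
format = string
EOF
# 10.0.0.5 is a placeholder forwarder address.
printf '$WorkDirectory /var/lib/rsyslog\n*.* @10.0.0.5:11655\n' > "$demo_dir/rsyslog.conf"

if check_plugin_conf "$demo_dir/syslog.conf"; then
    echo "audisp syslog plugin: OK"
fi
echo "rsyslog forwarding transport: $(forwarding_protocol "$demo_dir/rsyslog.conf")"
```

Running the checks before restarting the services (step 9) catches a typo in the plugin file or a missing forwarding line, and the reported transport lets you confirm that the forwarder is listening on port 11655 for the same protocol (UDP for @, TCP for @@) before you look for the logs in Chronicle in step 10.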