Setup CENTOS Centralized AUDIT and RSYSLOG server
- by Warron.French
Attempting to use these links:
Sending audit logs to SYSLOG server or
http://wiki.rsyslog.com/index.php/Centralizing_the_audit_log
I have been unable to get centralized AUDIT logging to work on my ALL-CentOS network environment.
I have 6 workstations, dt1...dt6. The log files are not generated at all, and I cannot tell if the messages are being sent from these workstations (dt1..dt6) over to the server (srv1).
I have configured the rsyslog.conf on the workstations as shown in the link "Sending audit logs to SYSLOG server", and added the additional touches for generating the log files into a separate directory per YEAR/MONTH/DAY (using proper syntax) and into separate HOSTNAME-based_audit.log files.
Note: RSYSLOG messaging does appear to work from the workstations over to the server, but the audit logging portion is not working.
I am running CentOS-6.5 with RPMs:
audit-2.2-4.el6_5.x86_64,
audit-libs-2.2-4.el6_5.x86_64, and
rsyslog-5.8.10-8.el6.x86_64
I have gotten zero responses from wiki.rsyslog.com and really need this to work.
If needed I can send files of one of my workstations and the server to aid in the process.
Thanks,
Warron