I want to setup logging using auditd on multiple clients and send their logs to a central logging server (using audispd-plugins package).
I was following a couple of guides:
https://luppeng.wordpress.com/2016/08/06/setting-up-centralized-logging-with-auditd/https://levelup.gitconnected.com/linux-auditing-system-centralized-logging-to-remote-server-9644089702fb
But I don't see the logs for the client in /var/log/audit/audit.log on the central server.
Here are my steps
Logging Server
sudo apt install -y auditdEdit the logging config file to allow listen to port 60.
sudo vim /etc/audit/auditd.confAdd the following line.
tcp_listen_port = 60Edit /etc/audit/auditd.conf to have the following line:
name_format = hostnameRestart the daemon.
sudo service auditd restartLogging Clients
Install auditd and audispd
sudo apt install -y audispd-pluginsAlter /etc/audit/rules.d
Use the following template and update /etc/audit/rules.d: https://github.com/Neo23x0/auditd/blob/master/audit.rules
sudo sucd /etc/audit/rules.drm audit.ruleswget https://raw.githubusercontent.com/Neo23x0/auditd/master/audit.rulesAlter settings to send logs to Logging Server
vim /etc/audit/audisp-remote.confAdd the following to the top of the conf file.
remote_server = <ip of logging server>port = 60Edit /etc/audit/auditd.conf to have the following line:
name_format = hostnameActivate remote logging pluginsOpen the following file.
vim /etc/audit/plugins.d/au-remote.confEdit the file to match the following.
active = yesFinally, restart the service.
service auditd restart