Configure Audit Service to Send Audit Messages to Another Server

The auditd service does not include the ability to send audit records to a centralised server for management directly. It does include a plug-in for audit event multiplexor to pass audit records to a remote syslog server.

Homelab Setup

We have two servers in our homelab:

1. server1.hl.local – a RHEL 7 server that sends audit messages.
2. server2.hl.local – a RHEL 7 server that receives audit messages.

Configure the Sending Server

Configure auditd to include in the audit log file additional information as well as include the host name.
Open /etc/audit/auditd.conf for editing, and configure the following lines:

log_format = ENRICHED
name_format = HOSTNAME

Enable remote logging. Install audispd-plugins package:

# yum -y install audispd-plugins

Open /etc/audisp/plugins.d/au-remote.conf for editing and set the value for the active option to yes:

active = yes

Open /etc/audisp/audisp-remote.conf for editing and set configuration for the remote logging server:

remote_server = server2.hl.local
port = 60

Restart the auditd service:

# service auditd restart

Configure the Receiving Server

Open /etc/audit/auditd.conf for editing and configure auditd service to listen on TCP port 60:

tcp_listen_port = 60

Open TCP port 60 to enable access to the server:

# firewall-cmd --permanent --add-port=60/tcp
# firewall-cmd --reload

Log out and log back in to the server1. Check the log file on server2:

# grep server1 /var/log/audit/audit.log
node=server1.hl.local type=CRED_REFR msg=audit(1561294797.930:227): pid=2236 uid=0 auid=0 ses=4 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/sshd" hostname=10.11.1.10 addr=10.11.1.10 terminal=ssh res=success' UID="root" AUID="root"