Overview
For RHEL7.
This took more work than I anticipated.
My goal was this:
1. Write audit logs to /var/log/audit
2. Forward audit and syslog to the central logging server
3. Audit logs do NOT appear in /var/log/messages
Items 1 and 2 were easy; number 3, not so much.
audisp, rsyslogd and journald
After using rsyslog to send logs on to a central log collector, I noticed that all the audit logs were still going to "/var/log/messages" as well as "/var/log/audit", which is not ideal. The only solution that worked, out of the many I tested, is detailed below: the audit logs still go to /var/log/audit (on a separate LV, of course), /var/log/messages doesn't fill up with audit logs, and all the logs get forwarded to the central log collector. The configs below seem to work in general, but you may have to tweak them for your application, specifically the rate and burst limiting for journald.
Files of interest are:
- /etc/audisp/plugins.d/syslog.conf – the audisp plugin that forwards audit events to syslog.
- /etc/systemd/journald.conf – journald daemon config; change the default rate-limiting values, otherwise messages may be dropped.
- /etc/rsyslog.conf – configure forwarding and exclude local0 from /var/log/messages.
- /etc/auditd/rules.d/audit.rules – I needed to exclude "/var/lib/rsyslog" to stop a logging loop; you may not have to do this.
Configure the syslog plugin /etc/audisp/plugins.d/syslog.conf to look like the below:
active = yes
direction = out
path = builtin_syslog
type = builtin
#args = LOG_INFO
args = LOG_LOCAL0
format = string
Modify rsyslog.conf; the key change was adding local0.none to the /var/log/messages selector:
*.info;mail.none;authpriv.none;cron.none;local0.none    /var/log/messages
# Forward logs using TCP to central log collector
*.* @@xxx.xxx.xxx.xxx:10514
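To see exactly what the local0.none change does, here is an added Python script (not part of the original post) that evaluates rsyslog's legacy selector lines the way rsyslog does, using a constructed rsyslog.conf fragment that mirrors the lines above; it assumes the audisp plugin emits audit events as local0 at info priority.

```python
# Where does rsyslog's legacy selector syntax route a message? (constructed example)
# syslog priorities from lowest to highest; "fac.pri" means pri and everything above it
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}

# Constructed rsyslog.conf fragment mirroring the post (collector address is a placeholder)
RSYSLOG_CONF = """\
*.info;mail.none;authpriv.none;cron.none;local0.none   /var/log/messages
authpriv.*                                              /var/log/secure
# Forward logs using TCP to central log collector
*.* @@xxx.xxx.xxx.xxx:10514
"""

def selector_matches(selector, facility, priority):
    """True if this selector field routes facility.priority to its action.
    Selectors split by ';' apply left to right and a later one overrides earlier
    ones for the facilities it names; that is why local0.none at the end of the
    /var/log/messages line keeps audit events out of that file ('!' not handled)."""
    matched = False
    for part in selector.split(";"):
        facs, pri = part.rsplit(".", 1)
        if "!" in pri:
            raise ValueError("unsupported '!' selector: " + part)
        if facility not in facs.split(",") and "*" not in facs.split(","):
            continue  # this selector says nothing about our facility
        name = pri.lstrip("=")
        name = ALIASES.get(name, name)
        if name == "none":
            matched = False
        elif name == "*":
            matched = True
        elif pri.startswith("="):          # "=pri" means exactly that priority
            matched = priority == name
        else:                              # "pri" means pri and above
            matched = PRIORITIES.index(priority) >= PRIORITIES.index(name)
    return matched

def destinations(conf, facility, priority):
    """Return the actions (files, @@host:port forwards) a message reaches, in config order."""
    targets = []
    for line in conf.splitlines():
        line = line.strip()
        # skip blanks, comments and non-selector directives ($... and module(...))
        if not line or line[0] in "#$" or line.startswith("module("):
            continue
        selector, action = line.split(None, 1)
        if selector_matches(selector, facility, priority):
            targets.append(action.strip())
    return targets
```

Running destinations(RSYSLOG_CONF, "local0", "info") returns only the @@ forward, while the same call against the conf with ";local0.none" removed also returns /var/log/messages, which is the behaviour the post set out to stop.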
And now journald.conf. The defaults are "RateLimitInterval=30s" and "RateLimitBurst=1000"; I had to change these as I was seeing dropped journalctl messages ("journal: Suppressed 10361 messages from"). I had to exclude "/var/lib/rsyslog" in audit.rules as it was creating thousands of messages, i.e. a logging loop. It is possible that rsyslog can drop messages as well; they will show up as "imjournal: begin to drop messages due to rate-limiting". To rate-limit rsyslog you make changes to the rsyslog.conf file.
RateLimitInterval=15s
RateLimitBurst=3000
If you need to rate-limit rsyslog you can add the following; however, I've not tested this.
Old style syslog format
# File to store the position in the journal
$IMJournalStateFile imjournal.state
$imjournalRatelimitInterval 300
$imjournalRatelimitBurst 30000
Or, if you want the new style, all on one line:
module(load="imjournal" StateFile="/var/lib/rsyslog/imjournal.state" ratelimit.interval="300" ratelimit.burst="30000")
Testing rate-limiting
Tail your log file
tail -f /var/log/messages
From a second shell
journalctl -f
From a third shell, generate some traffic
seq 1 3000 | logger