Collect Linux auditd and Unix system logs

This document describes how to collect audit daemon (auditd) and Unix system logs, and use the Google Security Operations forwarder to ingest logs to Google SecOps.

The procedures in this document have been tested on Debian 11.7 and Ubuntu 22.04 LTS (Jammy Jellyfish).

Collect logs from auditd and syslog

You can configure Linux hosts to send auditd logs to a Google SecOps forwarder by using rsyslog.

  1. Deploy the audit daemon and the audit dispatching framework:

    apt-get install auditd audispd-plugins

    If you have already deployed the daemon and framework, skip this step.

  2. Enable logging of all commands (including user and root) by adding the following lines to /etc/audit/rules.d/audit.rules:

    -a exit,always -F arch=b64 -S execve
    -a exit,always -F arch=b32 -S execve

  3. Restart auditd:

    service auditd restart

Configure Google SecOps forwarder for auditd

On the Google SecOps forwarder, specify the following data type:

- syslog:
    common:
      enabled: true
      data_type: AUDITD
      batch_n_seconds:
      batch_n_bytes:
    tcp_address:
    connection_timeout_sec:

For more information, see Install and configure the Google SecOps forwarder on Linux.

Configure syslog

  1. Verify that the parameters in the /etc/audisp/plugins.d/syslog.conf file match the following values:

    active = yes
    direction = out
    path = /sbin/audisp-syslog
    type = always
    args = LOG_LOCAL6
    format = string

  2. Modify or create the /etc/rsyslog.d/50-default.conf file and add the following line at the end of the file:

    local6.* @@FORWARDER_IP:PORT

    Replace FORWARDER_IP and PORT with the IP address and port of your forwarder.

    • The first column (the selector, local6.*) determines which log messages rsyslog forwards.
    • The @@ indicates that TCP is used to send the message. To use UDP, use a single @.
  3. Disable local logging of these messages to syslog: add local6.none to the line that configures local syslog logging. The path varies by OS:

    • Debian: /etc/rsyslog.conf
    • Ubuntu: /etc/rsyslog.d/50-default.conf

    The resulting line looks like this:

    *.*;local6.none;auth,authpriv.none              -/var/log/syslog

  4. Restart the following services:

    service auditd restart
    service rsyslog restart
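
The two checks a practitioner would want after the steps above, as an added shell example that is not part of this documentation: confirm that both execve rules from the auditd section are actually loaded (auditctl -l prints -a always,exit even when the rules file says -a exit,always), and confirm that /etc/audisp/plugins.d/syslog.conf carries the values listed in step 1. The function names, the --demo flag and the sample inputs are this example's own; the sample inputs are constructed, and the script never edits the real files.

```shell
#!/bin/sh
# Added example; this is not code from the Google SecOps documentation.
# Verifies the auditd side of the procedure: (1) both execve audit rules are
# active, and (2) the audisp syslog plugin file carries the expected values.
# The sample inputs at the bottom are constructed for offline use.

# execve_rule_present ARCH   (rules text on stdin)
# auditctl -l prints "-a always,exit" even when the rules file says
# "-a exit,always", so both spellings are accepted.
execve_rule_present() {
  grep -Eq "^-a (always,exit|exit,always) -F arch=$1 -S execve( |$)"
}

# check_execve_rules   (rules text on stdin; live use: auditctl -l | check_execve_rules)
# Prints each missing architecture; returns 0 only when b64 and b32 are both present.
check_execve_rules() {
  rules=$(cat)
  rc=0
  for arch in b64 b32; do
    if ! printf '%s\n' "$rules" | execve_rule_present "$arch"; then
      echo "missing execve rule for arch=$arch"
      rc=1
    fi
  done
  return $rc
}

# audisp_value FILE KEY: value of KEY in a "key = value" plugin file, trimmed;
# prints nothing when the key is absent or commented out.
audisp_value() {
  awk -F= -v k="$2" '
    /^[[:space:]]*#/ || !/=/ { next }
    {
      key = $1; sub(/^[[:space:]]+/, "", key); sub(/[[:space:]]+$/, "", key)
      if (key == k) {
        val = $2; sub(/^[[:space:]]+/, "", val); sub(/[[:space:]]+$/, "", val)
        print val; exit
      }
    }' "$1"
}

# Values the procedure expects in /etc/audisp/plugins.d/syslog.conf.
AUDISP_EXPECTED='active=yes
direction=out
path=/sbin/audisp-syslog
type=always
args=LOG_LOCAL6
format=string'

# audisp_mismatches FILE: one line per key whose value differs from AUDISP_EXPECTED.
audisp_mismatches() {
  printf '%s\n' "$AUDISP_EXPECTED" | while IFS='=' read -r key want; do
    have=$(audisp_value "$1" "$key")
    [ "$have" = "$want" ] || printf '%s: expected %s, found %s\n' "$key" "$want" "${have:-<missing>}"
  done
}

# audisp_check FILE: returns 0 when the plugin file matches on every key.
audisp_check() {
  [ -z "$(audisp_mismatches "$1")" ]
}

# Constructed samples (not captured from a real host).
SAMPLE_RULES_LOADED='-a always,exit -F arch=b64 -S execve
-a always,exit -F arch=b32 -S execve'
SAMPLE_RULES_PARTIAL='-a exit,always -F arch=b64 -S execve'

SAMPLE_PLUGIN_OK='active = yes
direction = out
path = /sbin/audisp-syslog
type = always
args = LOG_LOCAL6
format = string'
# Same file, but the path is commented out and the facility is wrong.
SAMPLE_PLUGIN_BAD='active = yes
direction = out
#path = /sbin/audisp-syslog
type = always
args = LOG_LOCAL5
format = string'

# sample_file TEXT: write TEXT to a temp file and print its path.
sample_file() {
  f=$(mktemp) && printf '%s\n' "$1" > "$f" && echo "$f"
}

if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_RULES_PARTIAL" | check_execve_rules || true
  audisp_mismatches "$(sample_file "$SAMPLE_PLUGIN_BAD")"
fi
```

On a live host, `auditctl -l | check_execve_rules` and `audisp_check /etc/audisp/plugins.d/syslog.conf` are the two calls to run (as root) after the restart in step 4; a non-zero exit from either is the reason audit events never reach the forwarder.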

Collect Unix system logs

  1. Create or modify the /etc/rsyslog.d/50-default.conf file and add the following line at the end of the file:

    *.* @@FORWARDER_IP:PORT

  2. Replace FORWARDER_IP and PORT with the IP address and port of your forwarder.

  3. Run the following command to restart the daemon and load the new config:

    sudo service rsyslog restart
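
The rsyslog edits in the Configure syslog section and in the Unix system logs steps above differ only in the selector (local6.* versus *.*) and the transport prefix, so one added shell example covers both; it is not code from this documentation. forward_line builds the action line, exclude_local6 adds the local6.none exclusion to the stock catch-all rule, and append_forwarding / exclude_local6_in_file apply them to a file. The function names, the 192.0.2.10:10514 address and the sample rule set are constructed for this example; --demo runs it on a temporary copy only.

```shell
#!/bin/sh
# Added example; this is not code from the Google SecOps documentation.
# Produces the rsyslog forwarding lines used in the auditd and Unix-log
# sections and adds the local6.none exclusion to an existing
# "*.* ... -/var/log/syslog" rule. Host, port and sample rules are constructed.

# forward_line SELECTOR PROTO HOST PORT
# PROTO "tcp" yields the @@ form, "udp" the single-@ form.
forward_line() {
  case "$2" in
    tcp) prefix='@@' ;;
    udp) prefix='@' ;;
    *)   echo "forward_line: PROTO must be tcp or udp, got '$2'" >&2; return 2 ;;
  esac
  printf '%s %s%s:%s\n' "$1" "$prefix" "$3" "$4"
}

# exclude_local6   (rsyslog rules on stdin, rewritten rules on stdout)
# Inserts ";local6.none" after a leading "*.*" selector on the line that
# writes to /var/log/syslog, so forwarded audit messages are not also written
# to the local syslog file. Lines that already carry local6.none, and all
# other lines, pass through unchanged.
exclude_local6() {
  awk '
    /^\*\.\*/ && /\/var\/log\/syslog/ && !/local6\.none/ { sub(/^\*\.\*/, "*.*;local6.none") }
    { print }'
}

# append_forwarding FILE SELECTOR PROTO HOST PORT
# Appends the forwarding line to FILE (e.g. /etc/rsyslog.d/50-default.conf)
# unless an identical line is already present.
append_forwarding() {
  line=$(forward_line "$2" "$3" "$4" "$5") || return $?
  grep -qxF -- "$line" "$1" 2>/dev/null || printf '%s\n' "$line" >> "$1"
}

# exclude_local6_in_file FILE: apply exclude_local6 to FILE in place,
# keeping the file's ownership and mode.
exclude_local6_in_file() {
  tmp=$(mktemp) && exclude_local6 < "$1" > "$tmp" && cat "$tmp" > "$1" && rm -f "$tmp"
}

# Constructed sample resembling the stock catch-all rule in
# /etc/rsyslog.d/50-default.conf (Ubuntu) or /etc/rsyslog.conf (Debian).
SAMPLE_RULES='auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
kern.*                          -/var/log/kern.log'

# Demo on a temp copy; the real configuration files are never touched.
if [ "${1:-}" = "--demo" ]; then
  conf=$(mktemp); printf '%s\n' "$SAMPLE_RULES" > "$conf"
  append_forwarding "$conf" 'local6.*' tcp 192.0.2.10 10514
  exclude_local6_in_file "$conf"
  cat "$conf"; rm -f "$conf"
fi
```

For the Unix system logs section the same call with the `*.*` selector (`append_forwarding /etc/rsyslog.d/50-default.conf '*.*' tcp FORWARDER_IP PORT`) produces the line that section asks for; exclude_local6_in_file is only needed on the auditd host, where it edits /etc/rsyslog.conf on Debian and /etc/rsyslog.d/50-default.conf on Ubuntu.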

Configure Google SecOps forwarder for Unix logs

On the Google SecOps forwarder, specify the following data type:

- syslog:
    common:
      enabled: true
      data_type: NIX_SYSTEM
      batch_n_seconds:
      batch_n_bytes:
    tcp_address:
    connection_timeout_sec:

For more information, see Install and configure the Google SecOps forwarder on Linux.
