Collect Linux auditd and Unix system logs
This document describes how to collect audit daemon (auditd) and Unix system logs, and use the Google Security Operations forwarder to ingest logs to Google SecOps.
The procedures in this document have been tested on Debian 11.7 and Ubuntu 22.04 LTS (Jammy Jellyfish).
Collect logs from auditd and syslog
You can configure the Linux hosts to send auditd logs to a Google SecOps forwarder by using rsyslog.
-  Deploy the audit daemon and the audit dispatching framework by running the following command. If you have already deployed the daemon and framework, you can skip this step.

     apt-get install auditd audispd-plugins

-  To enable logging of every command executed, by unprivileged users and root alike, add the following lines to /etc/audit/rules.d/audit.rules. Both rules are needed: a 32-bit binary on a 64-bit kernel enters execve through the b32 syscall table and would not be caught by the b64 rule alone.

     -a exit,always -F arch=b64 -S execve
     -a exit,always -F arch=b32 -S execve

-  Restart auditd by running the following command, which loads the new rules. You can confirm they are active with auditctl -l.

     service auditd restart
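The two execve rules above produce, for every command, a SYSCALL record (who ran it: auid is the login uid, uid the account the process runs as, and the two differ after sudo), an EXECVE record (the argument vector, which auditd hex-encodes when an argument contains a space, a quote or a non-printable byte) and a CWD record, all sharing the serial in msg=audit(time:serial). The following Python script, added here as an example and not part of the Google SecOps documentation or forwarder, reassembles those records from audisp-syslog lines into one event per command and flags commands whose uid differs from the login uid. The sample lines are constructed to look like audisp-syslog output; the hostname web01, the user, the pids and the serial numbers are invented.

```python
"""Reassemble auditd execve events from audisp-syslog lines and attribute them
to the login user.  Added example; the sample lines are constructed, not captured."""
import re

MSG_ID = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
UNSET_AUID = 4294967295  # -1 as uint32: no login session (daemon, cron, boot)

# Constructed sample: alice (auid 1000, session 3) runs `sudo cat /etc/shadow`,
# then `echo "hello world"`; a logrotate run from cron follows.  Each audit
# record is its own syslog message; PRI <182> is local6.info.
SAMPLE = """\
<182>Nov  3 10:15:22 web01 audisp-syslog: type=SYSCALL msg=audit(1699005322.123:4567): arch=c000003e syscall=59 success=yes exit=0 ppid=2210 pid=2301 auid=1000 uid=1000 gid=1000 euid=0 tty=pts0 ses=3 comm="sudo" exe="/usr/bin/sudo" key=(null)
<182>Nov  3 10:15:22 web01 audisp-syslog: type=EXECVE msg=audit(1699005322.123:4567): argc=3 a0="sudo" a1="cat" a2="/etc/shadow"
<182>Nov  3 10:15:22 web01 audisp-syslog: type=CWD msg=audit(1699005322.123:4567): cwd="/home/alice"
<182>Nov  3 10:15:22 web01 audisp-syslog: type=SYSCALL msg=audit(1699005322.130:4568): arch=c000003e syscall=59 success=yes exit=0 ppid=2301 pid=2302 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key=(null)
<182>Nov  3 10:15:22 web01 audisp-syslog: type=EXECVE msg=audit(1699005322.130:4568): argc=2 a0="cat" a1="/etc/shadow"
<182>Nov  3 10:15:22 web01 audisp-syslog: type=CWD msg=audit(1699005322.130:4568): cwd="/home/alice"
<182>Nov  3 10:15:40 web01 audisp-syslog: type=SYSCALL msg=audit(1699005340.002:4570): arch=c000003e syscall=59 success=yes exit=0 ppid=2210 pid=2310 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="echo" exe="/usr/bin/echo" key=(null)
<182>Nov  3 10:15:40 web01 audisp-syslog: type=EXECVE msg=audit(1699005340.002:4570): argc=2 a0="echo" a1=68656C6C6F20776F726C64
<182>Nov  3 10:15:40 web01 audisp-syslog: type=CWD msg=audit(1699005340.002:4570): cwd="/home/alice"
<182>Nov  3 10:17:01 web01 audisp-syslog: type=SYSCALL msg=audit(1699005421.500:4571): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=2400 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="logrotate" exe="/usr/sbin/logrotate" key=(null)
<182>Nov  3 10:17:01 web01 audisp-syslog: type=EXECVE msg=audit(1699005421.500:4571): argc=2 a0="logrotate" a1="/etc/logrotate.conf"
<182>Nov  3 10:17:01 web01 audisp-syslog: type=CWD msg=audit(1699005421.500:4571): cwd="/"
""".splitlines()


def decode_arg(value):
    """EXECVE arguments are quoted when printable; otherwise auditd emits bare
    hex (argument containing a space, quote or non-ASCII byte)."""
    if value.startswith('"'):
        return value.strip('"')
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value


def parse_record(line):
    """Return (serial, record type, fields) or None for a line without an audit body."""
    start = line.find("type=")
    if start < 0:
        return None
    body = line[start:]
    ident = MSG_ID.search(body)
    if ident is None:
        return None
    fields = dict(KV.findall(body))
    return int(ident.group(2)), fields["type"], fields


def events(lines):
    """Group SYSCALL/EXECVE/CWD records by audit serial into one event each.
    Serials are per host; when mixing hosts, key on (hostname, serial)."""
    grouped = {}
    for line in lines:
        parsed = parse_record(line)
        if parsed is None:
            continue
        serial, rtype, f = parsed
        ev = grouped.setdefault(serial, {"serial": serial, "argv": []})
        if rtype == "SYSCALL":
            ev.update(auid=int(f["auid"]), uid=int(f["uid"]),
                      exe=f["exe"].strip('"'), success=f["success"] == "yes")
        elif rtype == "EXECVE":
            ev["argv"] = [decode_arg(f["a%d" % i]) for i in range(int(f["argc"]))]
        elif rtype == "CWD":
            ev["cwd"] = f["cwd"].strip('"')
    return [ev for ev in grouped.values() if "exe" in ev and ev["argv"]]


def command_line(ev):
    return " ".join(ev["argv"])


def cross_uid_commands(evs):
    """Commands run as a uid other than the login uid: sudo/su children and
    setuid helpers.  auid survives sudo, so the original user stays attributable."""
    return [ev for ev in evs if ev["auid"] != UNSET_AUID and ev["uid"] != ev["auid"]]


if __name__ == "__main__":
    for ev in events(SAMPLE):
        print(ev["serial"], "auid=%d uid=%d" % (ev["auid"], ev["uid"]),
              ev["cwd"], command_line(ev))
```

Feed it the local6 stream (for instance `journalctl -o cat -t audisp-syslog`, or the file rsyslog writes before you add local6.none) to check that both halves of a sudo invocation arrive and that hex-encoded arguments decode, before you rely on the same records at the forwarder.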
Configure Google SecOps forwarder for auditd
On the Google SecOps forwarder, add a syslog collector with the following data type (the batch, listen address and timeout values are left for you to fill in for your deployment):

     - syslog:
         common:
           enabled: true
           data_type: AUDITD
           batch_n_seconds:
           batch_n_bytes:
         tcp_address:
         connection_timeout_sec:
For more information, see Install and configure the Google SecOps forwarder on Linux.
Configure syslog
-  Verify that the parameters in the /etc/audisp/plugins.d/syslog.conf file match the following values. On auditd 3.x hosts the plugin directory is /etc/audit/plugins.d/ instead, so edit whichever of the two exists:

     active = yes
     direction = out
     path = /sbin/audisp-syslog
     type = always
     args = LOG_LOCAL6
     format = string

   If auditd logs that the plugin rejected LOG_LOCAL6 as an unknown priority, your audisp-syslog expects the priority before the facility; use args = LOG_INFO LOG_LOCAL6.

-  Modify or create the /etc/rsyslog.d/50-default.conf file and add the following line at the end of the file:

     local6.* @@FORWARDER_IP:PORT

   Replace FORWARDER_IP and PORT with the IP address and port of your forwarder. The selector in the first column, local6.*, matches every message the audisp syslog plugin writes to the local6 facility, at any priority. The @@ in the second column means the messages are sent over TCP; to use UDP, use a single @. Neither transport authenticates or encrypts the stream, and UDP drops messages silently under load, so prefer TCP and restrict which hosts can reach the forwarder port at the network level.

-  To stop the audit messages from also being written to the local syslog file, add local6.none to the selector of the rule that writes /var/log/syslog. The file differs for each OS: on Debian it is /etc/rsyslog.conf, on Ubuntu it is /etc/rsyslog.d/50-default.conf:

     *.*;local6.none;auth,authpriv.none    -/var/log/syslog

-  Restart both services so the plugin and the new rsyslog rules take effect:

     service auditd restart
     service rsyslog restart
Collect Unix systems logs
-  Create or modify the /etc/rsyslog.d/50-default.conf file and add the following line at the end of the file:

     *.* @@FORWARDER_IP:PORT

   Replace FORWARDER_IP and PORT with the IP address and port of your forwarder. The selector in the first column, *.*, matches every message from every facility at any priority. The @@ in the second column means the messages are sent over TCP; to use UDP, use a single @.

-  Run the following command to restart the daemon and load the new config:

     sudo service rsyslog restart
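The rsyslog lines in the auditd section (local6.* to the forwarder, local6.none on the local file) and in this section (*.* to the forwarder) are classic selectors: every syslog message carries a PRI header equal to facility * 8 + severity, and a selector matches on that pair, with later clauses in a ;-separated list overriding earlier ones for the same facility. The following Python script, added here as an example rather than code from the page, from rsyslog or from the forwarder, decodes the PRI and evaluates those selectors against constructed sample messages so you can see which rule sends what before restarting rsyslog. It also includes a minimal TCP listener that accepts the newline-delimited frames rsyslog sends to an @@ target, usable as a stand-in on the forwarder port while checking connectivity. FORWARDER_IP:PORT is kept as the page's placeholder, the auth.log rule is Ubuntu's stock 50-default.conf rule, and the sample messages are invented.

```python
"""Decode syslog PRI headers and evaluate the classic rsyslog selectors used on this
page.  Added example, not Google SecOps, rsyslog or forwarder code; the sample
messages are constructed and FORWARDER_IP:PORT is the page's placeholder."""
import socket

FACILITY = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
            "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11}
FACILITY.update({"local%d" % i: 16 + i for i in range(8)})
FACILITY_NAME = {v: k for k, v in FACILITY.items()}
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def decode_pri(message):
    """Split the <PRI> header: PRI = facility * 8 + severity (RFC 3164)."""
    end = message.find(">")
    if not message.startswith("<") or end < 2:
        raise ValueError("no <PRI> header in %r" % message[:20])
    pri = int(message[1:end])
    facility = FACILITY_NAME.get(pri // 8, "facility%d" % (pri // 8))
    return facility, SEVERITY[pri % 8], message[end + 1:]


def selector_matches(selector, facility, severity):
    """Evaluate a selector such as 'local6.*' or '*.*;local6.none;auth,authpriv.none'.
    Clauses apply left to right and a later clause replaces the mask an earlier one
    set for the same facility; a level means that level or anything more urgent
    (syslog.conf semantics).  The '=' and '!' level modifiers are not implemented."""
    matched = False
    for clause in selector.split(";"):
        facilities, level = clause.strip().rsplit(".", 1)
        if facilities != "*" and facility not in facilities.split(","):
            continue
        if level == "none":
            matched = False
        else:
            matched = level == "*" or SEVERITY.index(severity) <= SEVERITY.index(level)
    return matched


# Ubuntu's stock auth.log rule plus the two lines the auditd section puts in
# /etc/rsyslog.d/50-default.conf ...
AUDITD_RULES = [
    ("auth,authpriv.*", "/var/log/auth.log"),
    ("*.*;local6.none;auth,authpriv.none", "-/var/log/syslog"),
    ("local6.*", "@@FORWARDER_IP:PORT"),
]
# ... and the line the Unix system log section adds instead.
NIX_RULES = [
    ("auth,authpriv.*", "/var/log/auth.log"),
    ("*.*;auth,authpriv.none", "-/var/log/syslog"),
    ("*.*", "@@FORWARDER_IP:PORT"),
]


def route(message, rules):
    """Return every target a message reaches under a rule set, in file order."""
    facility, severity, _ = decode_pri(message)
    return [target for selector, target in rules
            if selector_matches(selector, facility, severity)]


def receive_frames(port, bind="0.0.0.0"):
    """Stand-in for the forwarder's listener: accept one TCP connection (@@ = TCP)
    and yield the newline-delimited messages rsyslog sends by default.  Run it on
    the forwarder host and `logger -p local6.info test` on a client to prove the path."""
    with socket.create_server((bind, port)) as server:
        conn, _ = server.accept()
        with conn, conn.makefile("r", encoding="utf-8", errors="replace") as stream:
            for line in stream:
                yield line.rstrip("\n")


# Constructed sample messages: audisp-syslog on local6.info (PRI 22*8+6),
# sudo on authpriv.info (10*8+6) and systemd on daemon.info (3*8+6).
SAMPLE = [
    '<182>Nov  3 10:15:22 web01 audisp-syslog: type=EXECVE msg=audit(1699005322.123:4567): argc=3 a0="sudo" a1="cat" a2="/etc/shadow"',
    "<86>Nov  3 10:15:22 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow",
    "<30>Nov  3 10:15:23 web01 systemd[1]: Started Daily apt download activities.",
]

if __name__ == "__main__":
    for message in SAMPLE:
        facility, severity, _ = decode_pri(message)
        print("%s.%s -> auditd rules: %s | unix rules: %s" % (
            facility, severity, route(message, AUDITD_RULES), route(message, NIX_RULES)))
```

Two things the routing makes visible: under the auditd rules only the local6 message reaches the forwarder, and the sudo line stays in auth.log on the host; under the Unix rules everything, sudo included, is forwarded. If you keep both the local6.* line and the *.* line in the same file, every audit message matches both and is sent twice, so use one of them, or add local6.none to the *.* selector.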
Configure Google SecOps forwarder for Unix logs
On the Google SecOps forwarder, add a syslog collector with the following data type (the batch, listen address and timeout values are left for you to fill in for your deployment):

     - syslog:
         common:
           enabled: true
           data_type: NIX_SYSTEM
           batch_n_seconds:
           batch_n_bytes:
         tcp_address:
         connection_timeout_sec:
For more information, see Install and configure the Google SecOps forwarder on Linux.