The rsyslog service is used to transmit events from the server to the KUMA collector.
To configure transmission of events from the server to the collector:

Check whether the rsyslog service is installed and running on the server:
systemctl status rsyslog.service
If the rsyslog service is not installed on the server, install it by executing the following command:
yum install rsyslog
systemctl enable rsyslog.service
systemctl start rsyslog.service
In the auditd configuration file (auditd.conf), set the following parameters:
name_format=NONE
log_format=ENRICHED
The log_format parameter determines the format of the records written by the auditd service. It must be set to ENRICHED so that resolved user information (user names rather than only numeric IDs) is saved in the events.
After editing the settings, restart the auditd service:
sudo systemctl restart auditd.service
In the /etc/rsyslog.d directory, create the audit.conf file with the following content, depending on the transport protocol you use. Note that UDP syslog is not acknowledged by the receiver, so lost datagrams are dropped silently; use TCP where reliable delivery matters.

To send events over TCP:
$ModLoad imfile
$InputFileName /var/log/audit/audit.log
$InputFileTag tag_audit_log:
$InputFileStateFile audit_log
$InputFileSeverity info
$InputFileFacility local6
$InputRunFileMonitor
*.* @@<IP address of the KUMA collector>:<port of the KUMA collector>
For example:
*.* @@192.1.3.4:5858
To send events over UDP:
$ModLoad imfile
$InputFileName /var/log/audit/audit.log
$InputFileTag tag_audit_log:
$InputFileStateFile audit_log
$InputFileSeverity info
$InputFileFacility local6
$InputRunFileMonitor
template(name="AuditFormat" type="string" string="<%PRI%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag% %msg%\n")
*.* @<IP address of the KUMA collector>:<port of the KUMA collector>;AuditFormat
For example:
*.* @192.1.3.4:5858;AuditFormat
Restart the rsyslog service so that the new configuration takes effect:
systemctl restart rsyslog.service
The event source server is configured. Data about events is transmitted from the server to the KUMA collector.
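As an added illustration (not part of this KUMA documentation page), the following Python script renders a constructed auditd record the way the AuditFormat template above does, with PRI computed from the local6 facility and info severity set in audit.conf, and then parses that line back into its syslog fields and audit key=value pairs, including the resolved user names that log_format=ENRICHED appends after an ASCII 0x1d separator. The host name, timestamp and record contents are constructed sample values, and the function names are my own, not KUMA's or rsyslog's.

```python
# Added example: what the KUMA collector receives from the rsyslog
# configuration above, and how the ENRICHED audit fields are read back.
# Sample values below are constructed for illustration.
import re
from datetime import datetime, timezone

# Syslog facility and severity codes (RFC 5424, section 6.2.1) matching
# $InputFileFacility local6 and $InputFileSeverity info in audit.conf.
FACILITY_LOCAL6 = 22
SEVERITY_INFO = 6

# With log_format=ENRICHED, auditd appends resolved names (UID="root",
# AUID="alice", ...) after an ASCII group separator (0x1d).
ENRICHED_SEPARATOR = "\x1d"

# Constructed sample record: raw key=value pairs, separator, enriched pairs.
SAMPLE_AUDIT_RECORD = (
    "type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=59 "
    "success=yes exit=0 ppid=1 pid=1234 auid=1000 uid=0 gid=0 euid=0 "
    'comm="sudo" exe="/usr/bin/sudo" key="privileged"'
    + ENRICHED_SEPARATOR
    + 'ARCH=x86_64 SYSCALL=execve AUID="alice" UID="root" GID="root" EUID="root"'
)
SAMPLE_TIMESTAMP = datetime(2024, 1, 15, 10, 30, tzinfo=timezone.utc)  # constructed


def syslog_pri(facility: int, severity: int) -> int:
    """PRI value as rsyslog computes it: facility * 8 + severity."""
    return facility * 8 + severity


def format_audit_line(record: str, hostname: str, timestamp: datetime,
                      tag: str = "tag_audit_log:") -> str:
    """Render one audit.log line as the AuditFormat template does:
    <PRI>TIMESTAMP(rfc3339) HOSTNAME SYSLOGTAG MSG followed by newline."""
    if timestamp.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware to render RFC 3339")
    pri = syslog_pri(FACILITY_LOCAL6, SEVERITY_INFO)
    ts = timestamp.isoformat(timespec="microseconds")  # e.g. ...T10:30:00.000000+00:00
    return f"<{pri}>{ts} {hostname} {tag} {record}\n"


_SYSLOG_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\S+) (?P<host>\S+) (?P<tag>\S+) (?P<msg>.*)$"
)


def parse_syslog_line(line: str) -> dict:
    """Split an AuditFormat line into its syslog header fields and the message."""
    m = _SYSLOG_LINE.match(line.rstrip("\n"))
    if not m:
        raise ValueError("line does not match the AuditFormat template")
    pri = int(m.group("pri"))
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": datetime.fromisoformat(m.group("ts")),
        "hostname": m.group("host"),
        "tag": m.group("tag"),
        "msg": m.group("msg"),
    }


# key=value where value is either a double-quoted string or a bare token
_AUDIT_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _fields(text: str) -> dict:
    """Collect key=value pairs from an audit record fragment, unquoting values."""
    return {key: value.strip('"') for key, value in _AUDIT_FIELD.findall(text)}


def parse_audit_record(record: str) -> dict:
    """Separate raw audit fields from the ENRICHED fields appended by auditd.

    A record from a RAW-format log has no separator, so 'enriched' is empty and
    'has_user_names' is False: user fields then carry only numeric IDs."""
    raw_text, sep, enriched_text = record.partition(ENRICHED_SEPARATOR)
    event_id = None
    m = re.search(r"audit\(([\d.]+):(\d+)\)", raw_text)
    if m:
        event_id = (m.group(1), int(m.group(2)))  # (timestamp, serial)
    return {
        "raw": _fields(raw_text),
        "enriched": _fields(enriched_text) if sep else {},
        "event_id": event_id,
        "has_user_names": bool(sep),
    }


if __name__ == "__main__":
    line = format_audit_line(SAMPLE_AUDIT_RECORD, "srv01", SAMPLE_TIMESTAMP)
    print(repr(line))
    header = parse_syslog_line(line)
    audit = parse_audit_record(header["msg"])
    print(header["facility"], header["severity"], audit["raw"]["auid"],
          audit["enriched"].get("AUID"))
```

Running the script shows the line starting with `<182>`, which is local6 (22) times 8 plus info (6); a collector that sees a different PRI is receiving from an rsyslog input that does not carry the facility and severity set in audit.conf. The `has_user_names` flag is the quickest way to confirm on the receiving side that log_format=ENRICHED is actually in effect on the source.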