How to Transfer Auditd Logs to a Remote Host on AlmaLinux

How to Transfer Auditd Logs to a Remote Host on AlmaLinux

Introduction

Auditd, the Audit Daemon, is a critical tool for Linux system administrators, providing detailed logging of security-relevant events such as file access, user activities, and system modifications. However, for enhanced security, compliance, and centralized monitoring, it is often necessary to transfer Auditd logs to a remote host. This approach ensures logs remain accessible even if the source server is compromised.

In this guide, we’ll walk you through the process of configuring Auditd to transfer logs to a remote host on AlmaLinux. By following this tutorial, you can set up a robust log management system suitable for compliance with regulatory standards such as PCI DSS, HIPAA, or GDPR.

Prerequisites

Before you begin, ensure the following:

1. AlmaLinux system with Auditd installed: The source system generating the logs.
2. Remote log server: A destination server to receive and store the logs.
3. Sudo privileges: Administrative access to configure services.
4. Stable network connection: Required for reliable log transmission.

Optional: Familiarity with SELinux and firewalld, as these services may need adjustments.

Step 1: Install and Configure Auditd

Install Auditd on the Source System

If Auditd is not already installed on your AlmaLinux system, install it using:

sudo dnf install -y audit audit-libs

Start and Enable Auditd

Ensure the Auditd service is active and enabled at boot:

sudo systemctl enable auditd
sudo systemctl start auditd

Verify Installation

Check that Auditd is running:

sudo systemctl status auditd

Step 2: Set Up Remote Logging

To transfer logs to a remote host, you need to configure Auditd’s audispd plugin system, specifically the audisp-remote plugin.

Edit the Auditd Configuration

1. Open the Auditd configuration file:

   sudo nano /etc/audit/auditd.conf
   

2. Update the following settings:

   • log_format: Set to RAW for compatibility.

     log_format = RAW
     

   • enable_krb5: Disable Kerberos authentication if not in use.

     enable_krb5 = no
     

3. Save and close the file.

Step 3: Configure the audisp-remote Plugin

The audisp-remote plugin is responsible for sending Auditd logs to a remote host.

1. Edit the audisp-remote configuration file:

   sudo nano /etc/audit/plugins.d/audisp-remote.conf
   

2. Update the following settings:

   • active: Ensure the plugin is active:

     active = yes
     

   • direction: Set the transmission direction to out.

     direction = out
     

   • path: Specify the path to the remote plugin executable:

     path = /sbin/audisp-remote
     

   • type: Use the type builtin:

     type = builtin
     

3. Save and close the file.

Step 4: Define the Remote Host

Specify the destination server to receive Auditd logs.

1. Edit the remote server configuration:

   sudo nano /etc/audisp/audisp-remote.conf
   

2. Configure the following parameters:

   • remote_server: Enter the IP address or hostname of the remote server.

     remote_server = <REMOTE_HOST_IP>
     

   • port: Use the default port (60) or a custom port:

     port = 60
     

   • transport: Set to tcp for reliable transmission:

     transport = tcp
     

   • format: Specify the format (encrypted for secure transmission or ascii for plaintext):

     format = ascii
     

3. Save and close the file.

Step 5: Adjust SELinux and Firewall Rules

Update SELinux Policy

If SELinux is enforcing, allow Auditd to send logs to a remote host:

sudo setsebool -P auditd_network_connect 1

Configure Firewall Rules

Ensure the source system can connect to the remote host on the specified port (default: 60):

1. Add a firewall rule:

   sudo firewall-cmd --add-port=60/tcp --permanent
   

2. Reload the firewall:

   sudo firewall-cmd --reload
   

Step 6: Configure the Remote Log Server

The remote server must be set up to receive and store Auditd logs. This can be achieved using auditd or a syslog server like rsyslog or syslog-ng.

Option 1: Using Auditd

1. Install Auditd on the remote server:

   sudo dnf install -y audit audit-libs
   

2. Edit the auditd.conf file:

   sudo nano /etc/audit/auditd.conf
   

3. Update the local_events parameter to disable local logging if only remote logs are needed:

   local_events = no
   

4. Save and close the file.

5. Start the Auditd service:

   sudo systemctl enable auditd
   sudo systemctl start auditd
   

Option 2: Using rsyslog

1. Install rsyslog:

   sudo dnf install -y rsyslog
   

2. Enable TCP reception:

   sudo nano /etc/rsyslog.conf
   

3. Uncomment or add the following lines:

   $ModLoad imtcp
   $InputTCPServerRun 514
   

4. Restart rsyslog:

   sudo systemctl restart rsyslog
   

Step 7: Test the Configuration

1. On the source system, restart Auditd to apply changes:

   sudo systemctl restart auditd
   

2. Generate a test log entry on the source system:

   sudo auditctl -w /etc/passwd -p wa -k test_rule
   sudo echo "test entry" >> /etc/passwd
   

3. Check the remote server for the log entry:

   • For Auditd:

     sudo ausearch -k test_rule
     

   • For rsyslog:

     sudo tail -f /var/log/messages
     

Step 8: Securing the Setup

Enable Encryption

For secure transmission, configure the audisp-remote plugin to use encryption:

1. Set format = encrypted in /etc/audisp/audisp-remote.conf.
2. Ensure both source and remote hosts have proper SSL/TLS certificates.

Implement Network Security

• Use a VPN or SSH tunneling to secure the connection between source and remote hosts.
• Restrict access to the remote log server by allowing only specific IPs.

Step 9: Troubleshooting

1. Logs Not Transferring:

   • Check the Auditd status:

     sudo systemctl status auditd
     

   • Verify the connection to the remote server:

     telnet <REMOTE_HOST_IP> 60
     

2. SELinux or Firewall Blocks:

   • Confirm SELinux settings:

     getsebool auditd_network_connect
     

   • Validate firewall rules:

     sudo firewall-cmd --list-all
     

3. Configuration Errors:

   • Check logs for errors:

     sudo tail -f /var/log/audit/audit.log
     

Conclusion

Transferring Auditd logs to a remote host enhances security, ensures log integrity, and simplifies centralized monitoring. By following this step-by-step guide, you’ve configured Auditd on AlmaLinux to forward logs securely and efficiently.

Implement encryption and network restrictions to safeguard sensitive data during transmission. With a centralized log management system, you can maintain compliance and improve incident response capabilities.