RHEL8 - Audit Configuration Guide (1) 1

This document contains instructions for configuring standard Linux OS authpriv logs and auditd logs to be forwarded to QRadar SIEM on Red Hat Enterprise Linux 8. It describes editing configuration files like rsyslog.conf and auditd.rules to define log forwarding and filters. Restarting services like rsyslog and auditd is also covered.

Uploaded by adigozalmurad

RED HAT 8 ENTERPRISE LINUX

Audit Configuration Guide

Information Security
Table of Contents

1 Configuring standard Linux OS authpriv logs .....................................................................2

2 Configuring auditd logs .........................................................................................................2

This document contains detailed information on how to configure auditing on Red Hat Enterprise Linux
(RHEL) 8.x operating systems so that audit information can be collected, processed and analysed by QRadar
SIEM. It should also apply to CentOS and Oracle Linux, which share the same code base.

1 Configuring standard Linux OS authpriv logs


1. To forward standard Linux OS authpriv events, append the following lines to the end of
/etc/rsyslog.conf (replace QRADAR_IP and QRADAR_PORT with the actual values):
authpriv.* action(type="omfwd"
queue.filename="qradar_authpriv"
queue.maxdiskspace="1g"
queue.saveonshutdown="on"
queue.type="LinkedList"
action.resumeRetryCount="-1"
Target="QRADAR_IP"
Port="QRADAR_PORT"
Protocol="tcp")

2. Restart rsyslog service:


systemctl restart rsyslog

2 Configuring auditd logs


1. Install audispd-plugins package:
yum install audispd-plugins

2. Edit /etc/audit/plugins.d/syslog.conf file and set its content as:


active = yes
direction = out
path = /sbin/audisp-syslog
type = always
args = LOG_LOCAL6
format = string

3. Edit the /etc/audit/rules.d/audit.rules file to suit your needs (see the template auditd.rules file that
accompanies this document).

4. Restart auditd service:


service auditd restart

5. Append the following lines to the end of /etc/rsyslog.conf (replace QRADAR_IP and
QRADAR_PORT with the actual values):
local6.* action(type="omfwd"
queue.filename="qradar_auditd"
queue.maxdiskspace="1g"
queue.saveonshutdown="on"
queue.type="LinkedList"
action.resumeRetryCount="-1"
Target="QRADAR_IP"
Port="QRADAR_PORT"
Protocol="tcp")

6. Restart rsyslog service:
systemctl restart rsyslog
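The two fragments above only work as a chain when the audisp plugin's facility (args = LOG_LOCAL6) matches the rsyslog selector (local6.*) and the omfwd placeholders have really been replaced. The following Python check is an added example, not part of the guide; it parses constructed copies of both files (the collector address 192.0.2.10:514 is made up) and reports the misconfigurations that silently stop events reaching QRadar.

```python
import re

# Constructed copy of /etc/audit/plugins.d/syslog.conf, exactly as the guide specifies.
PLUGIN_CONF = """\
active = yes
direction = out
path = /sbin/audisp-syslog
type = always
args = LOG_LOCAL6
format = string
"""

# Constructed tail of /etc/rsyslog.conf: the guide's two omfwd actions with the
# QRADAR_IP / QRADAR_PORT placeholders replaced by a made-up collector address.
RSYSLOG_TAIL = """\
authpriv.* action(type="omfwd" queue.filename="qradar_authpriv"
queue.maxdiskspace="1g" queue.saveonshutdown="on" queue.type="LinkedList"
action.resumeRetryCount="-1" Target="192.0.2.10" Port="514" Protocol="tcp")
local6.* action(type="omfwd" queue.filename="qradar_auditd"
queue.maxdiskspace="1g" queue.saveonshutdown="on" queue.type="LinkedList"
action.resumeRetryCount="-1" Target="192.0.2.10" Port="514" Protocol="tcp")
"""

def parse_plugin_conf(text):
    """'key = value' lines of an audisp plugin file; '#' comments are ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def parse_rsyslog_actions(text):
    """(selector, {param: value}) for every 'selector action(...)' block, keys lowercased."""
    actions = []
    for m in re.finditer(r'^(\S+)\s+action\((.*?)\)', text, re.M | re.S):
        params = {k.lower(): v for k, v in re.findall(r'([\w.]+)="([^"]*)"', m.group(2))}
        actions.append((m.group(1), params))
    return actions

def check_forwarding(plugin_text, rsyslog_text):
    """Return the problems found; an empty list means plugin and rsyslog agree."""
    problems = []
    plugin = parse_plugin_conf(plugin_text)
    if plugin.get("active") != "yes":
        problems.append("audisp syslog plugin is not active")
    if plugin.get("path") != "/sbin/audisp-syslog":
        problems.append("plugin path is not /sbin/audisp-syslog")
    # args = LOG_LOCAL6 picks the syslog facility; rsyslog spells it local6
    facility = (plugin.get("args") or "?").split()[0].replace("LOG_", "", 1).lower()
    actions = parse_rsyslog_actions(rsyslog_text)
    seen = {sel for sel, _ in actions}
    for sel in (facility + ".*", "authpriv.*"):
        if sel not in seen:
            problems.append(f"no rsyslog action for {sel}")
    for sel, p in actions:
        if p.get("type") != "omfwd":
            continue
        if p.get("target", "") in ("", "QRADAR_IP") or p.get("port", "") in ("", "QRADAR_PORT"):
            problems.append(f"{sel}: placeholder Target/Port not replaced")
        if p.get("protocol", "udp").lower() != "tcp":
            problems.append(f"{sel}: not forwarding over tcp")
        if "queue.filename" not in p:
            problems.append(f"{sel}: no disk-assisted queue, events lost while QRadar is unreachable")
    return problems
```

Run it against the real files with `check_forwarding(open("/etc/audit/plugins.d/syslog.conf").read(), open("/etc/rsyslog.conf").read())` after editing; an empty list is the expected result.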
