Collect Linux auditd and Unix system logs

Supported in:

This document describes how to collect audit daemon (auditd) and Unix system logs, and use the Google SecOps forwarder to ingest logs to Google SecOps.

The procedures in this document have been tested on Debian 11.7 and Ubuntu 22.04 LTS (Jammy Jellyfish).

Collect logs from auditd and syslog

You can configure the Linux hosts to send auditd logs to a Google SecOps forwarder by using rsyslog.

  1. Deploy the audit daemon and the audit dispatching framework by running the following command. If you have already deployed the daemon and framework, you can skip this step.

    apt-get install auditd audispd-plugins
    
  2. To enable logging of all commands, which include the user and root, add the following lines to /etc/audit/rules.d/audit.rules:

    -a exit,always -F arch=b64 -S execve
    -a exit,always -F arch=b32 -S execve
    
  3. Restart auditd by running the following command:

    service auditd restart
    

Configure Google SecOps forwarder for auditd

On the Google SecOps forwarder, specify the following data type:

  - syslog:
    common:
      enabled: true
      data_type: AUDITD
      batch_n_seconds:
      batch_n_bytes:
    tcp_address:
    connection_timeout_sec:

For more information, see Install and configure the Google SecOps forwarder on Linux.

Configure syslog

  1. Verify that the parameters in the /etc/audisp/plugins.d/syslog.conf file match the following values:

    active = yes
    direction = out
    path = /sbin/audisp-syslog
    type = always
    args = LOG_LOCAL6
    format = string
    
  2. Modify or create the /etc/rsyslog.d/50-default.conf file and add the following line at the end of the file:

    local6.* @@FORWARDER_IP:PORT
    

    Replace FORWARDER_IP and PORT with the IP address and port of your forwarder. The first column indicates which logs are sent from /var/log over rsyslog. The @@ in the second column indicates that TCP is used to send the message. To use UDP, use one @.

  3. To disable local logging to syslog, configure rsyslog by adding local6.none to the line that configures what is logged to local syslog. The file differs for each OS. For Debian the file is /etc/rsyslog.conf, and for Ubuntu the file is /etc/rsyslog.d/50-default.conf:

    *.*;local6.none;auth,authpriv.none              -/var/log/syslog
    
  4. Restart the following services:

    service auditd restart
    service rsyslog restart
    

Collect Unix systems logs

  1. Create or modify the /etc/rsyslog.d/50-default.conf file and add the following line at the end of the file:

    *.*   @@FORWARDER_IP:PORT
    

    Replace FORWARDER_IP and PORT with the IP address of your forwarder. The first column indicates which logs are sent from /var/log over rsyslog. The @@ in the second column indicates that TCP is used to send the message. To use UDP, use one @.

  2. Run the following command to restart the daemon and load the new config:

    sudo service rsyslog restart
    

Configure Google SecOps forwarder for Unix logs

On the Google SecOps forwarder, specify the following data type:

  - syslog:
    common:
      enabled: true
      data_type: NIX_SYSTEM
      batch_n_seconds:
      batch_n_bytes:
    tcp_address:
    connection_timeout_sec:

For more information, see Install and configure the Google SecOps forwarder on Linux.