Getting AuditD logs from a Linux Host

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.
mcapra
Posts: 3739
Joined: Thu May 05, 2016 3:54 pm

Re: Getting AuditD logs from a Linux Host

Post by mcapra »

Thanks @eloyd!

@krobertson71 let us know if you have additional questions.
Former Nagios employee
https://www.mcapra.com/
krobertson71
Posts: 444
Joined: Tue Feb 11, 2014 10:16 pm

Re: Getting AuditD logs from a Linux Host

Post by krobertson71 »

Unfortunately this does not help. This is not a typical Java multiline event. The audit.log file is not in the same format as messages or secure.log. AuditD will have 3+ records per event recorded. See my first post.

What I am looking for is someone who has auditD enabled and is properly capturing these records into a parseable event.
eloyd
Cool Title Here
Posts: 2129
Joined: Thu Sep 27, 2012 9:14 am
Location: Rochester, NY

Re: Getting AuditD logs from a Linux Host

Post by eloyd »

Having read your first post three times, I have decided that your best bet is to ask in an Elasticsearch/Logstash forum, not a NLS forum. First result on Google pointed me to http://serverfault.com/questions/609192 ... g-logstash which appears to have some good ideas as to parsing the fields in audit.log. The problem is that these are single-line matches.

audit.log does not always send three lines (for instance, PAM success/failures are single line events and so are SSH session logs). So you can't simply "cat three lines together, send it to NLS, and have it work."

You may be stuck with having to parse three lines and use a smarter filter/query/dashboard in NLS to get the kind of data you're looking for.
Eric Loyd • http://everwatch.global • 844.240.EVER • @EricLoyd • I'm a Nagios Fanatic!
mcapra
Posts: 3739
Joined: Thu May 05, 2016 3:54 pm

Re: Getting AuditD logs from a Linux Host

Post by mcapra »

The solutions provided by @eloyd are probably your best options here short of leveraging a third party script/application to reconcile the log events into a single message you can ship to logstash.
Former Nagios employee
https://www.mcapra.com/
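The pre-processor mcapra and eloyd allude to can be small: every audit.log record carries msg=audit(epoch:serial), and all records of one event share the serial, so grouping on it turns a one-line PAM event and a four-record execve event alike into one message. This is an added example, not code from the thread, Nagios or the Elastic stack; the sample lines and field values are constructed.

```python
import json
import re

# Header of every auditd record: type=<T> msg=audit(<epoch>.<ms>:<serial>): <body>
_HEAD = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
_KV = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")

def kv_fields(body):
    """Turn 'k=v k="v" k='nested k=v'' into a dict; nested msg='...' is flattened."""
    fields = {}
    for key, val in _KV.findall(body):
        if val.startswith("'") and val.endswith("'"):
            fields.update(kv_fields(val[1:-1]))   # PAM/USER_* records nest fields in msg='...'
        else:
            fields[key] = val.strip('"')
    return fields

def parse_record(line):
    """Return (serial, timestamp, type, fields) for one audit.log line, or None."""
    m = _HEAD.match(line.strip())
    if not m:
        return None
    return m.group("serial"), m.group("ts"), m.group("type"), kv_fields(m.group("body"))

def reconcile(lines):
    """Group records by serial into one event dict each, in first-seen order."""
    events = {}
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue                      # not an audit record; skip rather than guess
        serial, ts, rtype, fields = rec
        ev = events.setdefault(serial, {"serial": serial, "timestamp": ts, "records": []})
        ev["records"].append({"type": rtype, **fields})
    return list(events.values())

def to_json_lines(lines):
    """One JSON object per event: the single-message shape logstash can ingest."""
    return "\n".join(json.dumps(ev) for ev in reconcile(lines))

# Constructed sample: a four-record execve event followed by a one-line PAM event.
SAMPLE_LINES = [
    'type=SYSCALL msg=audit(1483228800.123:4711): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1234 auid=1000 uid=1000 comm="id" exe="/usr/bin/id" key="exec_cmds"',
    'type=EXECVE msg=audit(1483228800.123:4711): argc=2 a0="id" a1="-u"',
    'type=CWD msg=audit(1483228800.123:4711):  cwd="/home/alice"',
    'type=PATH msg=audit(1483228800.123:4711): item=0 name="/usr/bin/id" inode=131 dev=fd:01 mode=0100755 ouid=0 ogid=0',
    "type=USER_AUTH msg=audit(1483228800.456:4712): pid=2000 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct=\"alice\" exe=\"/usr/sbin/sshd\" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'",
]
```

When tailing a live file, records of one serial can be interleaved with others, so a streaming version should flush an event only after a short idle timeout rather than on a fixed line count.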
krobertson71
Posts: 444
Joined: Tue Feb 11, 2014 10:16 pm

Re: Getting AuditD logs from a Linux Host

Post by krobertson71 »

Sad to hear that. I would have expected Nagios to accommodate all Linux log files, not just refer me to another solution provider.

There is a solution in Splunk that parses AuditD files quite well and is available for use if needed.

Unfortunately it looks like I will have to use that solution as we have a project goal for this data.
eloyd
Cool Title Here
Posts: 2129
Joined: Thu Sep 27, 2012 9:14 am
Location: Rochester, NY

Re: Getting AuditD logs from a Linux Host

Post by eloyd »

Splunk can be a significantly costlier option as well.
Eric Loyd • http://everwatch.global • 844.240.EVER • @EricLoyd • I'm a Nagios Fanatic!
mcapra
Posts: 3739
Joined: Thu May 05, 2016 3:54 pm

Re: Getting AuditD logs from a Linux Host

Post by mcapra »

I wouldn't say the elastic community is "another solution provider" since we run their stack under the hood, but that's more semantics than anything.

Let us know if you have additional questions regarding this use case!
Former Nagios employee
https://www.mcapra.com/
krobertson71
Posts: 444
Joined: Tue Feb 11, 2014 10:16 pm

Re: Getting AuditD logs from a Linux Host

Post by krobertson71 »

@EricLoyd

That is true. I work for a very large university on the Medical Center side. Splunk was implemented university wide a couple of years ago. We at the clinical research area were unable to use it at the time due to limited space and politics. This changed about 6 months ago and we now have access to send events all we want. We do get a very big discount, but again it is paid for by the University at large.

Again the issue is, we have a big sponsor who is asking us to monitor/collect audit information on all our systems. This would be a FED Audit type requirement. If I cannot properly collect it and present it in a way the audit requires I will have no choice but to use Splunk.

I would rather stick to NLS, but, if I have to say "In order to properly report on this data I will have to forward the events to Splunk since they already have a TA for auditD that includes dashboard and reporting," then once I go there I can already hear IT leadership saying "Then why don't we just move everything else over instead of splitting up our data?" I won't have a good rebuttal for that due to this.
eloyd
Cool Title Here
Posts: 2129
Joined: Thu Sep 27, 2012 9:14 am
Location: Rochester, NY

Re: Getting AuditD logs from a Linux Host

Post by eloyd »

Kris,

I'm all for the right tool for the right job. NLS is a hammer. If all you have is a hammer, then everything starts looking like a nail. If you want to "save NLS" at your site, then you'll need a solution. Honestly, I'm not sure what the right solution is other than a pre-processor.
Eric Loyd • http://everwatch.global • 844.240.EVER • @EricLoyd • I'm a Nagios Fanatic!
mcapra
Posts: 3739
Joined: Thu May 05, 2016 3:54 pm

Re: Getting AuditD logs from a Linux Host

Post by mcapra »

Looking at the AuditD plugin provided by the Splunk community:
https://github.com/doksu/splunk_auditd/

These are all things that could definitely be ported into Kibana. Unfortunately, it's not something that is on the Nagios Exchange currently by the looks of it.
Former Nagios employee
https://www.mcapra.com/