How to leverage auditd & rsyslog to send select audit events to specific files or hosts
Issue
- How can we get selected audit events to show up in /var/log/messages or other log files?
- Our system has many audit rules and the generated events all show up in /var/log/audit/audit.log, but we want certain select events to also be passed to rsyslog for further processing. How can we do this?
Environment
- Red Hat Enterprise Linux
- rsyslog
- auditd