Audit logs not forwarded to remote syslog server on RHEL 8

Solution Verified

Environment

  • Red Hat Enterprise Linux (RHEL) 8

Issue

  • RHEL 8 client is configured to send logs to a central syslog server.
  • All logs are successfully being received by the central syslog server except audit logs.
  • Why are the audit logs not being forwarded?

Resolution

  1. Install the audispd-plugins package.
  2. Edit the /etc/audit/plugins.d/syslog.conf file so that active=yes.
  3. Restart the auditd service using the service auditd restart command (not the systemctl command).

Root Cause

Before RHEL 8, the audispd configuration lived in the /etc/audisp directory. In RHEL 8, Audit 3.0 replaces the separate audispd daemon with auditd itself, so all of its configuration files now live in the /etc/audit directory and its sub-directories; the syslog plugin is therefore controlled by /etc/audit/plugins.d/syslog.conf, and a syslog plugin that was enabled under /etc/audisp on an earlier release is not enabled there by default.

Diagnostic Steps

  • Ensure that the audispd-plugins package is installed and that the /etc/audit/plugins.d/syslog.conf file contains active=yes.
  • After the auditd service is restarted, generate a test audit message using the auditctl -m "Test message" command and verify that it has reached the central syslog server.
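The following script is an added example, not Red Hat's own tooling: it carries out Resolution steps 1 to 3 and the check from Diagnostic Steps, and it includes an offline dry run on a constructed copy of syslog.conf (modelled on the RHEL 8 default) so the edit logic can be exercised without root. The CONF and APPLY_AUDIT_FIX variables are assumptions introduced here.

```shell
#!/bin/sh
# Added example, not Red Hat's own tooling: enable the auditd syslog plugin on
# RHEL 8 (Resolution steps 1-3) and check the setting (Diagnostic Steps).
# CONF defaults to the RHEL 8 path and can be overridden to work on a copy.
set -eu

CONF="${CONF:-/etc/audit/plugins.d/syslog.conf}"

# Print the value of "active" (e.g. yes/no) from a plugin config file.
# Accepts "active = yes" and "active=yes"; comments and blank lines are ignored.
plugin_active() {
    sed -n 's/^[[:space:]]*active[[:space:]]*=[[:space:]]*\([[:alnum:]]*\).*/\1/p' "$1" | tail -n 1
}

# Step 2: rewrite the active line to "active = yes" in place; append it if absent.
enable_plugin() {
    if grep -q '^[[:space:]]*active[[:space:]]*=' "$1"; then
        sed -i 's/^[[:space:]]*active[[:space:]]*=.*/active = yes/' "$1"
    else
        printf 'active = yes\n' >> "$1"
    fi
}

# Steps 1-3 plus the test record from Diagnostic Steps (needs root on RHEL 8).
# "service auditd restart" is used on purpose: the auditd unit refuses a
# manual stop/restart through systemctl.
apply_fix() {
    rpm -q audispd-plugins >/dev/null 2>&1 || dnf -y install audispd-plugins
    enable_plugin "$CONF"
    service auditd restart
    auditctl -m "Test message"   # should now show up on the central syslog server
}

# Offline dry run on a constructed copy of syslog.conf (modelled on the RHEL 8
# default); prints the active value before and after the edit, e.g. "no yes".
dry_run() {
    tmp=$(mktemp)
    printf '%s\n' '# syslog plugin (constructed sample)' 'active = no' \
        'direction = out' 'path = builtin_syslog' 'type = builtin' \
        'args = LOG_INFO' 'format = string' > "$tmp"
    before=$(plugin_active "$tmp")
    enable_plugin "$tmp"
    after=$(plugin_active "$tmp")
    rm -f "$tmp"
    printf '%s %s\n' "$before" "$after"
}

if [ "${APPLY_AUDIT_FIX:-0}" = 1 ]; then apply_fix; else dry_run; fi
```

Run it as root with APPLY_AUDIT_FIX=1 to apply the fix on a RHEL 8 host; without it, only the dry run on the constructed sample executes.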

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
