How to replace IP with hostname in '/var/log/audit/audit.log' file for sshd related logs?

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux (all versions)
  • auditd
  • OpenSSH

Issue

  • How to configure /var/log/audit/audit.log to display the hostname instead of the IP address for sshd-related logs? In the record below, the hostname field only carries the peer's IP address:
type=USER_LOGIN msg=audit(1626183423.787:11165): pid=17852 uid=0 auid=0 ses=497 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.XX.XX.XX addr=192.XX.XX.XX terminal=ssh res=success'

Resolution

  • To get the hostname instead of the IP address in /var/log/audit/audit.log, add or modify the following directive in /etc/ssh/sshd_config:
UseDNS yes
  • Restart the sshd service:
# service sshd.service restart

Diagnostic Steps

  • After modifying the UseDNS directive in /etc/ssh/sshd_config, the hostname field in audit.log carries the resolved hostname instead of the IP address, while the addr field still holds the IP:
type=USER_LOGIN msg=audit(1626183351.417:11132): pid=17832 uid=0 auid=0 ses=496 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=rhel7.example.com addr=192.XX.XX.XX terminal=ssh res=success'
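The following parser is an added example, not part of this solution, for checking which sshd USER_LOGIN records in audit.log now carry a resolved name and which still show an IP (or "?"); the sample records are constructed from the format above using documentation addresses.

```python
import re
import ipaddress

# Constructed sample records in the USER_LOGIN format shown in this article
# (documentation addresses; one login before UseDNS, one after, one failure).
SAMPLE_AUDIT_LOG = """\
type=USER_LOGIN msg=audit(1626183423.787:11165): pid=17852 uid=0 auid=0 ses=497 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1626183351.417:11132): pid=17832 uid=0 auid=0 ses=496 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=rhel7.example.com addr=192.0.2.10 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1626183500.101:11170): pid=17860 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=198.51.100.7 terminal=ssh res=failed'
"""

_KV = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")
_AUDIT_ID = re.compile(r"audit\((\d+\.\d+):(\d+)\)")

def parse_audit_record(line):
    """Split one audit.log record into a flat dict of its key=value fields.
    The nested msg='...' payload is merged in, so op, exe, hostname, addr,
    terminal and res become top-level keys; the audit(ts:serial) stamp
    becomes 'time' and 'serial'."""
    fields = {}
    for key, value in _KV.findall(line):
        if key == "msg" and value.startswith("'"):
            for ikey, ivalue in _KV.findall(value[1:-1]):
                fields[ikey] = ivalue.strip('"')
        elif key == "msg" and (m := _AUDIT_ID.match(value)):
            fields["time"], fields["serial"] = float(m.group(1)), int(m.group(2))
        else:
            fields[key] = value.strip('"')
    return fields

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def sshd_logins(log_text):
    """Summarise sshd USER_LOGIN records. 'resolved' is True only when the
    hostname field carries a DNS name (UseDNS yes and a matching PTR);
    'addr' is always the peer IP, so correlate on it regardless of DNS."""
    rows = []
    for line in log_text.splitlines():
        rec = parse_audit_record(line)
        if rec.get("type") != "USER_LOGIN" or rec.get("exe") != "/usr/sbin/sshd":
            continue
        host = rec.get("hostname", "?")
        rows.append({"serial": rec.get("serial"), "hostname": host,
                     "addr": rec.get("addr"), "result": rec.get("res"),
                     "resolved": host != "?" and not is_ip(host)})
    return rows

if __name__ == "__main__":
    for row in sshd_logins(SAMPLE_AUDIT_LOG):
        print(row)
```

Keep matching on addr rather than hostname: with UseDNS yes, sshd logs the reverse-DNS name only when a forward lookup confirms it and otherwise falls back to the IP, and every incoming connection now waits on the resolver.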

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
