Hello all, I am re-new to this Mailing List. I am in need to satisfy a security requirement that enables audit log-data traces being sent back to a Centralized Server. I sort of have this working, but I don't think the results are correct.
I have posted a question to [email protected] already, but so far no one has replied to my specific plight.

I used the following URL from your site about 2 years ago (and again 1 year ago), and now it is time for me to revisit this because the network is finally going to go live. This URL looks close in comparison, but appears to be a little more updated since last year at least:

http://wiki.rsyslog.com/index.php/Centralizing_the_audit_log

The arrangement of the information in the sections of that URL is more helpful, with tidbits of information associated (and identified better than 1 year ago).

The issue I am having, with my configuration almost exactly the same (and I have attempted it exactly the same with no difference), is that when I run the ausearch and aureport commands they ONLY LOOK at the Centralized Log Server's audit.log file. The commands don't consider files that have HOSTNAME_audit.log as a format. They also do not appear to work with /var/log/audit/HOSTNAME/audit.log as a directory/filename format.

I really need this to work, and every time I come back to it there doesn't seem to be anyone stepping up to support.

All of the workstations and the single server are running the same OS at the same revision at the same patch level, and that is CentOS-6.7. The CentOS-6.7 systems are all running on HP hardware, and the version of rsyslog according to:

rpm -qa | grep syslog

is rsyslog-5.8.10-10.el6_6.x86_64

Please help me, this task with the centralizing of audit is killing me with stress.

Warron French, MBA, SCSA

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog

