Overview
Blumira’s modern cloud SIEM platform integrates with Linux Auditd to detect cybersecurity threats and provide an automated or actionable response to remediate when a threat is detected.
When configured, the Blumira integration with Auditd will stream audit event logs to the Blumira service for automated threat detection and actionable response.
Before you begin
Before configuring log forwarding for Linux Auditd, you must set up log ingestion for the Linux Operating System. See Integrating with Linux Servers.
Configuring log forwarding for Linux Auditd
- Confirm auditd is installed by entering:

  ```
  auditctl -v
  ```

  Note: Output similar to auditctl version 2.8.2 is expected.

- If auditd is not installed, enter the following to install it:
  - For Ubuntu:

    ```
    sudo apt install -y auditd audispd-plugins
    ```

  - For CentOS:

    ```
    sudo yum install -y audit audispd-plugins
    ```
- For Ubuntu: open /etc/audisp/plugins.d/syslog.conf with sudo and your preferred editor, then change the option active to yes. The config should look like the following:

  ```
  # This file controls the configuration of the syslog plugin.
  # It simply takes events and writes them to syslog. The
  # arguments provided can be the default priority that you
  # want the events written with. And optionally, you can give
  # a second argument indicating the facility that you want events
  # logged to. Valid options are LOG_LOCAL0 through 7, LOG_AUTH,
  # LOG_AUTHPRIV, LOG_DAEMON, LOG_SYSLOG, and LOG_USER.
  active = yes
  direction = out
  path = builtin_syslog
  type = builtin
  args = LOG_INFO
  format = string
  ```

- Open /etc/audit/auditd.conf with sudo and your preferred editor, then replace log_format = RAW with log_format = ENRICHED. The config should look like the following:
  ```
  #
  # This file controls the configuration of the audit daemon
  #local_events = yes
  write_logs = yes
  log_file = /var/log/audit/audit.log
  log_group = root
  log_format = ENRICHED
  flush = INCREMENTAL_ASYNC
  freq = 50
  max_log_file = 8
  num_logs = 5
  priority_boost = 4
  disp_qos = lossy
  dispatcher = /sbin/audispd
  name_format = NONE
  ##name = mydomain
  max_log_file_action = ROTATE
  space_left = 75
  space_left_action = SYSLOG
  verify_email = yes
  action_mail_acct = root
  admin_space_left = 50
  admin_space_left_action = SUSPEND
  disk_full_action = SUSPEND
  disk_error_action = SUSPEND
  use_libwrap = yes
  ##tcp_listen_port = 60
  tcp_listen_queue = 5
  tcp_max_per_addr = 1
  ##tcp_client_ports = 1024-65535
  tcp_client_max_idle = 0
  enable_krb5 = no
  krb5_principal = auditd
  ##krb5_key_file = /etc/audit/audit.key
  distribute_network = no
  ```

- Reload/restart auditd (typically by entering: service auditd restart).
- Configure your watch folders and keys. For example, to monitor all access to the billreyor home folder, enter:

  ```
  auditctl -w /home/billreyor -k reyor_watch
  echo "-D" > /etc/audit/rules.d/my.rules
  auditctl -l >> /etc/audit/rules.d/my.rules
  service auditd restart
  ```
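As an added example that is not part of the Blumira documentation or of the Linux audit project's code, the POSIX shell script below wraps the manual edits above in reusable functions: set a `key = value` option in an auditd-style config file, write a rules file in the shape the page builds with `echo "-D"` followed by `auditctl -l`, and verify afterwards that both files carry the required settings (`active = yes` in the syslog plugin, `log_format = ENRICHED` in auditd.conf). The demo at the bottom runs against constructed copies of the two files in a temporary directory; the helper names, the temporary paths and the constructed file contents are assumptions. Pointing the functions at the real files under /etc requires sudo and, as in the steps above, a restart of auditd before the change takes effect.

```shell
#!/bin/sh
# Added example (not Blumira's or the audit project's code): helpers that
# apply the settings this page calls for and verify them afterwards.  The
# demo below uses constructed copies of the config files in a temporary
# directory, so it never touches /etc and needs no root privileges.

# Print the current value of "key = value" in an auditd-style config file
# (last uncommented match wins; prints nothing if the key is absent).
get_conf_opt() {
    sed -nE "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*([^[:space:]]*).*/\1/p" "$1" | tail -n 1
}

# Set "key = value": rewrite an existing line for the key (even a commented-
# out one such as "#local_events = yes") in place, or append the line if the
# file does not mention the key at all.  Idempotent: running it twice with
# the same value changes nothing.
set_conf_opt() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[#[:space:]]*${key}[[:space:]]*=" "$file"; then
        tmp=$(mktemp)
        sed -E "s|^[#[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$file" > "$tmp"
        cat "$tmp" > "$file"   # cat rather than mv keeps the file's owner and mode
        rm -f "$tmp"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# Write a rules file in the shape the page builds with "echo -D" + "auditctl -l":
# "-D" first so that loading the file replaces any previously loaded rules,
# then one watch per (path, key) pair.  "-p rwxa" (read, write, execute,
# attribute change) is what auditctl reports for a watch created without -p,
# i.e. the "all access" watch of the page's /home/billreyor example.
write_watch_rules() {
    rules=$1; shift
    printf '%s\n' '-D' > "$rules"
    while [ $# -ge 2 ]; do
        printf '%s\n' "-w $1 -p rwxa -k $2" >> "$rules"
        shift 2
    done
}

# Return 0 only when both files carry the settings this page requires:
# $1 = syslog plugin config, $2 = auditd.conf.
verify_forwarding_conf() {
    [ "$(get_conf_opt "$1" active)" = yes ] &&
    [ "$(get_conf_opt "$2" log_format)" = ENRICHED ]
}

# --- demo on constructed copies of the two files (assumed paths, not /etc) ---
demo_dir=$(mktemp -d)
syslog_conf="$demo_dir/syslog.conf"
auditd_conf="$demo_dir/auditd.conf"
cat > "$syslog_conf" <<'EOF'
# constructed copy of /etc/audisp/plugins.d/syslog.conf in its default state
active = no
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO
format = string
EOF
cat > "$auditd_conf" <<'EOF'
# constructed copy of /etc/audit/auditd.conf in its default state
#local_events = yes
log_file = /var/log/audit/audit.log
log_format = RAW
flush = INCREMENTAL_ASYNC
EOF

verify_forwarding_conf "$syslog_conf" "$auditd_conf" || echo "before: forwarding not yet configured"
set_conf_opt "$syslog_conf" active yes
set_conf_opt "$auditd_conf" log_format ENRICHED
write_watch_rules "$demo_dir/my.rules" /home/billreyor reyor_watch
if verify_forwarding_conf "$syslog_conf" "$auditd_conf"; then
    echo "after: forwarding settings applied; generated rules file:"
    cat "$demo_dir/my.rules"
fi
rm -rf "$demo_dir"
```

The verification function is the part worth keeping around: run it (against the real files, with sudo) after any package upgrade or config-management run, since a restored default `log_format = RAW` or `active = no` silently stops enriched events from reaching the syslog socket that the rsyslog forwarding relies on.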
No other options need to be changed in the auditd configuration for log forwarding. The auditd events will now flow into the rsyslogd syslog socket.

At this point the configuration is complete. The logs can also be found in /var/log/messages (or a similar catch-all log file on your OS) with the journal namespace. The Blumira configuration in /etc/rsyslog.d/ that handles Linux log forwarding will automatically forward the logs.