
Running laurel on the collector host to process audit logs from remote hosts #230

Closed · sngk opened this issue Dec 2, 2024 · 4 comments

@sngk

sngk commented Dec 2, 2024

Hi there,

I've got a similar issue to the one described in #33. I'm sending my audit logs from hosts a1 and a2 to host "c". I can see the logs from a1 and a2 in the /var/log/audit/audit.log file on host "c". However, laurel only transforms local audit logs from host "c" and not from "a1" or "a2".

Logs are being sent via audisp plugin for auditd on TCP port 60.

@sngk sngk closed this as completed Dec 2, 2024
@sngk sngk reopened this Dec 2, 2024
@sngk sngk changed the title Running on the collector host to process audit logs from remote hosts Running laurel on the collector host to process audit logs from remote hosts Dec 2, 2024
@hillu
Collaborator

hillu commented Dec 14, 2024

I have never worked with the audisp remote plugin, so I'm not sure what's going on.

@sngk Can you please verify that auditd on host "c" actually passes logs received from "a1" and "a2" to plugins?

Configure an additional plugin on "c", like so:

active = yes
direction = out
type = always
format = string
path = /usr/local/sbin/auditd-remote-debug

with auditd-remote-debug just consisting of a simple shell script:

#!/bin/sh
cat >> /tmp/auditd-remote-debug.log

@hillu hillu self-assigned this Dec 14, 2024
@hillu
Collaborator

hillu commented Jan 5, 2025

@sngk ping?

@sngk
Author

sngk commented Jan 6, 2025

Hi hillu, apologies for the late response.

I managed to test it with the additional plugin and it looks like it doesn't pass the logs from remote hosts to any plugins. The newly created file "auditd-remote-debug.log" only contains logs from host "c". Guess it is not a laurel issue then.

@hillu
Collaborator

hillu commented Jan 7, 2025

@sngk thanks for your feedback. I am closing this issue for now.

Perhaps it would make sense for you to transport audit records to the collector machine via syslog or other means – and pipe the audit records to laurel. You'd need to make sure that auditd is configured to add the hostname (name, name_format configuration parameters).
Note, however, that some Laurel features that rely on accessing information from /proc/ won't work in this setup.

@hillu hillu closed this as completed Jan 7, 2025
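The following is an added example, not code from the laurel project or from either participant. It extends the debug plugin from hillu's Dec 14 comment and the hostname point from the Jan 7 comment into one script: invoked as an audisp plugin it appends every record it receives to a log file, and invoked by hand afterwards it tallies those records per `node=` value, so the operator can tell at a glance whether any remote hosts' records reached plugins at all and whether auditd was tagging records with a hostname (`name`/`name_format`). Records without a `node=` field are counted as "local". The plugin path, the log file location and the sample records in `--demo` are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the laurel project): audisp-style debug plugin that
# records what auditd hands to plugins and tallies records per node= value.
# Assumed plugin config: path = /usr/local/sbin/auditd-remote-debug  (hypothetical)
# and args = --plugin. Log file location is an assumption; override with AUDIT_DEBUG_LOG.

LOGFILE="${AUDIT_DEBUG_LOG:-/tmp/auditd-remote-debug.log}"

# audit_node RECORD: print the node= value of one audit record, or "local"
# when the record carries no node= field (auditd was not configured with
# name_format, or the record originated on this host without tagging).
audit_node() {
    case "$1" in
        *node=*)
            printf '%s\n' "$1" | sed -n 's/.*node=\([^ ]*\).*/\1/p'
            ;;
        *)
            echo local
            ;;
    esac
}

# count_by_node: read audit records on stdin, print "<count> <node>" lines
# sorted by node name.  A missing remote host in this output means its
# records never reached the plugin, even if they appear in audit.log.
count_by_node() {
    while IFS= read -r line; do
        audit_node "$line"
    done | sort | uniq -c | awk '{print $1, $2}'
}

# Constructed sample records for --demo (not captured from a real system):
# one untagged local record, two tagged node=a1, one tagged node=a2.
SAMPLE_RECORDS='type=SYSCALL msg=audit(1733100000.000:1): arch=c000003e syscall=59
node=a1 type=SYSCALL msg=audit(1733100000.001:2): arch=c000003e syscall=59
node=a1 type=EXECVE msg=audit(1733100000.001:2): argc=1 a0="id"
node=a2 type=SYSCALL msg=audit(1733100000.002:3): arch=c000003e syscall=59'

case "${1:-}" in
    --plugin)  cat >> "$LOGFILE" ;;                  # what auditd runs
    --summary) count_by_node < "$LOGFILE" ;;         # run by hand later
    --demo)    printf '%s\n' "$SAMPLE_RECORDS" | count_by_node ;;
esac
```

Run `auditd-remote-debug --summary` after a few minutes of traffic from a1 and a2: if only "local" appears, the collector's auditd is not passing remote records to plugins (the result sngk observed); if "local" dominates even though remote records are present, check `name`/`name_format` so that every record carries a hostname before it is piped into laurel.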