A cut-and-paste from my Wiki:
-------------------%<------------------------
Remote logging
Auditing, particularly from compute nodes, may be centralised to reduce the number of files needed to get a view of the cluster.
Server
The server machine must be configured to accept messages and must have a large enough logging area to store the records.
The server listens on port 60. Configure this as tcp_listen_port in /etc/audit/auditd.conf.
The server must only accept messages from a privileged port. If this is not done any userland process could inject nefarious messages. It is safe to configure the server to accept messages from any privileged port: tcp_client_ports=1-1023 in /etc/audit/auditd.conf.
On the server increase tcp_listen_queue to 16 to ensure enough requests for connections can be handled during a power-on bootup.
You will need to restart the daemon for these changes to come into effect.
Clients
The client machines may either forward messages at once or else batch them up in a queue. Generally machines with local storage should use the queue which preserves the log in the event of a crash.
You will need to restart the daemon for all these changes to come into effect: systemctl restart auditd.
Ensure the appropriate software and configuration are loaded: # yum install audisp-remote
/etc/audisp/audisp-remote.conf
The client needs to know where, and to which port to send messages. As mentioned above, the client must send from a privileged port.
remote_server=<server FQDN> port=60 local_port=61
On diskless clients set mode=immediate, on other clients set mode=forward. Accept the defaults for queue_file and queue_depth.
/etc/audisp/plugins.d/au-remote.conf
By default the dispatcher is configured off, therefore remember to set
active=yes
to turn on the remote logging.
/etc/audit/auditd.conf
Once you are happy with the logging, turn off the local copy. For CentOS C7.3 and later machines use:
local_events = no
log_format = RAW
------------------%<----------------------------
I have not tested this recently, it was last running (IIRC) on C6/7, so proceed with caution.
Regards, Martin
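Added example (not part of Martin's wiki page nor of the audit project's own tooling): a small POSIX shell checker that reads the three files described above and confirms the settings that matter for security, in particular that the server only accepts connections from the privileged range 1-1023 and that the client sends from a privileged local_port. The file paths are taken as arguments so it can be run against copies; the sample configuration files written by demo() are constructed for illustration, and the server name in them is a placeholder.

```shell
#!/bin/sh
# Added example: sanity-check the auditd remote-logging settings from the wiki excerpt.
# Assumptions (not from the page): config files are passed as arguments; the
# sample files written by demo() are constructed, not taken from a real host.

# get_key FILE KEY -> prints the value of "KEY = value" (whitespace around '=' allowed)
get_key() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# check_server AUDITD_CONF -> returns 0 if the server side matches the settings above
check_server() {
    conf=$1
    port=$(get_key "$conf" tcp_listen_port)
    ports=$(get_key "$conf" tcp_client_ports)
    queue=$(get_key "$conf" tcp_listen_queue)
    [ "$port" = "60" ] || { echo "server: tcp_listen_port is '$port', expected 60"; return 1; }
    # tcp_client_ports must stay inside the privileged range, otherwise any
    # userland process could connect and inject audit records
    case "$ports" in
        "") echo "server: tcp_client_ports unset, unprivileged clients would be accepted"; return 1 ;;
        *-*) lo=${ports%-*}; hi=${ports#*-} ;;
        *) lo=$ports; hi=$ports ;;
    esac
    [ "${lo:-0}" -ge 1 ] && [ "${hi:-1024}" -le 1023 ] || { echo "server: tcp_client_ports '$ports' not within 1-1023"; return 1; }
    [ "${queue:-0}" -ge 16 ] || { echo "server: tcp_listen_queue is '${queue:-unset}', expected >= 16"; return 1; }
    return 0
}

# check_client REMOTE_CONF PLUGIN_CONF DISKLESS(yes|no) -> 0 if the client side is consistent
check_client() {
    remote=$1; plugin=$2; diskless=$3
    srv=$(get_key "$remote" remote_server)
    port=$(get_key "$remote" port)
    lport=$(get_key "$remote" local_port)
    mode=$(get_key "$remote" mode)
    active=$(get_key "$plugin" active)
    [ -n "$srv" ] || { echo "client: remote_server unset"; return 1; }
    [ "$port" = "60" ] || { echo "client: port is '$port', expected 60"; return 1; }
    # the source port must be privileged or the server will refuse the connection
    [ "${lport:-0}" -ge 1 ] && [ "${lport:-0}" -le 1023 ] || { echo "client: local_port '$lport' is not privileged"; return 1; }
    if [ "$diskless" = yes ]; then want=immediate; else want=forward; fi
    [ "$mode" = "$want" ] || { echo "client: mode is '$mode', expected $want"; return 1; }
    [ "$active" = yes ] || { echo "client: au-remote plugin is not active"; return 1; }
    return 0
}

# demo: write constructed sample files matching the wiki settings and check them
demo() {
    d=$(mktemp -d)
    cat > "$d/auditd.conf" <<'EOF'
tcp_listen_port = 60
tcp_client_ports = 1-1023
tcp_listen_queue = 16
local_events = no
log_format = RAW
EOF
    cat > "$d/audisp-remote.conf" <<'EOF'
remote_server = auditserver.example.invalid
port = 60
local_port = 61
mode = forward
EOF
    cat > "$d/au-remote.conf" <<'EOF'
active = yes
EOF
    check_server "$d/auditd.conf" && check_client "$d/audisp-remote.conf" "$d/au-remote.conf" no
    rc=$?
    rm -rf "$d"
    return $rc
}

demo && echo "remote logging settings look consistent"
```

On a real host the same functions can be pointed at /etc/audit/auditd.conf, /etc/audisp/audisp-remote.conf and /etc/audisp/plugins.d/au-remote.conf; the checker only reads the files, it never changes them.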
On 09/07/2021 08:08, Kaushal Shriyan wrote:
Hi,
I have 20 Linux servers in the network. Is there a way to audit all Linux clients using a centralized server? For example, what commands are run by John on Linuxnode1? Steve on Linuxnode15? and so on and so forth to track user activity. Which files have been modified or edited or commands etc...... by the users.
I have installed auditd, but it is local to the Linux server. Thanks in advance.
Best Regards,
Kaushal
_______________________________________________
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos