A cut-and-paste from my Wiki:

-------------------%<------------------------
Remote logging

Auditing, particularly from compute nodes, may be centralised to reduce the number of files needed to get a view of the cluster.

Server

The server machine must be configured to accept messages and must have a large enough logging area to store the records.

The server listens on port 60. Configure this as tcp_listen_port in /etc/audit/auditd.conf.

The server must only accept messages from a privileged port. If this is not done any userland process could inject nefarious messages. It is safe to configure the server to accept messages from any privileged port: tcp_client_ports=1-1023 in /etc/audit/auditd.conf.

On the server increase tcp_listen_queue to 16 to ensure enough requests for connections can be handled during a power-on bootup.

You will need to restart the daemon for these changes to come into effect.

Clients

The client machines may either forward messages at once or else batch them up in a queue. Generally machines with local storage should use the queue which preserves the log in the event of a crash.

You will need to restart the daemon for all these changes to come into effect: systemctl restart auditd.

Ensure the appropriate software and configuration is loaded:

    # yum install audisp-remote

/etc/audisp/audisp-remote.conf

The client needs to know where, and to which port to send messages. As mentioned above, the client must send from a privileged port.

    remote_server=<server FQDN>
    port=60
    local_port=61

On diskless clients set mode=immediate, on other clients set mode=forward. Accept the defaults for queue_file and queue_depth.

/etc/audisp/plugins.d/au-remote.conf

By default the dispatcher is configured off, therefore remember to set active=yes to turn on the remote logging.

/etc/audit/auditd.conf

Once you are happy with the logging, turn off the local copy.
For CentOS C7.3 and later machines use:

    local_events = no
    log_format = RAW
------------------%<----------------------------

I have not tested this recently, it was last running (IIRC) on C6/7, so proceed with caution.

Regards,
Martin

On 09/07/2021 08:08, Kaushal Shriyan wrote:
> Hi,
>
> I have 20 Linux servers in the network. Is there a way to audit all Linux
> clients using a centralized server? For example, what commands are run by
> John on Linuxnode1? Steve on Linuxnode15? and so on and so forth to
> track user activity. Which files have been modified or edited or commands
> etc...... by the users.
>
> I have installed auditd, but it is local to the Linux server.
> Thanks in advance.
>
> Best Regards,
>
> Kaushal

--
J Martin Rushton MBCS
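
An added example, not part of the message above or of the audit project: a small Python check that the server's auditd.conf, the client's audisp-remote.conf and au-remote.conf agree on the rules the wiki text gives (privileged source ports only, matching listen port, plugin switched on). The host name logs.example.org and all sample file contents are constructed; the function names are hypothetical.

```python
# Added example: lint the three files from the post. Sample contents are constructed.
def parse_conf(text):
    """Parse auditd-style 'key = value' lines; '#' lines are comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip().lower()] = value.strip()
    return conf

def port_range(spec):
    """'61' -> (61, 61); '1-1023' -> (1, 1023)."""
    low, _, high = spec.partition("-")
    return int(low), int(high or low)

def check(server, remote, plugin):
    """Return problems found in server auditd.conf, audisp-remote.conf, au-remote.conf."""
    problems = []
    # An unset tcp_client_ports means the server accepts any source port.
    low, high = port_range(server.get("tcp_client_ports", "1-65535"))
    if high > 1023:
        problems.append("server: tcp_client_ports admits unprivileged source ports")
    if "tcp_listen_port" not in server:
        problems.append("server: tcp_listen_port not set")
    elif remote.get("port") != server["tcp_listen_port"]:
        problems.append("client: port does not match server tcp_listen_port")
    # An unset local_port (or 'any') lets the kernel pick the source port.
    local = remote.get("local_port", "any")
    if local == "any" or not low <= int(local) <= min(high, 1023):
        problems.append("client: local_port is not a privileged port the server accepts")
    if remote.get("mode") not in ("immediate", "forward"):
        problems.append("client: mode must be immediate or forward")
    if plugin.get("active", "no").lower() != "yes":
        problems.append("client: au-remote plugin is not active")
    return problems

SERVER = parse_conf("tcp_listen_port = 60\ntcp_client_ports = 1-1023\ntcp_listen_queue = 16\n")
REMOTE = parse_conf("remote_server = logs.example.org\nport = 60\nlocal_port = 61\nmode = forward\n")
PLUGIN = parse_conf("# dispatcher plugin\nactive = yes\n")
# Misconfigured variants: server without a port restriction, client without local_port.
WEAK_SERVER = parse_conf("tcp_listen_port = 60\n")
WEAK_REMOTE = parse_conf("remote_server = logs.example.org\nport = 60\nmode = forward\n")

if __name__ == "__main__":
    for name, args in (("good", (SERVER, REMOTE, PLUGIN)), ("weak", (WEAK_SERVER, WEAK_REMOTE, {}))):
        print(name, check(*args) or "ok")
```
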