[CentOS] Auditing all Linux clients with centralised server

Fri Jul 9 07:23:45 UTC 2021
J Martin Rushton <martinrushton56 at btinternet.com>

A cut-and-paste from my Wiki:


Remote logging

Auditing, particularly from compute nodes, may be centralised to reduce 
the number of files needed to get a view of the cluster.

The server machine must be configured to accept messages and must have a 
large enough logging area to store the records.

The server listens on port 60. Configure this as tcp_listen_port in 

The server must only accept messages from a privileged port. If this is 
not done, any userland process could inject nefarious messages. It is 
safe to configure the server to accept messages from any privileged 
port: tcp_client_ports=1-1023 in /etc/audit/auditd.conf.

On the server increase tcp_listen_queue to 16 to ensure enough requests 
for connections can be handled during a power-on bootup.

You will need to restart the daemon for these changes to come into effect.


The client machines may either forward messages at once or else batch 
them up in a queue. Generally, machines with local storage should use the 
queue, which preserves the log in the event of a crash.

You will need to restart the daemon for all these changes to come into 
effect: systemctl restart auditd.

Ensure the appropriate software and configuration are loaded: # yum 
install audisp-remote.

The client needs to know where, and to which port to send messages. As 
mentioned above, the client must send from a privileged port.

	remote_server=<server FQDN>

On diskless clients set mode=immediate, on other clients set 
mode=forward. Accept the defaults for queue_file and queue_depth.

By default the dispatcher is configured off, therefore remember to set


to turn on the remote logging.


Once you are happy with the logging, turn off the local copy. For CentOS 
C7.3 and later machines use:

	local_events = no
	log_format = RAW


I have not tested this recently; it was last running (IIRC) on C6/7, so 
proceed with caution.


On 09/07/2021 08:08, Kaushal Shriyan wrote:
> Hi,
> I have 20 Linux servers in the network. Is there a way to audit all Linux
> clients using a centralized server? For example, what commands are run by
> John on Linuxnode1? Steve on Linuxnode15? and so on and so forth to
> track user activity. Which files have been modified or edited or commands
> etc...... by the users.
> I have installed auditd, but it is local to the Linux server.
> Thanks in advance.
> Best Regards,
> Kaushal
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos

J Martin Rushton MBCS
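A small checker for the settings discussed in the message above, added here as an example and not part of the original post. It parses the key = value format used by /etc/audit/auditd.conf and /etc/audisp/audisp-remote.conf (paths assumed from CentOS 7; audit 3 moves the plugin files) and reports where a file departs from the advice given: client ports restricted to 1-1023, a listen queue of at least 16, and a remote server and mode set on the client.

```python
# Added example: audit the auditd remote-logging settings from the post.
# The sample configurations at the bottom are constructed, not real files.

def parse_conf(text):
    """Parse auditd-style 'key = value' lines, ignoring comments and blanks."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def port_range_privileged(spec):
    """True if an 'N' or 'N-M' port spec lies entirely within 1-1023."""
    lo, _, hi = spec.partition("-")
    try:
        lo, hi = int(lo), int(hi or lo)
    except ValueError:
        return False
    return 1 <= lo <= hi <= 1023

def check_server(conf):
    """Findings for the server side of /etc/audit/auditd.conf."""
    findings = []
    if "tcp_listen_port" not in conf:
        findings.append("tcp_listen_port unset: server will not accept remote events")
    ports = conf.get("tcp_client_ports")
    if ports is None or not port_range_privileged(ports):
        findings.append("tcp_client_ports not limited to 1-1023: unprivileged "
                        "processes could inject events")
    # assume the auditd default listen queue of 5 when the key is absent
    if int(conf.get("tcp_listen_queue", 5)) < 16:
        findings.append("tcp_listen_queue below 16: clients may be refused at power-on")
    return findings

def check_client(conf, diskless=False):
    """Findings for /etc/audisp/audisp-remote.conf on one client."""
    findings = []
    if not conf.get("remote_server"):
        findings.append("remote_server unset: nowhere to send events")
    want = "immediate" if diskless else "forward"
    if conf.get("mode") != want:
        findings.append(f"mode should be {want} here, found {conf.get('mode')!r}")
    return findings

# Constructed samples: a server left at the defaults and one following the post.
WEAK_SERVER = "log_file = /var/log/audit/audit.log\ntcp_listen_queue = 5\n"
GOOD_SERVER = "tcp_listen_port = 60\ntcp_listen_queue = 16\ntcp_client_ports = 1-1023\n"
GOOD_CLIENT = "remote_server = audit-server.example.invalid\nmode = forward\n"
```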