Configuring your Unix Audit Logs.

With properly configured auditing rules, Unix machines can provide a wealth of data about your users' activity. Using a syslog configuration, it only takes a minute to get those logs into the cloud.

Unix Audit Logs

1) Add a new config to your /etc/rsyslog.d/ directory.

You'll need a new config file to hold all of the settings relating to auditing; we named ours "02-unix-audit.conf".

sudo vi /etc/rsyslog.d/02-unix-audit.conf

2) Update your config file

Below is the config file for forwarding your audit logs to the cloud via syslog. Make sure to replace YOUR_SECURITY_TOKEN_HERE with your own security token, which you'll find on the account management page.

$InputFilePollInterval 10
$PrivDropToGroup adm
$WorkDirectory /var/spool/rsyslog
 
# Linux audit log, read by the imfile module:
$InputFileName /var/log/audit/audit.log
$InputFileTag unix-audit:
$InputFileStateFile stat-unix-audit
$InputFileSeverity info
$InputFilePersistStateInterval 20000
$InputRunFileMonitor
 
#Add a tag for audit events
$template UnixAudit,"LOGSCAPETOKEN:YOUR_SECURITY_TOKEN_HERE LOGSCAPETAG:unix-audit <%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% %msg%"
 
if $programname == 'unix-audit' then @@collector.logscape.com:1468;UnixAudit
if $programname == 'unix-audit' then ~

You'll also need to make sure your rsyslog.conf loads imfile, and that it does so before the line that includes /etc/rsyslog.d (the $InputFile directives above are only recognized once the module is loaded):

$ModLoad imfile

3) Restart Syslog

You'll need to restart your syslog daemon in order for the changes to take effect.

sudo service rsyslog restart

4) Permissions

By default audit.log, and the directory that contains it, can only be accessed by root, so permissions have to be changed to give the syslog daemon (which runs as group adm after the $PrivDropToGroup line above) read access to both the directory and the file.
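The four steps above, carried out by a set of POSIX shell functions as an added example (this is not part of the Logscape tutorial or its tooling). The functions take every path as a parameter so they can be rehearsed against a scratch directory before being run as root against /etc/rsyslog.d and /var/log/audit. It assumes rsyslog with the imfile module, GNU stat, the adm group named by $PrivDropToGroup, and the collector address and template from the config above; the token is whatever you pass in.

```shell
#!/bin/sh
# Added example: helpers for the unix-audit rsyslog setup. Not Logscape's code.

# Steps 1+2: write the rsyslog snippet from the tutorial, substituting the token.
# $1 = destination file, $2 = Logscape security token, $3 = audit log path
write_audit_conf() {
  dest=$1; token=$2; logfile=${3:-/var/log/audit/audit.log}
  # Refuse to ship the placeholder: a config with it would forward nothing useful.
  case $token in
    ''|*YOUR_SECURITY_TOKEN*) echo "write_audit_conf: set a real token" >&2; return 1 ;;
  esac
  cat > "$dest" <<EOF
\$InputFilePollInterval 10
\$PrivDropToGroup adm
\$WorkDirectory /var/spool/rsyslog

# Linux audit log, read by the imfile module:
\$InputFileName $logfile
\$InputFileTag unix-audit:
\$InputFileStateFile stat-unix-audit
\$InputFileSeverity info
\$InputFilePersistStateInterval 20000
\$InputRunFileMonitor

# Add a tag for audit events
\$template UnixAudit,"LOGSCAPETOKEN:$token LOGSCAPETAG:unix-audit <%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% %msg%"

if \$programname == 'unix-audit' then @@collector.logscape.com:1468;UnixAudit
if \$programname == 'unix-audit' then ~
EOF
}

# Step 2 check: does the main rsyslog.conf ($1) load imfile, in either
# the legacy ($ModLoad) or the newer module(load=...) syntax?
imfile_loaded() {
  grep -Eq '^[[:space:]]*(\$ModLoad[[:space:]]+imfile|module\(load="imfile")' "$1"
}

# Step 4: give the group rsyslog drops to (adm by default) read access to the
# audit log and its directory, without opening either to other users.
# $1 = audit log path, $2 = group (default adm)
# Note: auditd recreates audit.log on rotation with the group from
# log_group in /etc/audit/auditd.conf, so set log_group there as well
# or this change is lost at the next rotation.
grant_audit_read() {
  logfile=$1; group=${2:-adm}; dir=$(dirname "$logfile")
  chgrp "$group" "$dir" "$logfile" || return 1
  chmod 0750 "$dir" && chmod 0640 "$logfile"
}

# Returns 0 when directory and file carry exactly the modes set above
# (group-readable, not world-readable). Uses GNU stat -c.
audit_perms_ok() {
  logfile=$1; dir=$(dirname "$logfile")
  [ "$(stat -c %a "$dir")" = 750 ] && [ "$(stat -c %a "$logfile")" = 640 ]
}

# Step 3: validate the merged configuration, then restart the daemon.
# rsyslogd -N1 parses the config without starting the service.
restart_rsyslog() {
  rsyslogd -N1 || return 1
  if command -v systemctl >/dev/null 2>&1; then
    systemctl restart rsyslog
  else
    service rsyslog restart
  fi
}

# Real run (as root), with the token from the Logscape account page:
#   write_audit_conf /etc/rsyslog.d/02-unix-audit.conf "$TOKEN"
#   imfile_loaded /etc/rsyslog.conf || echo 'add $ModLoad imfile to rsyslog.conf'
#   grant_audit_read /var/log/audit/audit.log adm
#   restart_rsyslog
```

Run the write and permission functions against a temporary directory first; only restart_rsyslog touches the live system, and it refuses to restart when rsyslogd -N1 rejects the merged configuration.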